It’s getting serious!
By Dr. Daniel Klösel
It is general knowledge that the GDPR became directly applicable on May 25, 2018, but there is one thing that has not really sunk in since then: The oft-cited framework of fines in Art. 83 of the GDPR, which provides for antitrust-like fines of up to 4 % of global annual turnover, has not yet been fully exhausted in Germany.
While a few heavy fines in other EU countries have caused a stir (such as €204 million for British Airways [BA] in the UK or €50 million for Google in France), the German fines have remained virtually unchanged in comparison with the days of the old BDSG. Since May 25, 2018, Baden-Württemberg has been at the top nationally with a total of seven fines averaging €27,000, while Saarland was at the bottom of the list with three fines at an average of €197. The fine of €195,407 against Delivery Hero and the most recent fine of €14.5 million against Deutsche Wohnen, both levied by the Berlin Data Protection Agency has gone off, for the first time, in a different direction and has formed the blueprint for the future handling of fines, which means that it will now get serious indeed.
The new catalogue of fines: annual turnover ÷ 360 a certain multiplying factor
For months, the German Data Protection Authorities have been working more or less quietly and behind closed doors within the framework of the Conference of the Independent Federal and State Data Protection Authorities (DSK) on a uniform fine model that had already been approved by the majority in the summer and, following increasing pressure, was published in excerpts on October 14, 2019 (see: datenschutzkonfer-enz-online.de). And this catalogue is no laughing matter.
The starting point is a turnover-oriented daily–rate, in other words, an amount equivalent to annual total turnover divided by 360 (days), which is then multiplied according to the seriousness of the violation and finally determined by taking into account additional subjective (culpability) and objective (preventive measures) aspects. Specifically, the calculation is based on the following four steps:
1. Daily rate = annual turnover (category) ÷ 360
2. Factor = “minor x 1–4” to “very severe x 12–14.4” (formal/material violations)
3. Modification of the factor according to duration, nature, number
4. Culpability: such as conditional intent (+25%), (no) TOMs (±25%), nature (x 200% or 300%, etc.), cooperation with the regulatory authority or self-indictment (each -25%)
This results in fine corridors for companies with an annual turnover of €90 billion, for instance, starting at €250 million or for those with an annual turnover of EUR 90 million starting at about €250,000. Just to provide some perspective: Germany’s 100 largest companies’ turnover ranges between about €7 billion to €230 billion and the stated figures form only the starting point for further (drastic) increases, given the multipliers in steps 2 to 4.
The blueprint for future fine practice: the Deutsche Wohnen case
Less than one month after the leak regarding the disclosure of the new sanction catalogue, the case of Deutsche Wohnen in Berlin has impressively showed that this sanctioning practice is also not only written on paper. As early as June 2017, the data protection authority in Berlin had complained that Deutsche Wohnen (with an annual turnover of about €1.461 million in 2018) was acting contrary to data protection due to the lack of a deletion concept for its tenant data.
During a renewed examination in March 2019, the authorities found that initial preparatory measures had been taken, but that a system for archiving tenant data, especially related to information on the remuneration of the tenants, was still in use and it did not permit the additional deletion of tenant data that was no longer required, for example, if the tenancy had been already terminated. Tenant data on personal and financial circumstances, including salary statements, self-disclosure statements, account statements and tax, social security and health insurance data, were affected. During storage, no checks were made as to whether this was permissible. The data was also not deleted at a later date and was not technically possible.
The case has two sides: On the one hand, the breach of data protection laws – for example, in comparison to the mentioned data leak at BA – can be described as less sensitive. On the other hand, the authorities had issued several reminders to Deutsche Wohnen without the company having reacted appropriately. However, a fine of €14.5 million for such a case corresponds to the turnover-related approach and far exceeds the previous fine practice in Germany, which only imposed similarly high fines for much more comprehensive and intensive data protection violations, such as, for example, the systematic divulgence of information about entire workforces.
Advice for practitioners: prevention and legal defense
This is a bitter pill to swallow, and conversations with individual members of the Data Protection Authorities have confirmed that the authorities are taking this very seriously. And indeed, the statement of the authorities that the legal GDPR approach would provide for such a turnover-related approach including a limitation of up to 4% of the worldwide annual turnover, is generally less contestable. Furthermore, some authorities have also announced that various fine proceedings based on the new turnover-related approach are still ongoing and will be published over the next few months. The impacts on businesses are easy to describe.
First: Those who have not yet taken data protection seriously (enough) are well-advised to start doing so. One-and-a-half years of practical experience in the implementation of GDPR compliance concepts (works agreements, consent declarations, HR processes, etc.) have shown that this can be done quite quickly in the individual case and, depending on the baseline position, can also be completed with just a few adjustments.
Second: Should the worst case occur, legal defense is often meaningful and promising. Our years of experience with comparable proceedings in matters involving misdemeanors and criminal charges, such as those in connection with the illegal lease of employees or in case of misclassification issues, have shown that it is often possible to achieve quite a lot. A catalogue of fines that lacks transparency provides even more to go on.
In any event, one thing is clear: After pretty much exactly one-and-a-half years, the honeymoon is over.