GDPR Fine and Penalties Regime – 2021
There are two tiers of GDPR administrative fines (Article 83), reflecting that some infringements are treated as more severe than others.
- The less severe infringements can result in a fine of up to €10 million, or 2% of the undertaking’s total worldwide annual turnover for the preceding financial year, whichever amount is higher.
These include infringements of the obligations placed on controllers and processors (Articles 8, 11, 25-39, 42 and 43). Organisations that determine why and how data is collected (controllers) and those that process data on their behalf (processors) must adhere to the rules governing data protection by design, security of processing, breach notification, records of processing and the other obligations in those articles. An organisation needs to read and adhere to these primary obligations.
- The more serious infringements involve breaches of the core principles of the Regulation and of data subjects’ rights, and can result in a fine of up to €20 million, or 4% of the undertaking’s total worldwide annual turnover for the preceding financial year, whichever amount is higher.
These include violation of the articles governing:
- The basic principles for processing (Articles 5, 6 and 9) — Personal data must be processed lawfully, fairly and transparently. It must be collected for specified, explicit purposes and not further processed incompatibly with them, be limited to what is necessary, be kept accurate and up to date, be retained no longer than needed, and be processed in a manner that ensures its security.
Organisations may only process personal data if they can rely on at least one of the six lawful bases listed in Article 6.
Processing of special categories of personal data, including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health data and data concerning sex life or sexual orientation, is prohibited under Article 9 except under the specific conditions it lists.
- The conditions for consent (Article 7) — When an organisation relies on the data subject’s consent as its lawful basis, it must be able to demonstrate that valid consent was given, and the data subject must be able to withdraw it as easily as it was given.
- The data subjects’ rights (Articles 12-22) — Individuals have the right to know what personal data an organisation is collecting and what it is doing with it, the right to obtain a copy of that data, the right to have it corrected and, in certain cases, the right to have it erased. They also have the right to restrict or object to processing and the right to have their data transferred to another organisation (data portability).
- The transfer of personal data to a third country or an international organisation (Articles 44-49) — Such transfers are permitted where the European Commission has decided that the country or organisation ensures an adequate level of protection. In the absence of an adequacy decision, the transfer must rely on appropriate safeguards such as standard contractual clauses or binding corporate rules (Article 46), or on one of the derogations in Article 49.
- Any infringement of member state laws adopted under Chapter IX — Chapter IX allows EU member states to adopt additional data protection rules in specific areas (for example freedom of expression, employment and research) provided they are consistent with the GDPR. Infringements of these national laws also attract GDPR administrative fines.
- Non-compliance with an order by a supervisory authority — If an organisation fails to comply with an order or a temporary or definitive limitation on processing imposed by a supervisory authority, or fails to provide access in breach of Article 58(1), it exposes itself to the upper tier of fines regardless of the tier applicable to the original infringement.
The above are the administrative fines. Separately, Article 82 gives data subjects the right to seek compensation from controllers or processors that cause them material or non-material damage as a result of a GDPR infringement.
The reference to the worldwide annual turnover of the “undertaking” is broad: it follows the EU competition-law concept of an undertaking, so it can include the turnover of all natural persons and corporate entities that make up the economic group to which the infringing entity belongs, not just the legal entity that committed the infringement.
How are fines assessed?
Fines are imposed by the data protection supervisory authority in each EU member state, which determines whether an infringement has occurred and how severe the penalty should be. When deciding whether to impose an administrative fine and in what amount, the authority must give due regard to the criteria set out in Article 83(2), summarised below:
- Gravity and nature — The overall picture of the infringement. What happened, how it happened, why it happened, the number of people affected, the damage they suffered, and how long it took to resolve.
- Intention — Whether the infringement was intentional or the result of negligence.
- Mitigation — Whether the firm took any actions to mitigate the damage suffered by people affected by the infringement.
- Precautionary measures — The amount of technical and organizational preparation the firm had previously implemented to follow the GDPR.
- History — Any relevant previous infringements, including infringements under the Data Protection Directive (not just the GDPR), as well as compliance with past administrative corrective actions under the GDPR.
- Cooperation — Whether the firm cooperated with the supervisory authority to discover and remedy the infringement.
- Data category — What type of personal data the infringement affects.
- Notification — Whether the firm, or a designated third party, proactively reported the infringement to the supervisory authority.
- Certification — Whether the firm followed approved codes of conduct or was previously certified.
- Aggravating/mitigating factors — Any other issues arising from circumstances of the case, including financial benefits gained or losses avoided as a result of the infringement.
Where an organisation intentionally or negligently infringes several provisions of the GDPR in the same or linked processing operations, the total administrative fine may not exceed the amount specified for the gravest of those infringements (Article 83(3)). Infringements arising from unrelated processing operations can each be fined separately.
Data controller’s responsibility
Many companies use third parties, such as email or cloud storage providers, to handle their data. This can help with GDPR compliance if the third party has greater technical capability, but it does not absolve the hiring organisation (the controller) from ensuring that personal data is processed in accordance with the GDPR. Article 28 requires a controller to use only processors that provide sufficient guarantees of compliance and to bind them by contract.
Under Article 82, a controller is liable for damage caused by processing that infringes the GDPR unless it can prove that it was “not in any way responsible for the event giving rise to the damage”. A processor is liable where it has not complied with its own obligations or has acted outside the controller’s lawful instructions. This is why a data controller needs to vet its third parties and confirm that they have a good track record for security before entrusting personal data to them.
In addition to the administrative fines, Article 84 allows each member state to lay down other penalties for infringements of the Regulation not already covered by Article 83, such as criminal penalties for certain violations of the GDPR or penalties for infringements of national rules adopted under the flexibility clauses of the GDPR. These national penalties must also be effective, proportionate and dissuasive.
The following US cases, although decided under US law rather than the GDPR, illustrate the scale of penalties that data breaches and misuse of access have attracted in recent years:
- Capital One suffered a breach in 2019 affecting about 100 million people in the US and 6 million in Canada. In 2020 the Office of the Comptroller of the Currency fined the bank $80 million for a “failure to establish effective risk assessment processes” before migrating significant IT operations to a public cloud environment, and for a “failure to correct the deficiencies in a timely manner”.
An outside individual obtained personal information on Capital One credit card customers and applicants by exploiting a configuration vulnerability in the company’s web application firewall. The exposed data included names, addresses, phone numbers, email addresses, dates of birth, self-reported income, credit scores, credit limits, balances, payment history, contact information and transaction data, together with some Social Security numbers and linked bank account numbers.
- Target agreed in 2017 to an $18.5 million settlement with 47 states and the District of Columbia relating to a breach in 2013 in which some 40 million credit and debit card accounts were stolen during the post-Thanksgiving Black Friday sales rush. Personal information of up to 70 million individuals was also exposed, and the costs associated with the breach exceeded $200 million.
- Ticketmaster agreed in January 2021 to pay a $10 million criminal fine in the US after it used passwords unlawfully retained by a former employee of a competitor to gain access to that rival company’s systems.
The systems accessed included a booking fee calculator and a web-based ticketing analytics package known as the Artist Toolbox, which gave clients real-time data about ticket sales made through the victim company. The unauthorised access continued for more than 12 months, from early 2014 into mid-2015.
- HIPAA violations – medical and health records
There were a number of HIPAA enforcement actions in 2019, including fines of $3 million each for Cottage Health (two breaches, in 2013 and 2015, that exposed the electronic protected health information (ePHI) of over 62,500 individuals) and for Touchstone Medical Imaging. Both cases involved servers holding ePHI that were accessible over the internet.
Jackson Health System (JHS), a not-for-profit academic medical system running a number of hospitals and care centres in Florida, was fined $2.15 million by the US Department of Health and Human Services (HHS) Office for Civil Rights over several incidents between 2013 and 2016.
Although JHS reported the loss of paper records on 756 patients to HHS in 2013, it failed to report the loss of a further three boxes of patient records discovered during its internal investigation. In 2015 JHS found that two employees had accessed a patient’s electronic medical record without a job-related purpose, and in 2016 it reported a breach after discovering that an employee had been selling the records of about 24,000 patients since 2011.
These cases all highlight the in-house compliance work required to monitor staff access, report incidents completely and promptly, and ensure adequate security measures are in place to prevent data breaches.