The Dutch Data Protection Authority, AP, determines the amounts of the fines it imposes taking its own fine calculation policy rules as a starting point. These policy rules set out the bandwidths within which fines tend to end up for the various categories of infringements. As a consequence, the amount of a fine is more predictable. Because the bandwidths are significantly lower than the maximum amounts, they are less likely to put the fear of God into Dutch organisations than the draconian fines the AP's counterparts in some other countries issue.  The AP's modus operandi also draws criticism, however. The bandwidths have been said to be too low if compared with those used by other European watchdogs.

The new European fine calculation guidelines may be about to change all that. And if so, will they affect the organisations falling under the supervision of the AP? We will attempt to give an answer in this blog.

Fear of fines under the GDPR

At the time it was due to enter into force, the General Data Protection Regulation (GDPR) struck terror into the hearts of many organisations that deal with personal data. The cause of this terror were the maximum fines that could be imposed by supervisory authorities under the GDPR. For good reason, as the fines can run up as high as EUR 10,000,000 or up to 2% of the total worldwide turnover, whichever is higher. Some infringements even risk fines up to EUR 20,000,000 or up to 4% of the total worldwide turnover, whichever is higher.

EU-wide divergence

Given the policy set out by the AP, Dutch organisations are unlikely to be hit by fines in the amounts mentioned in Article 83 of the GDPR. After all, the bandwidth with the highest amounts reaches “only” as far as EUR 1,000,000. Obviously, in the event of concurrent infringements or if special circumstances apply, the amount may rise beyond that mark. A recent example is the substantial fine imposed on the Dutch Tax Authorities. The AP's decision shows that the nature, the duration and the gravity of the violations caused the AP to impose a fine well beyond the usual bandwidths. Another factor aggravating the fine was the gross negligence on the part of the Tax Authorities.

Still, the amount of the fine - totalling EUR 3,700,000 - seems next to nothing compared with fines imposed in other EU member states. The table below makes clear that the total amount of fines imposed in the Netherlands is well below the total amounts imposed in other member states.[1] Yet for a part of the cases the number of fines imposed is comparable. Having said that, it should be borne in mind that some countries simply are home to more enterprises that are likely to be subject to GDPR investigations, such as the big tech companies who tend to have their European headquarters set up in Luxembourg or Ireland.

Source: https://www.enforcementtracker.com/?insights, consulted on 03 July 2022.

All in all, and not surprisingly in view of the above figures, the AP takes quite a bit of flak from interest groups and ‘privacy experts’. The AP is considered to be ‘mild’, even ‘soft’. Now the flak appears to come from a new corner: the European supervisors united in the European Data Protection Board (EDPB). More precisely put, the new European guidelines from the EDPB - its peers - seem to coerce the AP into imposing heftier fines.

European guidelines for GDPR fines

The EDPB guidelines for calculating the amount of administrative fines, of which only a draft version has been published, have as their obvious main goal the harmonisation of fines - and their amounts. The methodology for calculating the amount of a fine is set out in five steps, with national authorities being allowed discretion to apply a different methodology.

1. Identifying the processing operations in the case and evaluating the application of Article 83(3) GDPR
2. Finding the starting point for the calculation based on an evaluation of:
   1. the classification in Article 83(4)-(6) GDPR;
   2. the seriousness of the infringement pursuant to Article 83(2)(a), (b) and (g) GDPR;
   3. the annual turnover of the organisation concerned with a view to imposing an effective fine.
3. Evaluating aggravating and mitigating circumstances related to the - past or present - behaviour of the organisation concerned
4. Identifying the relevant legal maximums for the different processing operations, and calculate the (provisional) amount of the fine
5. Analysing whether the final amount of the calculated fine meets the requirements of effectiveness, dissuasiveness and proportionality

Comparison with the Dutch guidelines for GDPR fines

There are three aspects where the European guidelines and the Dutch guidelines for calculating GDPR fines differ. For example, the turnover of the organisation concerned is an immediately relevant starting point in the European guidelines, whereas the Dutch guidelines that element plays a limited part only - according to the AP, it does not become a factor until the final stage of the calculation. Thus, the European approach is more in harmony with the GDPR, as Article 83 clearly provides that turnover can be a factor in determining the amount of a fine.

The EDPB guidelines also expect individual watchdogs to evaluate the seriousness of the infringement. That seriousness is categorised into three levels: low, medium, and high. The level of seriousness of an infringement determines the starting amount and impacts the legal maximum applicable:

1. Low level: 0-10% of the legal maximum
2. Medium level: 10-20% of the legal maximum
3. High level: 20-100% of the legal maximum

Lastly, the European guidelines take a different approach to bandwidth. Like the AP's current guidelines, the EDPB guidelines apply bandwidths - or, in the proposed text: ranges - within which the amount of a fine is determined. However, where the AP applies a bandwidth within which the amount of the fine is determined as a rule, the EDPB uses its ranges to determine the starting point for further calculation. The final calculation may arrive at a higher - or lower - amount.

Conclusion

Once approved, the EUropean guidelines for calculating GDPR fines will, to an extent, definitely impact organisations that fall within the scope of supervision of the AP. After all, the AP will no longer have discretion in following its own guidelines and will be forced - although they are mere guidelines - to follow the lines set out by the European watchdog. As these lines appear to suggest a more stringent policy with regard to fines, the fines imposed on Dutch organisations may turn out to be higher than before. That is in any event to be expected in view of the purpose of the new guidelines: uniformity and harmonisation.

As it is, though, the proposed guidelines apply only to private organisations, as not all European supervisors are authorised to impose fines on administrative bodies. So the actual impact of these guidelines on administrative bodies (in the Netherlands and elsewhere) will have to be awaited.

If you want to learn more about this topic, feel free to contact Sophie Hendriks.