Need for action under data protection law in the light of current measures by the supervisory authorities and the record fine of EUR 14.5 million
Berlin supervisory authority sets an example
At this year's Forum Wohnungswirtschaft at the Deloitte Greenhouse in Berlin, our data protection specialist Dr. Söntje Julia Hilberg explained the practical application of the new guidelines for the application and setting of fines in proceedings against companies within the scope of the EU General Data Protection Regulation (“GDPR”). The following article contains further details and our assessment of the recent decision to impose a fine of EUR 14.5 million and the resulting need for action by companies.
50,000 Euros against an online bank, around 200,000 Euros against a delivery service and most recently the highest fine to date in Germany, at 14.5 million Euros, against a real estate company. The Berlin supervisory authority has so far imposed the highest fines for breaches of data protection law in Germany, and in very different cases. According to publicly available information, not only does the amount of the fines vary greatly, but so do the violations of data protection regulations that companies have been accused of: they ranged from the processing of customer data on "black lists" to the non-observance of data subjects' rights and the use of archive systems for the storage of personal data.
In the following, we shed light on the background to the recently imposed record fine and then present the need for action for companies in the light of the recent practice of the supervisory authorities.
The decision of the Berlin supervisory authority
A detailed legal examination of the administrative order imposing the fine is currently just as impossible as a final evaluation of its content. This is because the complete, reasoned decision on the fine is not yet available, which is why only a preliminary assessment based on the press release of the Berlin supervisory authority, with its brief explanation of the background [Link], is possible.
The press release issued by the Berlin data protection commissioner expresses the legal view that the company concerned has stored data without a legal basis.
According to the press release, the imposition of a fine for violations of Art. 25 (1) of the GDPR and Art. 5 of the GDPR was therefore "mandatory". The aforementioned standards contain provisions on data protection through technical design and data protection-friendly default settings (Art. 25 para. 1 GDPR) as well as general principles on the requirements for data processing (Art. 5 GDPR).
Both standards are characterised by the use of indeterminate legal terms which - unlike the "hard requirements" of the GDPR such as the obligation to keep records of processing activities or the appointment of data protection officers - are to be interpreted in individual cases by courts.
The company concerned has announced that it will defend itself against the allegations raised and used as the basis for the decision on fines and that it will have them reviewed by the courts [Link].
In the event that a judicial review actually takes place, it is to be expected that the court called upon to decide will deal with two questions: on the one hand, whether the personal data were stored without a legal basis or whether there were possibly storage obligations that justified the storage; on the other hand, whether and, if so, to what extent violations based on indeterminate legal concepts, such as those contained in Art. 5 and Art. 25 para. 1 GDPR, can be the appropriate subject of fine decisions.
Moreover, it would be interesting if the court responsible for the decision were to deal with the supervisory authority's statement that the fact that no abusive access to the archive systems could be proven was taken into account as a factor reducing the fine. This statement by the supervisory authority could be understood as a special focus on technical and organisational measures to protect against unauthorised access (Art. 32 GDPR). Should this be the case, two (further) aspects become interesting: first, one may ask whether the supervisory authority may attach particular importance to certain regulatory areas, such as technical and organisational measures, and whether infringements can be weighted in a certain order of priority during on-site inspections. In the same way, it will be dogmatically interesting to find out why the supervisory authority, when exercising its discretion, takes into account the non-existence of certain infringements in order to mitigate the fine.
Recognizable practice of the supervisory authorities
In view of the supervisory authorities' practice to date and the concept for the calculation of fines published by the Data Protection Conference (DSK, the conference of the German data protection supervisory authorities) on 16 October 2019 [LINK], the following initial findings for further development and future practice emerge.
1st finding: Data protection is no longer only "best practice"
The "GDPR warm-up phase" is over. The time in which data subjects and the supervisory authorities showed leniency and "goodwill" is a thing of the past.
We are currently at a stage that can be described as a "transitional phase": It can clearly be seen that compliance with fundamental requirements of data protection law is increasingly regarded as a matter of self-evidence, especially with regard to central data protection issues such as data subjects' rights or deletion.
As a result, supervisory authorities are increasingly turning to systematic reviews of various industries and an array of other data protection issues.
At the same time, however, it can be seen that the supervisory authorities do not, as a rule, immediately "crack down" on identified deficiencies. In all the cases described above that led to fines, the supervisory authorities first examined and objected to the findings with considerable lead time and then issued recommendations for remedying the identified data protection deficiencies. As far as can be seen, a thoroughly cooperative approach was adopted in each case. Only when those responsible had taken no measures over longer periods of time were the fines imposed. This step-by-step approach by the supervisory authorities is - to a certain extent - a consequence of the principle of proportionality of executive action; it is laid down in law and is also sensible in practice.
However, it is conceivable that the "transitional phase" that has now begun will not last very long. It can probably be assumed that, as practice develops further, supervisory authorities will be increasingly reluctant to engage in discussions with those responsible in the event of serious infringements and will - also for reasons of deterrence - "take action" more quickly and impose fines.
2nd finding: Use the advice of the supervisory authorities as an aid
If one takes the case of the recently imposed record fine as an example, it quickly becomes clear that the supervisory authorities may (still) carry out on-site inspections and then, to a certain extent, inform the companies of the deficiencies to be remedied. This "homework" should then be thoroughly analysed by all data-processing companies. Legal opinions expressed by the supervisory authorities should not lead companies to take ill-considered measures to remedy the alleged shortcomings. This is particularly true if, after consultation with data protection experts, it turns out that the legal situation in the event of a dispute could be assessed quite differently by the courts called upon to decide. Nevertheless, the information provided by the supervisory authorities should in any case be taken as an opportunity to review data processing - and in this context it is quite possible to continue to coordinate with the supervisory authorities if necessary. This applies all the more if the supervisory authority - as in the recent fine case - indicates that it assumes a deliberate disregard of data protection principles.
3rd finding: Companies have influence over the calculation of the fine
Finally, it can clearly be seen that the supervisory authorities will in future adhere to the concept for the assessment of fines developed and adopted by the data protection conference and that a systematic sanction practice will develop in this respect.
On the basis of the DSK concept, fines will be calculated schematically on the basis of five parameters (company size, annual turnover, daily rates, severity of the infringement and adjustment for mitigating circumstances).
In the event that a violation is identified and a fine may even be imposed, companies should in general cooperate with the supervisory authorities and pay particular attention to the possibilities of influencing mitigating factors. In the case of the recently imposed fine, the press release showed that the fact that (at least) initial measures had been taken with the aim of eliminating the established infringements had been taken into account in particular to mitigate the fine. To ensure that such circumstances can actually be taken into account "in an emergency" in favour of the addressee of the fine, companies should continuously document the measures they have initiated or taken. It can be seen from the previous cases that documented efforts to remedy structural organisational problems can work in the company's favour.
A further "adjusting screw" in the most recent case that mitigated the fine was the "formally good cooperation" with the supervisory authority. This may be understood to mean that good cooperation with the supervisory authority can lead to fines being lower, irrespective of the assessment or remedy of the content of the infringements.
It is therefore advisable to ensure constant communication with the supervisory authority and, in individual cases, to structure communication in such a way that it does not lead to fundamental discussions on data protection law - possibly even irrelevant to the specific accusation.
In any case, professional advice and, if necessary, legal assistance should be sought.
Companies should take the current decision of the Berlin supervisory authority as an opportunity to re-examine key data protection issues (e.g. determining the legal basis for data processing, implementing deletion concepts, dealing with enquiries from data subjects and managing data protection documents such as records of processing activities and data processing agreements). It is true that the press releases on the recently published fine do not provide any direct legal clarification, for example on how to deal with "legacy burdens" in archive systems. From a strategic point of view, however, it is advisable for companies to adjust to a new phase in the practice of the supervisory authorities. This includes, in particular, the need to thoroughly investigate any deficiencies found, for example in the course of investigations by the supervisory authority, and to help, through cooperative behaviour, to ensure that any fine is reduced in the company's favour.