GDPR Fines - Article 83

For a number of years, data breaches, hacks and breaks in security have been on the rise, resulting in the exposure of consumers' personal information. In response to this, many privacy laws have been enacted to help protect this data. One such law is the General Data Protection Regulation (GDPR) from the EU.

Companies have been fined millions for violating the GDPR's rules and regulations. For companies looking to avoid facing these heavy fines, it's necessary to understand what exactly qualifies as violating the GDPR and what are the ways your company can limit or avoid these fines.

What is the GDPR?

The GDPR is the EU's governing body of law on the collection, processing, and transfer of personal data on the internet. It protects EU citizens from the illegal collection, misuse, and misappropriation of their private and sensitive information by websites and apps.

This regulation applies to all websites, apps, and ecommerce stores that interact with EU citizens, not only those that are based in the EU. Any company that collects or uses the private data of EU citizens must comply with the GDPR's rules.

It's also one of the strictest privacy laws to date and has influenced companies and national governments to update their policies and processes to comply with its rules.

Failure to comply with the GDPR can result in significant fines.

Fines Under the GDPR

Fines are controlled by Article 83 of the GDPR. Under this section, there are multiple ways companies can violate the law and trigger a Data Protection Authority to issue fines.

There are two primary types or tiers of infringements, depending on what is being infringed.

Under section 2 of Article 83, authorities take into account certain factors when determining the severity of the infringement, which can affect what tier is applicable. The factors that are considered include:

1. Nature, gravity and duration of the infringement: What was the nature of the processing concerned, the amount of people affected by the infringement, and the level of damage suffered?
2. Negligent or intentional: Whether the infringement was due to the company's negligence or done intentionally.
3. Mitigate: Did the company or app take any steps to mitigate the damage, such as giving timely notification of the breach to consumers?
4. Organizational Measures: What the extent of responsibility of the company is, by taking into account technical and organizational measures that the company implemented.
5. Previous infringements: Has this company or app had previous relevant infringements?
6. Cooperation: How well did the company cooperate with the supervisory authority to help mitigate the damages? For example, were they willing to follow the authority's rules after the breach and take appropriate steps?
7. Data: What were the categories of data that were affected? Was it only names and emails or did it include more sensitive data, such as credit card information?
8. Supervisory Authority Notification: How was the authority notified? Were they told immediately upon discovery of the breach or did the company delay in reporting it?
9. Article 58(2): If there have been measures under this article that have been ordered against the particular company regarding similar circumstances, such as warnings that practices may cause later infringement or breaches.
10. Certification Mechanisms: Has the website followed the codes of conduct and approved certification processes?
11. Other aggravating or mitigating factors: If there are any other extenuating circumstances that may have led to the infringement. This may include losses avoided or financial gains.

Considering these factors, let's take a closer look at the two different tiers of infringements that could determine the severity of fines you may face if you violate the GDPR.

Tier I Infringements

Tier I comprises of infringements of the following provisions of the GDPR:

1. Obligations of the controller and the processor: What are the obligations a controller (or company) has to the collection of the information of children, how is the identification of the data determined, the responsibilities of the controller, and are the controller's protections certified by the appropriate authority? (Articles 8, 11, 25-39, 42-43)
2. Obligations of the certification body: Whether the data protection certification is commissioned by the right supervisory authorities and complies with the GDPR. (Articles 42-43)
3. Obligations of the monitoring body: Is a federal or governing body taking appropriate actions against controllers or processors that infringe on the GDPR, such as suspension or exclusion? These monitoring bodies have long-reaching arms. Under the GDPR, a French authority has the right to fine a U.S. company if it infringes on the rights of French citizens. (Article 41(4))

If a website or app infringes on any of the above sections, they could face up to €10 million or up to 2% of the total worldwide annual turnover for the company's preceding fiscal year, whichever number is higher.

Tier II Infringements

In contrast to Tier I infringements, Tier II applies to those that infringe upon:

1. The basic principles of processing, including conditions for consent: This encompasses the section of the GDPR that applies to the lawfulness of the data collection, how the data is processed, protection of sensitive information, and how the data is protected. (Articles 5, 6, 7, and 9)
2. The data subjects' rights: These types of infringements relate to the transparency of data collection practices, what information is provided to consumers about the data collection, right to access data, right to be forgotten, right to restriction of collection, and right to object to use of data. (Articles 12-22)
3. The transfers of personal data to a recipient in a third country or an international organization: This is especially important as many companies use third-parties to help with the running or analytics of their websites. Companies need to be aware of the transfer safeguards they use when sending data, what the adequate level of protection is, and the corporate rules that apply when sending information to outside parties or outside of the EU. (Articles 44-49)
4. Any obligations pursuant to Member State law adopted under Chapter IX.
5. Non-compliance with the supervisory authority: Did a company fail to comply with an order, a limitation on data processing, or a suspension of data flows that its supervisory authority decreed? (Articles 58(1) and (2))

Tier II has significantly higher fines if a website is found to have infringed on one these specific provisions. Under this tier, you could face up to €20 million in fines or up to 4% of the total world wide annual turnover for the preceding year, again whichever is higher.

An important thing to remember is that if a controller negligently or intentionally infringes on multiple provisions of the GDPR, the total amount of fines won't exceed those of the worst infringement.

Also, when thinking about GDPR fines, remember that member states of the EU can also apply additional fines. Under Article 84, Member States "shall lay down the rules on other penalties applicable to infringements of this Regulation."

Examples of GDPR Violations

The extent of the GDPR's violations are broad. These violations can include your company's own violations and also violations of third-party companies that your website or app uses. Failure to properly review and keep track of your third-party partners could result in huge fines by the GDPR.

The EU Commission offers a good example of how a company may violate the GDPR and face potential fines:

Article 83 fines can be imposed on both large and small companies. In fact, the biggest fines that have been imposed by the GDPR since its enactment have been on some of the largest global companies. Below are a few real life examples of companies that have faced fines and articles they may have violated:

Article 12: Google was fined €50 million in 2019 for its failure to make its data collection statements "easily accessible" to consumers and failed to gain consent when using that data for ad campaigns. This was a major violation because one of the GDPR's main goals is to create transparency between companies and their consumers when it comes to data collection.

Article 7: Not all fines are for the failure to protect consumer data. They can also be for failure to protect your own company's employees' data, too. H&M was fined by a German authority when it was discovered that it was secretly collecting and monitoring its employees' data. The data was then used for employment practices without the consent or knowledge of its employees.

Article 24: British Airways was originally fined £183.4 million when visitors to its site were being redirected to a fake site which resulted in the breach of sensitive data. The severity of the fine was heightened because it was determined that the breach was due to the negligence of British Airways in maintaining its practices and monitoring. The fine was significantly lessened due to COVID-19.

Articles 32-34: A fine for a data breach was laid against Marriot when millions of customers' data was exposed. This was a significant breach not only because of the amount of consumers that were exposed but also because the breach was not discovered until four years after the hack actually occurred.

Mitigating GDPR Fines

As mentioned above, there are numerous factors governing bodies take into account when determining the severity of the fines when the GDPR is violated. One of the most important factors is mitigation.

Did the violating company mitigate the damages to its consumers? Did they report the breach to the appropriate governing body in a reasonable matter of time? These are some of the questions that are considered when determining how much you may be fined.

Remember, mitigation is extremely important not only to protect your consumers' data but also to protect your own company. If your company is faced with a breach or a security issue is discovered, here are few things you can do to help mitigate the potential damage:

1. Immediately notify users of the breach
2. Notify the governing body in your country or state of the breach as soon as possible
3. Take appropriate steps to implement better protections or processing to heighten your security
4. Implement plans or steps for routine maintenance and checking of your own website and third-party companies you use and partner with

Summary

Following the GDPR's regulations is essential to protecting your customers, and your company from potential fines. Article 83 states specific ways you can infringe upon its regulations. Depending on which Articles are infringed upon and the severity of the infringement, the amount of fines issued can vary greatly.

Constant checking and updating your policies and procedures will help you limit violations and potentially help reduce any fines that may occur.