Diverging fining policies of European DPAs: is there room for coherent enforcement of the GDPR?

The European Union’s (EU) General Data Protection Regulation (GDPR) puts forward a non-exhaustive list of criteria in Article 83 that Data Protection Authorities (DPAs) need to consider when deciding whether to impose administrative fines and in determining their amount in specific cases. Notoriously, the ceiling for administrative fines put forward by the GDPR is high – up to 20M EUR or 4% of a company’s worldwide annual turnover for breaching specific rules (e.g. the rights of the data subject), and up to 10M or 2% of the same turnover for breaching the rest of the provisions (e.g. data security requirements), leaving ample room to calibrate the fines to the facts of a case.

While it was expected that independent DPAs would give the criteria different weight in their enforcement proceedings, depending on their own legal and cultural context, the past four years of enforcement experience have shown that fining policies and practices vary considerably among EU DPAs. 

Some DPAs decided to formulate fining policies and publish them, while others merely built their own body of case-law and created practice around how these criteria are applied without formalizing such policies. The DPA of the German State of Bavaria was one of the first to publish non-binding guidance on the matter: in September 2016, it revealed it would devote particular attention to previous data protection infringements and the degree of collaboration the investigated parties offer during the proceedings.

To avoid having DPAs taking diverging approaches to setting fines under the new
