Maximum data protection fines could reach 4% of business turnover under latest EU proposals

Out-Law News | 04 Dec 2015 | 2:20 pm | 3 min. read

Businesses could be fined up to 4% of their annual global turnover for breaching new EU data protection laws under the latest plans for a new General Data Protection Regulation.

Trilogue negotiations on the wording of the Regulation, involving representatives from the Council of Ministers, the European Parliament and European Commission, have been taking place since the summer. Negotiations are expected to conclude before the end of the year.

Recently it emerged that "tentative agreement" on some aspects of the new Regulation, including on provisions on liability for non-compliance with the new regime, had been reached as part of the trilogue talks.

However, the Parliament and the Council have been in disagreement over a number of areas of the Regulation, including the maximum level of penalties that data protection authorities should have the power to impose.

MEPs backed plans to set a cap on fines of up to 5% of a company's annual global turnover, or €100 million if greater. The Council, which is made up of representatives from the national governments of EU countries, got behind a 2% of turnover cap on fines under a complex three-tiered system of penalties.

However, according to a leaked document from the presidency of the Council, published by Statewatch, the Council is being asked to support compromise proposals (7-page / 35KB PDF) which would see the maximum possible fine for a breach of the new Regulation set at 4% of global annual turnover for "an undertaking", or €2 million for other organisations.

Those maximum thresholds would apply to cases of infringements that concern "the rights of data subjects", with other thresholds proposed for other types of breaches in an adaptation of the Council's three-tiered system of penalties.

Where a data controller breaches a part of the Regulation which concerns obligations it is bound by then the maximum financial penalty that a data protection authority could serve would be a fine capped at 2% of turnover for a business, or €1m for other types of data controllers. Those same thresholds would apply to breach cases, involving data controllers or processors, that concern "non-compliance with an order of the supervisory authority", according to the Council presidency's compromise proposals.

The leaked Council presidency document also indicated that the Council might make concessions to MEPs on proposals that concern the appointment of a data protection officer (DPO).

Whilst MEPs have wanted organisations to be required by the new Regulation to appoint a DPO in certain circumstances, the Council was keen not to mandate the appointment of a DPO in any case.

However, under the latest compromise proposals set out by the Council presidency, businesses whose "core activities … consist of [personal data] processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of the data subjects on a large scale" would be under an obligation to appoint a DPO.

Businesses whose "core activities … consist of processing on a large scale of special categories of data … and data relating to criminal convictions and offences" would also be required to appoint a DPO, under the plans. The term 'special categories of data' describes particularly sensitive types of personal data, such as information that reveals a person's race, ethnicity, political or religious views or details of their health or sex life.

Public bodies, other that courts, would also be required to appoint a DPO where they process personal data, according to the Council presidency's document.

According to the proposals, a DPO could be shared by businesses operating in the same group or across several public bodies. A person employed as a DPO would also be allowed to "fulfill other tasks and duties".

The Council presidency proposed that organisations required to appoint a DPO should have up to a year after the new Regulation comes into force to make that appointment.

A DPO would have to boast certain professional qualities and expert knowledge on data protection issues and perform a range of tasks under the new data protection framework. They would have to act as an advisor to their employers on data protection issues, including in relation to data protection impact assessments, monitor their employers' compliance with the Regulation and serve as a point of contact for their employer to data protection authorities.

The Council presidency's compromise proposals also highlighted what potential new data breach notification rules could apply under the new Regulation.

According to the proposals, data controllers would be required to notify data protection authorities of a personal data breach "without undue delay and, where feasible, not later than 72 hours after having become aware of it" unless that breach is "unlikely to result in a risk for the rights and freedoms of individuals".

Where a breach originates with a data processor, those companies must notify the data controller "without undue delay after becoming aware of [the] breach".