The data fines arms race is on

DPC report confirms major fines increases and flags regulator enforcement 'arms race'

The Irish Data Protection Commission's Annual Report for 2022 gives an interesting insight into GDPR enforcement and how fines are calculated, as well as highlighting differing views on fine levels amongst EU regulators.

In 2022, the Data Protection Commission (DPC) issued over €1 billion in punitive fines against Big Tech firms. Of the thousands of complaints handled, the regulator investigated numerous cross-border complaints as Lead Supervisory Authority.

[Image: Rafi Azim-Khan] Rafi Azim-Khan is head of data privacy at Pillsbury Law.

The DPC's recent approach to enforcement has highlighted that other regulators can and do influence investigations and fine levels, underlining the importance of the GDPR co-decision process for reviewing draft decisions.

In relation to some high-profile, large-scale cases that led to significant fines, the report highlighted that some regulators want to see even higher fines - and that disagreements can arise:

"The DPC submitted a draft decision to the Article 60 process. The DPC received objections from other concerned supervisory authorities and was unable to reach consensus."

The Article 60 process governs how EU data regulators cooperate when deciding on cross-border breaches. Essentially, the DPC investigated and decided on what it thought would be appropriate in terms of a fine but then had to submit its decision to other EU regulators, who did not always agree.

If disagreements cannot be overcome, the matter is escalated to the European Data Protection Board, which ultimately decides.

What does this mean for companies looking to do business in Europe?

International businesses looking to launch or grow in Europe have a myriad of considerations when deciding where to base their EU operations.

Aside from the host of operational EU regulations companies must comply with, such as health, safety and environment regulations, and CE marking, one of the most impactful is GDPR.

Many tech firms have seen Ireland as the default choice for their EU headquarters, given a perception that the DPC was less aggressive than other EU counterparts regarding the enforcement of GDPR breaches. With the recent spike to over €1bn of fines in the latter half of 2022 alone, however, that perception will need rethinking.

The report also highlights the willingness of EU regulators to pile pressure on one another's enforcement activities. While companies may value the perceived ability to have a good working relationship with their home authority, this may be rendered irrelevant if any such penalty falls at the Article 60 hurdle.

The potential wider consequence of repeated Article 60 disagreements is a situation in which EU regulators feel pressured to increase the fines they impose, in order to avoid having their decisions challenged by their counterparts.

What is clear is that the gloves are now off, and many regulators are looking to impose much larger fines, either enforcing these themselves or via input to others.

The key advice businesses should follow is to understand that these fines are not just for cyber-breach-type events but, increasingly, for basic non-compliance, so fresh reviews of policies and procedures are key. A choice of 'home' in terms of location and data authority alone is unlikely to be enough to save you.