
It has been eight months since the Court of Justice for the European Union struck down the 15-year-old Safe Harbor arrangement between the EU and US. At the time, there was a good deal of consternation over the future of EU-US data exchange and just how businesses would continue to operate.

Despite several fits and starts, parties on both sides of the pond worked hard to remove and address their own respective internal barriers and to create the necessary legal framework to reestablish data exchange connectivity.

Officially, the General Data Protection Regulation (GDPR) 2016/679 went into force on May 24, 2016, but it will not enter into full force until May 6, 2018. In other words, companies, individuals and agencies that are impacted by the GDPR have just under two years to right the proverbial ship and be ready to operate in the new GDPR environment. For an overview of the GDPR, see the run-through of the upcoming changes offered by Tripwire’s Paul Edon.

With the broader points in context, this article will focus on the penalties, fines and punishments that can be levied against entities that run afoul of GDPR. As a threshold issue, unlike many regulatory frameworks, there is no rigid timeframe for the changes to be made. Rather, GDPR expects each member country to create its own timeline and update the Commission on progress made towards the May 2018 deadline.

With that in mind, today’s focus is the penalties of failure.

Before digging into that, it is important to note one key shift in the GDPR from the previous framework. Under the new regime, the focus is not on where the business is located but on where the business activity occurs. The implication of this shift is that the GDPR effectively becomes global law.

If your company is doing business, offering services, or performing activities on behalf of EU citizens, the GDPR may apply. It also bears mentioning that the new framework has the mechanisms in place to allow member states to create criminal penalties that can include deprivation of profits.

Probably the most significant changes under GDPR are the powers given to the Data Protection Regulators (DPR) who have the authority to create a penalty framework that will range from simple reprimands to hefty fines. Regardless of the DPR penalty framework, the GDPR states that all penalties must be effective, proportionate to the offense, and dissuasive.

With that in mind, here is the penalty breakdown within the regulation:

Fine: 10,000,000 Euros or 2% of Global Turnover, for offenses related to:

  • Child consent;
  • Transparency of information and communication;
  • Data processing, security, storage, breach, breach notification; and
  • Transfers related to appropriate safeguards and binding corporate rules.

Fine: 20,000,000 Euros or 4% of Global Turnover, for offenses related to:

  • Data processing;
  • Consent;
  • Data subject rights;
  • Non-compliance with DPR order; and
  • Transfer of data to third party.

Three very important notes regarding the above schedule: First, the penalty will be whichever number is greater, either the flat fine or the percentage of global turnover. Global turnover applies to all sales of a company, net of taxes. Second, the GDPR authorizes penalties in the event of both material and non-material damages. Finally, the above list is a summary and not intended to be exhaustive. Rather, it represents the author’s amalgamation of a wide array of possible situations contained within the regulation into digest form.

GDPR is coming. Prepare now!

/s/ HH @LegalLevity

  • Martin Hepworth

    GDPR and Safe Harbor/Privacy Shield aren't really linked, other than they relate to European citizens' data.

  • Human_condition_revisited

    Interesting. Lucky me, having zero sales in the EU.
    Overall though it seems to me that the Court of Justice for the European Union is mistaken in structuring this law as advertised in your article.

    1) Any court of law that does not vary a penalty according to the actual extent and gravity of any real or perceived violation of a given law… is from the start no longer a court of “Justice”, but a court of “Highway Robbery”. To be concerned with meting out justice requires to be able to carefully measure and weigh “what it is” that is in such need to be punished. It takes judgment and common sense, which this court of justice does not concern itself with. Clearly, such laws cannot be passed with the “consent of the governed”. Making such laws without asking the member states for comment is one among many things that will become the downfall of the EU.

    2) All big multinational companies with big legal battle treasury chests will either take this as a cost of doing business (as a hidden tax) or will fight it tooth and nail, to the point of no longer doing business in the EU. If the punishment does not fit the crime, companies will leave. That means these jobs go bye-bye.

    3) Any small to medium company in the EU, with sales of less than 10 or 20 million Euros per year will immediately be bankrupted by such absurd and draconian penalties. It begs the question as to whether these judges obtained their law degrees in the (prior) USSR or China, North Korea or Pakistan and similar bastions of the rule of law.

    4) Overall, this will reduce jobs (which the EU apparently doesn’t need) and overall trade and economic activity. It’s about as smart as Trump’s wall, which will do nothing but replace the currently existing walls and fences, with bigger and costlier walls and fences.

    5) The United States really has a hard time levying corporate taxes and penalties on the worldwide income of corporations. Europe, with less reach, less money and less power to enforce penalties on global income (sales, turnover), will find it even more difficult. It might be questionable, under existing international law and various trade and tax treaties, whether the global sales of a company can be subject to a penalty that occurs in a particular jurisdiction.

    6) Anyone “who knows anything” about the internet and electronic communications will be quite aware that it is impossible to provide “100% safety” in the internet environment. It is a constant battle, with every new threat leading to a new defense, which in turn leads to a new way around that defense or some other attack vector. Clearly then, these judges are either very misinformed, or else they actively strive to achieve a type of compliance that cannot be achieved, even with the best efforts. Hence these judges are ignorant of the subject matter they try to “regulate” and try to deliver punishment that is most unfairly levied on any smaller company that is less able to understand and comply with such laws on account of insufficient financial strength to do so.

    7) My prediction: As soon as the first penalties are applied, there will be enough legal wrangling to strike this law down, and/or make it more reasonable, cut to size and shaped according to regional jurisdictions.

    In general, this law is yet another bad idea in the already so crowded history of bad ideas.
