It has been eight months since the Court of Justice for the European Union struck down the 15-year-old Safe Harbor arrangement between the EU and US. At the time, there was a good deal of consternation over the future of EU-US data exchange and just how businesses would continue to operate.
Despite several fits and starts, parties on both sides of the pond worked hard to remove and address their own respective internal barriers and to create the necessary legal framework to reestablish data exchange connectivity.
Officially, the General Data Protection Regulation (GDPR) 2016/679 went into force on May 24, 2016, but it will not enter into full force until May 6, 2018. In other words, companies, individuals and agencies that are impacted by the GDPR have just under two years to right the proverbial ship and be ready to operate in the new GDPR environment. For an overview of the GDPR, click here to read a run-through of the upcoming changes offered by Tripwire’s Paul Edon.
With the broader points in context, this article will focus on the penalties, fines and punishments that can be levied against entities who run afoul of GDPR. As a threshold issue, unlike many regulatory frameworks, there is not a rigid timeframe of changes to be made. Rather, GDPR expects each member country to create their own timeline and update the Commission as to progress made towards the May 2018 deadline.
With that in mind, the focus of today are the penalties of failure.
Before digging into that, it is important to note one key shift in the GDPR from the previous framework. Under the new regime, the focus in not where the business is located but more on where the business activity occurs. The implication of this shift is that the GDPR effectively becomes global law.
If your company is doing business, offering services, or performing activities on behalf of EU citizens, the GDPR may apply. It also bears mentioning that the new framework has the mechanisms in place to allow member states to create criminal penalties that can include deprivation of profits.
Probably the most significant changes under GDPR are the powers given to the Data Protection Regulators (DPR) who have the authority to create a penalty framework that will range from simple reprimands to hefty fines. Regardless of the DPR penalty framework, the GDPR states that all penalties must be effective, proportionate to the offense, and dissuasive.
With that in mind, here is the penalty breakdown within the regulation:
Fine: 10,000,000 Euros or 2% Global Turnover, for offenses related to:
- Child consent;
- Transparency of information and communication;
- Data processing, security, storage, breach, breach notification; and
- Transfers related to appropriate safeguards and binding corporate rules.
Fine: 20,000,000 Euros or 4% of Global Turnover, for offenses related to:
- Data processing;
- Data subject rights;
- Non-compliance with DPR order; and
- Transfer of data to third party.
Three very important notes regarding the above schedule: First, the penalty will be whichever number is greater, either the flat fine or the percentage of global turnover. Global turnover applies to all sales of a company, net of taxes. Second, the GDPR authorizes penalties in the event of both material and non-material damages. Finally, the above list is a summary and not intended to be exhaustive. Rather it represents the authors’ amalgamation of a wide array of possible situations contained within the regulation into a digest form.
GDPR is coming. Prepare now!
/s/ HH @LegalLevity