Core to the one-stop shop mechanism, the EDPB serves as an independent umbrella organisation for the European data protection authorities (DPAs). The EDPB’s role is central to ensuring consistent application of the GDPR across the EU, and it also settles disputes in matters of cross-border processing where a group of DPAs is unable to agree on a cross-border decision. The EDPB issued two (2) key guidelines on May 24, 2023:

  1. Guidelines 03/2021 on the application of GDPR Article 65(1)(a), and
  2. Guidelines 04/2022 on the calculation of administrative fines under the GDPR.

These final guidelines, which aim to reinforce the administrative and disciplinary proceedings of the EDPB as well as those of the DPAs, provide a clearer picture of the jurisdiction of these independent authorities, which is particularly relevant for those who may be directly or individually affected by a decision from them. We have concisely distilled the notable points below.

Guidelines 03/2021 on the application of Article 65(1)(a) GDPR:

As a creation of the GDPR, the EDPB is able to make decisions that bind a panel of DPAs under Article 65(1)(a). The Lead DPA is the primary point of contact for the controller or processor for the processing at issue, while the other Concerned DPAs represent the affected individuals in their territory. It is the Lead’s responsibility to drive the collaboration process by working with the others to reach agreement on the issues, and then to prepare the draft decision. If none of the Concerned DPAs object to the draft decision, the Lead can go ahead and adopt it. But once there is an objection from one or more of the DPAs, the dispute resolution role of the EDPB is activated, and that is where this guideline comes in. Some of its notable takeaways include:

  • Deadlines for adopting a binding decision: The guideline provides a specific time limit for adoption of a binding decision. The EDPB is to adopt a binding decision, by a two-thirds majority, within one (1) month from the date the DPAs have referred the file to the EDPB. Although this deadline is extendable by another month and two weeks, the extension is not automatic and can only be effected by at least one-third of its members or by a deciding vote of the EDPB chair. Calculation of the time limits concerned includes public holidays and weekends.
  • The EDPB’s competence to issue binding decisions: According to Article 65(1)(a) GDPR, the EDPB binding decision shall concern all the matters which are ‘the subject of the relevant and reasoned objection’. The guideline clarifies (with examples) which subject matters will constitute a relevant and reasoned objection that triggers the jurisdiction of the EDPB. They comprise: infringements of the GDPR; gaps in the draft decision justifying the need for further investigation; insufficient factual information or reasoning; procedural aspects; and the specific action envisaged by the draft decision. Conversely, the EDPB would not be competent to issue a decision where the matter concerns conflicting views on the competence of any of the supervisory authorities concerned, or where a competent DPA does not request or otherwise follow the opinion of the EDPB issued under Article 65.
  • The right to fair hearing: The guidelines provide that any of the persons who would be adversely affected by the binding decision of the EDPB, including the controller(s) and/or processor(s) subject to the draft decision of the lead authority, will be afforded the right to be heard by the EDPB before a decision is adopted. This right will not necessitate an oral hearing as documentary submissions will suffice.
  • Challenging the validity of a binding decision: Any entity (ideally the controllers, processors, or relevant DPAs) directly and individually concerned by a decision of the EDPB can bring an action before the CJEU for annulment within two months from the date the decision was delivered[1]. However, this will not affect the enforcement of the decision by the Concerned DPAs unless the controller or processor secures a stay from its national court[2]. Interestingly, the guideline includes provisions which act to limit a complainant’s right of appeal by providing that a national court will not have the power to declare the EDPB’s Article 65 decision invalid. Instead, where a court considers the decision invalid, it must refer the question of validity to the Court of Justice (CJEU). It also adds that where a complainant fails to bring a timely action for annulment of an EDPB binding decision, they lose the right to challenge the validity of the decision before national courts[3].

Guidelines 04/2022 on the calculation of administrative fines under the GDPR:

Article 83 of the EU GDPR provides the general conditions for the imposition of administrative fines by DPAs, and it is from this provision that the guideline flows. The position is still largely the same: the ‘quantification’ of fines is at the discretion of the DPAs but must be effective, proportionate, and dissuasive in each case. The criteria that the DPAs must evaluate when deciding whether, and to what degree, fines can be issued still reasonably include considerations of whether there was: intentional infringement, refusal to mitigate harm, or lack of cooperation with authorities, among other things. The EDPB has sought to set down a clear method of calculating the appropriate fine amount in each case through the five-step process set out in the guidelines. The main takeaways to note from this guideline are:

  • Case categorisations: For the first step, DPAs must assess what conduct the fine equates to, particularly whether combined infringements occurred, as there are cases where several sanctionable acts result in multiple infringements. The rules clarify this by identifying three (3) categories into which a case may fall: concurrence of offence, unity of action/processing, and plurality of actions. The way the fine is calculated will depend on the category of the case in question. In a case where there is a unity of action, for example, the total amount of the fine shall not exceed the amount specified for the gravest infringement, whereas in a case where there is a plurality of actions, the DPAs can impose individual fines for each, without there being a single legal maximum applicable to their sum.
  • Legal maximums, numbers and percentages: As a starting point, Art. 83(5) GDPR outlines the legal maximums for the purposes of fines. For very serious infringements, the fine can be up to 20 million euros, or 4% of the undertaking’s total global turnover, whichever is greater. Less serious infringements, however, carry a lower maximum of up to 10 million euros or up to 2% of total global turnover, whichever is greater. The guidelines go further to provide two thresholds that DPAs may employ. Firstly, DPAs would consider each case’s specific facts and circumstances to determine the appropriate level of seriousness (low, medium or high) to ascribe. For low-level violations, administrative fines will range from 0 to 10% of the legal maximum, 10% to 20% for medium-level violations, and 20% to 100% for high-level violations. So, the higher the severity of the violation, the higher the amount of the fine. Secondly, DPAs can also decide to categorise fine amounts using a tiered approach based on the size of an undertaking and its annual turnover, such that the higher the turnover of the undertaking within its applicable tier, the higher the starting amount for the calculation of the fine, and vice versa.
  • Overall maximum amounts: Although the guideline does not provide fixed sums for specific infringements, it does emphasise the overall maximum fine amounts provided in Article 83 of the GDPR, which are: up to 10 million euros or 20 million euros respectively (static maximum amount), or alternatively an amount based on the undertaking’s turnover, i.e. up to 2% or 4% of the undertaking’s total annual turnover of the previous financial year (dynamic maximum amount). The DPAs would apply the turnover-based amount where it is greater than the static amount in a given case. Also, the guideline importantly clarifies that an undertaking “encompasses every entity engaged in an economic activity, regardless of the legal status of the entity and the way in which it is financed.”
  • Aggravating and mitigating circumstances: The guidelines make it clear that the numbers and percentages identified above are not fixed amounts for infringements; rather, the DPAs must evaluate the nature of each infringement, which includes investigating the positive actions taken by the controller/processor to mitigate, or the conduct that aggravated, the damage suffered by the data subjects. The elements considered are not out of the ordinary and include the usual considerations of technical and organisational measures taken, prior infringements, degree of cooperation, adherence to approved codes of conduct, and so on.

Why this is important: The EDPB has been playing an increasingly significant role in the enforcement of the GDPR. Since November 2020, when it issued its first binding decision, there has been a clear trend of the deciding body issuing final decisions, especially against big technology companies operating in the EU, with its most recent ruling recording the highest fine awarded so far under the EU arbiter’s remit. On the one hand, such a decision would elicit questions from observers about the EDPB’s authority to issue binding rulings in cases arising from national DPAs, when it is appropriate to exercise this authority, whether there are any restrictions on the punitive fines that can be imposed, and the criteria used by supervisory authorities in determining the appropriate fines in each case. On the other hand, given the recent news coverage of EDPB rulings, this may be an opportune measure by the EDPB to strengthen its competency as a decision-making body. In either case, interested parties conducting business within the EU would do well to be aware of its contents and take the necessary precautions.


[1] Article 263 TFEU

[2] Article 78 GDPR

[3] Para. 130-132, Guidelines 03/2021

Author

Vin leads our London Data Privacy practice and is also a member of our Global Privacy & Security Leadership team, bringing over 22 years of experience in this specialist area and advising clients from various data-rich sectors including retail, financial services/fin-tech, life sciences, healthcare, proptech and technology platforms.

Author

Paul is head of cybersecurity in the UK and a key member of our wider data protection team. For 15 years, Paul has guided clients through all types of major data security incidents as well as complex technology and data disputes. Paul pioneered an award-winning data breach and dark web scanning tool which was the first product of its kind in the legal market.

Author

Chiemeka works as a privacy specialist in Baker McKenzie's Intellectual Property & Technology Practice Group and is based in the firm's London office. He is a Nigerian-qualified lawyer who focuses on data protection, privacy, and technology transactions.