Forensic Risk Alliance Partner Simon Taylor reflects on the shortcomings of the ICO’s draft statutory guidance.
This article was first featured in Global Data Review.
Last month, the UK Information Commissioner’s Office (ICO) closed the public consultation on its draft statutory guidance for regulatory action. One of the most keenly anticipated parts of the guidance was the ICO’s stance on the calculation of financial penalties under Article 83 of the General Data Protection Regulation (GDPR). Covid-19 considerations aside, lack of transparency in the ICO’s fine calculation methodology was at the heart of the significant reductions (from the initial notices of intention) seen in the recent British Airways and Marriott cases. By publishing and consulting on this guidance, it is clearly hoped that future climbdowns can be avoided.
Whilst the guidance can be commended for transparency and providing some (but not that much) detail to understand at least one aspect of the financial fallout, it unfortunately misses a golden opportunity to move away from the irrationality of using enterprise turnover as a proxy for calculating fines and leaves a number of open questions. This can only lead to a period of uncertainty and unnecessary litigation in the courts.
Missed opportunity to scrap turnover as a proxy
There are three central reasons why using turnover as a proxy is wrong.
Firstly, and reason enough on its own, there is no mandate or requirement in the GDPR to do so.
Secondly, since turnover does not have a causal connection to or flow from the wrongdoing addressed by the GDPR, it is an inappropriate proxy for the misconduct.
Finally, using turnover is likely in practice to produce inconsistent and anomalous results, such as disproportionately high fines for high-volume, low-margin businesses.
Using turnover for limits, not calculation
On the first point, turnover is only used in the GDPR to set the upper boundary for penalties – 2% or 4% of turnover, depending on which parts of the GDPR have been violated. In the recitals to the GDPR, Recital 150 states that the regulation will set the “upper limit and criteria for setting the related administrative fines”, thus making it clear that the cap on fines and the method for assessing them are separate from one another. Article 83 deals with penalties, and explains the GDPR’s fining principles. The opening paragraph sets the overall objective that fines must be “effective, proportionate and dissuasive” by reference to the infringement in question rather than the turnover of the business concerned. Paragraph (2) specifically lists the factors to be taken into account in deciding the amount of any fine, and while “financial benefits gained or losses avoided directly or indirectly from the infringement” is a relevant criterion, the overall turnover of the organisation is pointedly not one of them. Turnover only comes into play later, at Article 83(4) and (5), and solely for the purpose of setting the upper limit of the fine as referred to in Recital 150 (i.e. 2%/4% of turnover or €10 million/€20 million). Accordingly, from a basic reading of the GDPR, there is in fact no proper basis for employing turnover as a starting point for financial penalties.
What does turnover have to do with harm?
The second reason why turnover should not be used, other than as the ceiling of a fine, is that it bears no relation to the harm that the GDPR was designed to address. As referred to above, Article 83(1) explicitly requires the fine to be proportionate to the harm caused by the infringement. The ‘harm’ is the harm occasioned to data subjects by their data being lost or being misused in violation of GDPR principles: what does turnover have to do with that? The factors relevant to this issue are those set out in Article 83(2) and include the type of personal data involved, how long the violation continued for, whether the data controller acted deliberately or negligently, whether there were profits made or losses avoided, and whether the controller has a record of infringements. The factors do not include how big the turnover is, precisely because, other than providing the basis for a cap, it is irrelevant. Additionally, according to Article 83(1), fines are supposed to be effective and dissuasive – i.e. compliance with GDPR principles is encouraged by the way in which the fine is calculated.
The only behaviour that is encouraged if fines are predominantly based on the size of revenues is the reduction of revenues. Placing the type of personal data lost or misused, the numbers of affected data subjects, the time period of the breach and so on as the key determinants of the size of the fine ensures the final penalty will be “proportionate” to the breach, will “dissuade” GDPR violations and will be “effective” in promoting compliance with GDPR objectives. Basing fines on turnover achieves none of these objectives.
Consistency is key
Finally, using turnover as a proxy for GDPR infringements unfairly discriminates between different types of business and business models and will inevitably lead to inconsistency.
For example, as above, a business that has a high turnover but very low margins will have a higher fine starting point for loss or misuse of data of the same type, volume and value than a business with lower turnover, higher margins and perhaps similar profits. The business with the higher turnover will then have to rely on the ICO adjusting the fine downwards by reference to some of the more subjective elements of the ICO’s methodology, such as “consideration of financial means” or “assessment of economic impact”. Equally, highly diversified businesses are at risk of higher penalties when GDPR infringements occur in an isolated business unit with no connection, from a GDPR perspective, with the rest of the group, but the fine is calculated taking into account the turnover of the whole group.
Additionally, focusing on turnover fails to distinguish between companies whose business is about using data for profit, and those businesses who happen to collect data as part of their activities. If Facebook (turnover $70 billion) has a data breach involving the same number of data subjects, same type of data, same time periods as Walmart (turnover $520 billion), the starting point would be vastly different. Many might in fact consider that the Facebook breach deserved more serious treatment than Walmart, but the way things are structured now, the opposite would be the case. Another example that could be used here is Cambridge Analytica, which was responsible for the harvesting and misuse of the data of 87 million Facebook users. In 2016, before the scandal hit, Cambridge Analytica had a turnover of approximately £31 million: using the ICO’s draft guidance and assuming “very high” seriousness and “intentional” culpability would lead to a fine starting point of 3% of turnover, or £930,000. However, if Facebook were fined based on the part it played, taking 2016 turnover and assuming the lowest level of culpability and seriousness, its starting point would be £875 million.
While it is clear that the GDPR wanted supervisory authorities to significantly increase fines to levels that are “effective, proportionate and dissuasive”, there is in fact no case for achieving this by ratcheting up fines through direct links to turnover.
What is the EDPB’s guidance on fines?
So far, the European Data Protection Board (EDPB) itself has not issued any guidance on fines; its predecessor, the Article 29 Working Party, did so in October 2017, and those guidelines were subsequently adopted by the EDPB.
The Article 29 Working Party guidance emphasises, among other things, that each case is to be assessed individually and that the starting point for assessment is the set of factors set out in Article 83(2), as discussed above. The guidance additionally goes further, stating that “Article 83 (2) provides a list of criteria the supervisory authorities are expected to use in the assessment both of whether a fine should be imposed and of the amount of the fine.”
In other words both the decision to impose a fine and the quantum of any fine should be determined exclusively by the factors in Article 83(2) – turnover should play no part, other than in ensuring that there is an overall cap on the maximum liability for GDPR violations. Given the clarity with which the Article 29 Working Party expressed its views, it is difficult to understand why the UK ICO has opted to use turnover in the way that it has in determining fines. In the first two major cases, British Airways and Marriott, pragmatic resolutions were found without resorting to appeal mechanisms; but it is by no means certain that this will be the case for others on the wrong end of an ICO penalty notice.
What’s the alternative?
The current ICO guidance essentially sets out a top-down approach where turnover, culpability and seriousness of the breach are blended using a grid to create a starting point from which adjustments (up and down) are made in order to reach an outcome. For very serious intentional breaches, the starting point is 3% of global turnover (for infringements where the cap is 4% turnover).
This approach is the wrong way round and, as explained above, not in line with the requirements of the GDPR or the guidance of the EDPB. The correct approach, which would be in line with the GDPR, the EDPB and fining regimes for other types of misconduct, would be to work from the bottom up using the Article 83(2) factors. A bottom-up approach could involve attributing monetary values, for fine calculation purposes, to the types of data lost or misused such as credit card, PINs, passport details, home address or medical information. Amplifiers could be developed to represent the numbers of data subjects concerned, the duration of the breach, the purpose of processing (to distinguish cases of data misuse), the degree of culpability (from negligence to intent) and so on to reflect all of the relevant factors. There are many advantages to this approach, including: showing a clear linkage between the infringement and the harm caused; enabling consistency and harmonisation of fines across the EU; creating trust in the process by providing a granular view of the components making up the fine and the weight given to each factor; providing greater legal certainty to controllers and processors on the financial implications of infringements; minimising the extent to which litigation might be required to resolve disputes; and so on.
The consultation has now concluded and the ICO’s final guidance is awaited. There is a high likelihood that the ICO will persist with the top-down turnover driven approach, but will take the view that the consultation process solves the transparency issues that blighted the BA and Marriott cases. For the remaining cases in the hopper we can expect an emboldened ICO that is less ready to reduce its planned fines.
For the next batch of cases there will be less pragmatism and more litigation – not only over whether the ICO is right as a matter of principle to link financial penalties so closely to the turnover cap but also on other questions, such as the right turnover figure to take; whether the organisation in question has the ability to pay the fine; the economic impact within the sector of imposing such a fine; and the extent to which the organisation has benefitted from the infringement by making additional profits or avoiding costs or losses. All these are open questions as yet untested by any court.