The 27 European internet control agencies must further harmonise their activities. The European Data Protection Board (EDPB) works to develop the standardisation of the methodologies of the data protection bodies of the different Member States.
Entered into force on May 25th, 2018, GDPR relies on the supervisory authorities of the 27 EU Member States. In case of doubt, a company should contact the data protection authority of the Member State where its main establishment is located. This authority is then referred to as the lead authority. The main establishment of a company is either the place of its head office in the EU, or the establishment within which the decisions relating to the purposes and methods of the processing of personal data are taken.
When companies carry out transnational processing, i.e. processing involving citizens of several Member States, the data protection authorities of the States concerned are legally required to ensure compliance. With the aim of providing a single response for the entire territory of the Union, the lead authority cooperates with the data protection authorities concerned in the context of joint operations. Decisions are adopted jointly by all authorities concerned, particularly in terms of sanctions. Companies therefore benefit from a single point of contact for the European Union in terms of personal data protection.
The national protection authorities united within the EDPB
All national protection authorities are united in a European Data Protection Board (EDPB), which ensures the uniform application of data protection law. The members of the EDPB include the heads of the authorities of the supervisory authority of each Member State, the European Data Protection Supervisor and, without the right to vote, the representatives of the authorities of Norway, Iceland and Lichtenstein. It should be noted that the European Commission may participate in the activities and meetings of the EDPN but, again, without the right to vote.
Among the 27 European supervisory authorities, the French data protection authority, the CNIL, is one of the most active. In 2021, it imposed 18 sanctions for an amount of 214 million euros. These penalties include 15 fines (including five with injunctions under penalty) and two calls to order with injunctions. Also in 2021, decisions concerned a wide variety of business sectors and players. Among the most frequent breaches were failure to inform and excessive retention periods. Of these 18 sanctions, half involved a violation related to the security of personal data.
A record number of formal notices were also reached in 2021, with 135 decisions issued, including two made public (against Clearview and Francetest) and three adopted within the framework of European cooperation. This represents a very significant increase in the number of formal notices compared to previous years, with a multiplication factor of 2.75.
Luxembourg and Ireland: the highest sanctions
While the CNIL is active on the sanctions front, it is not the most severe. In August 2021,
the Luxembourg data protection authority, the CNPD (National Commission for Data Protection) inflicted the highest penalty to date against Amazon: 746 million euros. The e-commerce specialist has appealed this record fine. At the time of writing, the result of the appeal is unknown.
The Irish data protection authority, the DPC (Data Protection Commission), sanctioned WhatsApp, a subsidiary of Meta, ex-Facebook, to the tune of 225 million euros in September 2021. This amount was initially between 30 and 50 million euros. euros. The action of eight European national data protection authorities, who criticised the DPC, saying the fine was too low, made it possible to trigger the conflict resolution mechanism of GDPR. This resulted in the EDPB (European Data Protection Board) taking over and imposing the 225 million euros on the Irish DPC. WhatsApp have appealed this decision. At the time of writing, the appeal has not concluded.
In October 2020, the German data protection authority, the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit, sentenced H&M to a fine of just over 35 million euros. The German Federal Commissioner for Data Protection and Freedom of Information accused the German subsidiary of the Swedish group of having illegally collected and stored personal data on several hundred of its employees between 2014 and 2019, which constituted illegal surveillance.
Harmonisation of the necessary methodologies between European data protection agencies
In May 2022, the European Data Protection Board adopted a guideline aimed at harmonising the methods for calculating administrative fines adopted by national authorities. This guideline establishes harmonised starting points for the calculation of a fine and notes that three elements must be taken into account: the categorisation of the infringements by nature, the seriousness of the infringement, and the turnover of the company.
In particular, this guideline refers to the fine imposed by the Irish Data Protection Commission on WhatsApp. Even if the amount has been rounded up, the 225 million euros represents only 0.08% of Facebook’s turnover, while GDPR provides for fines of up to 4% of global Facebook revenues. The effort to coordinate and smooth methodologies between all European supervisory authorities is, therefore, a real project for the years to come.