On 18 March 2024, the Information Commissioner's Office (the "ICO"), issued its Data Protection Fining Guidance (the "Guidance") on issuing fines under the UK General Data Protection Regulation (the "UK GDPR") and the Data Protection Act 2018 (the "DPA 2018"). The guidance replaces the sections about penalty notices in the ICO's Regulatory Action Policy which was published in November 2018.
Background
The ICO has the power to issue administrative fines to controllers and data processors. In a nutshell, the data protection legislation gives the ICO the power to issue a fine, when it considers that an organisation has failed, or is failing to comply with its obligations under the data protection legislation or has failed to comply with enforcement notices already issued by the authority.
The amount of the fine is subject to a statutory maximum. Depending on the provisions breached, the ICO can apply two different maximum amounts. The first one, the 'standard maximum amount' can be £8.7 million, or 2% of the annual worldwide turnover of the 'undertaking' (whichever is higher). For more severe infringements, the second option, the 'higher maximum amount' applies, being £17.5 million or 4 % of annual turnover (whichever is higher).
To date, only around a dozen fines have been imposed by the ICO under the UK GDPR, despite the legislation having been in force for almost 6 years. We have also seen a similar trend across Europe. For many European countries subject to the EU GDPR, one potential reason for the low levels of fining activity could be that the power to issue fines was new to several data protection authorities. However, this does not explain away the modest use of fining in the UK as the ICO was also able to issue monetary fines (albeit up to a much lower maximum if £500,000) under the previous Data Protection Act 1998.
The Guidance
The Guidance sets out the circumstances in which the ICO would consider it appropriate to issue a penalty notice, and explains, how the amount of any fine would be determined.
The Guidance is divided into three main sections: (i) statutory background; (ii) circumstances in which the ICO would consider fines appropriate; and (iii) a step-by-step guide on how the ICO calculates the appropriate amount of fine. The subsections underneath answer other common questions, such as how the concept of undertaking is defined, what happens if there are several infringements in play, and what are the relevant aggravating or mitigating factors that can increase or reduce the amount of the fine in practice. As the sanctions regime has been in place for several years, many of these matters have also been previously addressed by the Regulatory Action Policy or by the European Data Protection Board (the "EDPB") guidelines on calculation of administrative fines. Nevertheless, transparency and more certainty on the level and triggers of enforcement from the supervisory authority is always welcome.
There are two special categories in the guidance that we have focused on below, that we find especially interesting. The first is the definition of undertaking, the turnover of which acts as the base unit for calculating the amount of fine, and the second the five-step approach on calculating the fine itself.
Undertaking
One of the most interesting parts is the guidance is the section regarding the concept of 'undertaking'. The term plays an important role as the second limb of the penalty regime, relating to percentage of turnover, only applies if the infringing body is an undertaking. According to the UK GDPR, where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 of the Treaty of the Functioning of the European Union ("TFEU") for those purposes. As the TFEU is no longer applicable in the UK, but still a part of the UK GDPR, this section is considering further.
The Guidance states that where the fined entity is a part of an undertaking, the maximum fine will be calculated based on the annual turnover of the undertaking as a whole. For the purposes of assessing the annual turnover, the principles arising from competition law are the starting point, according to both the EDPB and now the ICO. In the Guidance, ICO concludes that while the provisions of the TFEU or the EDPB decisions no longer apply to the UK, the concept of an 'undertaking' is well established in the UK competition law thanks to the UK and previous EU case law.
The Guidance states that an undertaking refers to any entity that is engaging in 'economic activity', regardless of its legal status or the way it is funded. An undertaking may comprise of one or more persons forming a 'single economic unit', rather than a single legal entity. If the undertaking is engaged in economic activity where it conducts any activity consisting in offering goods or services on a given market, the undertaking is engaging in 'economic activity'. This is regardless of whether the undertaking is motivated by profit or has an 'economic purpose' for such activities.
What then are the factors considered when assessing which entities form an undertaking and therefore the basis of the turnover calculation? According to the Guidance, this broadly rests on whether the breaching entity can act autonomously or whether another entity (e.g. a parent company) exercises decisive influence over it. To evaluate this, the ICO considers all economic, organisational and legal links which tie the relevant subsidiary to the parent. Interestingly, this can include assessing the parents influence over the way the subsidiary provides goods and services to data subjects or process their personal data. The ICO also makes it clear that in a situation, where a parent company owns all, or "nearly all" of the voting shares in a subsidiary, there is a rebuttable presumption that the parent company exercises decisive influence over the subsidiary's conduct. The burden of proof to show that no decisive influence exists is on the parent company.
Importantly, the Guidance confirms that as well as using the concept of an undertaking for determining the relevant maximum amount of fine applicable, the ICO may also hold a parent company jointly and severally liable for the payment of a fine.
In case of an investment company that is purchasing shares of the target company and developing the company and its internal policies before exit, this could lead to difficult situations. If the target company is, or has been breaching the data protection legislation requirements, can the amount of the fine be calculated on the basis of the turnover of the investment company and the target together, or, even the turnover of the whole group? We are not aware that such indications were given by the ICO, but this looks like it could be something to watch.
Five step assessment
Another interesting theme in the Guidance is the five-step approach for calculating the amount of fine. The steps are explored in greater detail below.
Step 1: Assessment of the seriousness of the infringement. The starting point for the fine will be based on the seriousness of the infringement. For lower degree infringements, the ICO will determine the starting point for the fine to be between 0 % and 10 % of the relevant legal maximum for the fine. For medium degree seriousness, the starting point will be between 10 % and 20 % of the maximum possible fine, and for the most serious infringements the starting point can be between 20% and 100 % of the maximum amount. Where the undertaking's total worldwide annual turnover exceeds £435 million (or, for the higher maximum amount, £437.5 million), the percentage will be calculated on the turnover-based percentage figure and for lower turnover undertakings, from the fixed amount specified.
Step 2: Accounting for turnover. After the ICO has established a starting point, it will then look at the undertaking's total worldwide annual turnover in its previous financial year. The ICO provides a very detailed guidance here on how the turnover is determined. The guidance also provides helpful, indicative tables to clarify, how the ranges for possible adjustments are based on the turnover of the undertaking. As a general note, the ICO emphasizes that it is likely to choose a higher amount for undertakings with higher turnover within the applicable rate.
Step 3: Calculation of the starting point. At step 3, having regard to the seriousness of the infringement and, where relevant, the turnover of the undertaking, the ICO will calculate the specific amount for the fine by using a formula and depending on whether the fine is fixed or percentage-based.
Step 4: Adjustments to take into account any aggravating or mitigating factors. After the initial amount has been calculated, the ICO then considers any relevant mitigating or aggravating factors, including interestingly as a specific mitigating factor, any action the controller or processor took pro-actively to report a cyber security breach to other appropriate bodies (such as the National Cyber Security Centre) and whether it followed any advice or guidance provided. These factors can lead to a decrease or increase in the original amount of fine.
Step 5: Adjustment to ensure fine is effective, proportionate and dissuasive. After the calculations, the ICO assesses whether the result is effective, dissuasive, and proportionate taking into consideration the situation as a whole. Finally, having completed all of the steps, the Commissioner will ensure that the final amount does not exceed the relevant statutory maximum amount and decrease the fine if necessary.
The ICO clarifies that the five-step calculation approach is not intended to be mechanic, but it involves overall evaluation and judgment and the individual circumstances of the case. We note that even though the assessment does provide more information on how the authority assesses the fine, especially the fifth step still leaves room for the authority to adjust the fine as they see fit.
It remains to be seen how the ICO will start using their new guidance and whether the proposed changes to the UK data protection legislation made by the Data Protection and Digital Information Bill will, if passed, require amendments, that make this guidance short-lived.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
