Show me the money!
The Data Protection Commission confirmed last Friday (15th May 2020) that they had submitted their first administrative sanction under GDPR for approval by the Circuit Court. This was covered over the weekend by the Sunday Times and the Irish Times.
The fine relates to three data breach instances in October 2019. It is one of a number of investigations the Office of the Data Protection Commission has had open in respect of Tusla. For a variety of reasons, I won’t dwell on the facts of the case but instead I’ll look at the significance.
Some online commentators have decried that the first fine was against a public body rather than one of the high-profile, complex international cases. To that, I simply point out that cases conclude when they conclude, and simple cases can often get a result faster. I would not see it as a negative that a local case is the first decision, rather a recognition that the DPC is the regulatory body for all data controllers in Ireland irrespective of who they are.
In terms of the quantum of the fine, it would be tempting to argue that higher fines might have been expected. However, a public body is subject to a maximum fine of €1 million in Ireland (it was going to be no fine, but legislators such as Senator Alice Mary Higgins recognised the folly of such an approach). Also, fines have to be meaningful, effective, and dissuasive. If a Regulator levies the maximum fine on the first case, it leaves very little wriggle room for later when an even worse case arises which requires a more severe sanction.
Also, in the first test of an enforcement power the DPC had to manage the risk of any appeal. The fact that this fine was at the maximum of the level for appeals in the Circuit Court suggests a deliberate choice to pitch the fine at a level that would make it effective and meaningful, but not at a level that might trigger a knee-jerk appeal to the High Court. A huge fine that doesn’t go anywhere other than the headlines of the papers is not one that is effective.
We need only look at the current ICO issues with their BA and Marriott enforcement to see how a swing and a miss is very possible in cases of these kinds. However, the ICO is not alone, and a number of the “early runners” in GDPR enforcement have become unstuck in recent months, with Austria apparently being one of the first. Belgium has also had their Supervisory Authority see an early decision overturned – there are others. The problem can be summarised as: procedural issues and poorly framed action. I think it’s about time we looked at the headline-grabbing fines of the last year or so and check how many of them have actually been effective (or in the case of the ICO, how many were actually fines).
So… the DPC had a pragmatic decision to make in terms of the fine levied. It had to be meaningful, effective, and dissuasive. At €25k per specific breach, this is certainly meaningful. In terms of its effectiveness, the real test of that will be how it encourages a change in behaviours in the organisation that has been fined. As for its potential to be dissuasive, much will depend on how data controllers respond to this benchmark threshold that has been set.
The benchmark has now been set for administrative sanctions for a weakness in management practices and procedures resulting in an unauthorised disclosure of personal data with a high risk to the fundamental rights and freedoms of the affected data subjects. We have a number. It’s no longer a vague concept.
The DPC has fined, as an opening position, 2.5% of the maximum penalty per individual data subject affected by the conduct complained of. It’s not a lot, but it can add up quickly. For Facebook or Google or any other non-public sector data controller that could be €50,000 per data subject, double the penalty levied on a Public Sector body. I’d put the opening threshold as being between €25,000 (the current fine) and €50,000 (2.5% of €20 million) depending on the severity of the issue and the other mitigating factors that the DPC might take into consideration.
This gives a very large degree of leeway for the DPC in any enforcement action to adjust up or down based on the severity of a case or the level of mitigation. So, it is measured. It is also still below the threshold for Circuit Court appeals for small cases – per individual affected. For larger cases, we will see this ramping up quickly if the DPC scales up fines in a linear way, which will bring things into the High Court quickly enough. And at that level, the DPC needs to be sure their procedures are solid to avoid a loss on a technicality.
That is also a benchmark quantum for litigation for data protection breaches in civil cases (and is broadly in line with recent out of court settlements in Ireland for data protection related cases). So… we have a proxy number for that too.
As for the significance of who was fined, yet again the Data Protection Commission has taken action against a Public Sector body. This has three key messages:
- The DPC is very definitely an independent actor
- Public bodies should not think they can invoke a collegiate bond of public servants when enforcement is called for.
- Her first scraps are against organisations who excel at the minutiae of public authority decision making… her procedures are being tempered against entities who are no strangers to the threat or the use of judicial review proceedings.
Things just got a little more real. Show me the money.