GDPR Fines – Lessons From Competition Law

Although the EU General Data Protection Regulation (the "GDPR")1 entered into force on 25 May 2018, and the obligations under the GDPR have since taken effect, there remain significant uncertainties as regards enforcement. In particular, the application of the GDPR's fining provisions - arguably the key concern for companies commercially - raises several issues, both in terms of the interpretation of the relevant GDPR provisions, and their operation in practice.

This article seeks to shed some light on the potential reach of the GDPR fining provisions within corporate group structures and other commercial arrangements by exploring relevant EU competition law principles and policy considerations. By understanding how related concepts under EU competition law have been interpreted and applied in practice, it is possible to postulate how these may be deployed within the GDPR context.

Fines under the GDPR

Article 83 GDPR provides the legal basis for the imposition of fines for breaches of the GDPR. Companies may be fined up to €10 or €20 million or, in the case of an "undertaking", up to 2 per cent. or 4 per cent. of the "total worldwide annual turnover" of the preceding financial year, in respect of certain breaches of obligations under the GDPR.2

The fining regime prior to the GDPR under Directive 95/46/EC was left to individual EU Member States to determine. In the United Kingdom, for example, the relevant data protection authority, the Information Commissioner's Office (the "ICO"), had issued statutory guidance under the Data Protection Act 1998 about the issuing of monetary penalties. The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribed that the amount of any penalty determined by the ICO must not exceed £500,000. Importantly, there was no reference to an "undertaking" or "total worldwide turnover" when calculating fines under the prior regime in the United Kingdom.

In contrast, the GDPR now clearly envisages that "undertakings" will be fined up to 2 per cent. or 4 per cent. (as the case may be, depending upon the nature of the GDPR breach) of "total worldwide annual turnover". Logically, therefore, the enforcement provisions of the GDPR give rise to two key questions:

What is an "undertaking" for GDPR purposes; and How to calculate "total worldwide turnover" under Article 83 GDPR. 1. What is an "undertaking" for GDPR purposes?

In terms of the first question, the GDPR does not seek to define an "undertaking" for enforcement purposes. Rather, Recital 150 GDPR expressly provides that EU competition law principles should be used to delineate the concept of an "undertaking", as follows:

"Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 [Treaty on the Functioning of the European Union ("TFEU")] for those purposes." 3

EU competition law as an aid to interpretation

Both Articles 101 and 102 TFEU expressly impose obligations on "undertakings": at a high level, Article 101 TFEU prohibits undertakings from entering into restrictive agreements/arrangements and Article 102 TFEU prohibits an undertaking from abusing a dominant position. However, in order to determine what precisely constitutes an "undertaking" for these purposes, it is necessary to look beyond the provisions of the Treaty and consider the jurisprudence of the Court of Justice of the European Union (the General Court or the Court of Justice, as the case may be) (the "CJEU"), as well as the decisions of the European Commission (the "Commission").

Broadly, the CJEU has held that "an undertaking encompasses every entity engaged in an economic activity regardless of the legal status of the entity and the way in which it is financed."4 The offering of goods or services on a given market is an economic activity.5 EU competition law, therefore, adopts a functional approach to the determination of an "undertaking", recognising that companies may perform both economic and non-economic activities (the latter usually being the exercise of some public function) and such classification must therefore be performed for each activity separately.6

Further, the CJEU and the Commission have expanded the scope of what (or even who) may be considered an "undertaking" through the 'single economic entity' doctrine and the inter-related concept of 'exercise of decisive influence'. It is established law that "when a company exercises decisive influence over another company they form a single economic entity and, hence, are part of the same undertaking." (emphasis added)7 for competition law purposes. In other words, the concepts of "undertaking", "single economic entity" and...