A recently leaked draft proposal reveals the position of the E.U. Council on the system of fines that will come into force under the proposed General Data Protection Regulation in the E.U. member states. The size of the fines that will hang over companies which, intentionally or negligently, violate Europe’s fundamental right to data protection explains practitioners’ growing interest in data protection compliance.
We already knew that European law makers favour a three-tiered system of fines, graded according to the nature, gravity and duration of the infringement and the level of damage suffered by data subjects. Briefly, the lowest tier covers delays and shortcomings in responding to data subject requests, the middle tier covers transparency obligations towards data subjects and data protection authorities (DPAs), and the highest tier covers various substantive infringements, such as processing data without a legal basis, failing to notify data breaches, or transferring data outside the E.U. without adequate safeguards.
Whereas the E.U. Parliament had set the highest fines at 5% of the business’s annual global turnover in its proposal, the draft document caps them at 2%. In mid-June, E.U. ministers are expected to endorse the whole text, allowing final negotiations between the Council and Parliament to start, in particular on the appropriate level of sanctions.
This leak resonates particularly in the context of recent decisions issued by French, Belgian and European authorities, which have grown increasingly unreceptive to the big players’ positions on data protection. After Google was put under fire in the well-known decision of the E.U. Court of Justice (CJEU, C-131/12), Facebook is now in the limelight.
Indeed, the recent cases against Google taught us how widely courts and authorities construe the territorial scope of data protection law. For instance, the E.U. subsidiary of a multinational whose activity is merely connected to that of the data controller is nonetheless bound by E.U. data protection rules. In France and Belgium, Facebook recently learned this lesson the hard way.
On May 13, 2015, the Belgian Commission for the protection of privacy issued a recommendation in which the Belgian DPA relies on the CJEU decision to prevent Facebook’s Irish subsidiary from circumventing data protection rules by hiding behind its U.S. head office, which lies outside the jurisdiction of E.U. authorities.
The Belgian DPA highlights the opacity of Facebook’s data processing, the complete lack of information provided to data subjects, and the sweeping powers Facebook claims over personal data for financial purposes.
As for France, the forum clause in Facebook’s general terms of use, which confers jurisdiction on Californian courts, was recently challenged before a Parisian court. The judges based their reasoning on consumer law provisions and declared the clause unenforceable, since it creates a serious imbalance between the rights and obligations of a consumer and those of a professional. This decision has the potential to become established case law.
With these recent events and the forthcoming adoption of the General Data Protection Regulation, we may expect vigorous enforcement of this fundamental right.
*Raphael Krowicki, an Associate in our Brussels office, co-wrote this post.