Comments on GDPR Enforcement EDPB Decision 01/020
11 Pages. Posted: 9 Mar 2021. Last revised: 24 Mar 2021
Date Written: January 10, 2021
The European Data Protection Board issued its first Binding Decision on 9 November 2020 in a case in which the Irish Data Commissioner (DPA) was lead enforcement authority. In the judgment of the Irish DPA, a fine of up to EUR 275,000 was appropriate, taking into account all relevant circumstances, including aggravating and mitigating factors. Several other national DPAs raised objections, including the German DPA, which thought that a fine of up to EUR 22 million was relevant, on the basis that it should be 'dissuasive' and therefore 'must be high enough to make data processing uneconomic and objectively inefficient'. Under the GDPR, the EDPB considered all objections, and rejected a surprising number as not satisfying the 'relevant and reasoned' standard. The EDPB issued a binding decision that a sanction must be 'deterrent' and required the Irish DPA to revise its fine. The Irish DPA issued a fine of EUR 450,000.
This paper highlights the major rift in theory and practice between different approaches to the effects, if any, of financial sanctions. The case raises fundamental issues over the consistency and coherence of EU enforcement policy, and the level of confidence that may be placed in it. It identifies a conflict between traditional concepts of deterrence, effective, proportionate and dissuasive sanctions, and outcome-focused achievement of compliance. It also raises an underlying conflict between pure economic theory on the effectiveness of penalties and the relevance of the findings of behavioral science on how to affect future behavior.
Keywords: GDPR Enforcement, Sanctions, Penalties, Deterrence, Behavior
JEL Classification: K2, K42, G38