Putting a price on data protection infringement
Published in International Data Privacy Law (IDPL), Volume 12, Issue 1, February 2022, Pages 1–15
43 Pages. Posted: 23 Nov 2022
Date Written: November 22, 2022
• There is an assumption that the use of fines as an enforcement tool will have a deterrent effect and lead to compliance with the EU General Data Protection Regulation (‘GDPR’). This article gives a critical analysis of the fines in Article 83 of the GDPR, and of whether the introduction of elevated fines has led to the desired behavioural changes.
• The GDPR has no provisions that ensure harmonisation of the imposition and calculation of fines. This has already led to diverging practices by the Data Protection Authorities (‘DPAs’). Neither does the GDPR require transparency about imposed fines. Without transparency, the deterrent effect of fines can be questioned.
• Monetary sanctions may not always lead to better compliance and ultimately better data protection for individuals. The GDPR has other enforcement measures that may have a more immediate effect in adjusting undesired processing of personal data, such as a temporary or definitive ban on processing which may be more harmful for a data-driven controller than a fine.
• The fines may function as punishment and deterrence, but not as restoration. Individuals who are affected by an infringement do not benefit from the imposed fine. Although Article 82 of the GDPR gives any person suffering material or non-material damage resulting from an infringement a right to compensation, the right is more theoretical than practical.
• The article concludes that adjustments should be made to ensure transparency and harmonisation. Also, changes should be considered to ensure that individuals are duly compensated in the event of damage suffered as a result of data protection infringements.
Keywords: Administrative Fines, Behavioural Effect, Compensation, Deterrent Effect, Enforcement, General Data Protection Regulation