Following in the footsteps of the CNIL and the ICO, the Berlin DPA will impose a multimillion-euro fine for breach of the GDPR.

By Tim Wybitul, Joachim Grittmann, Ulrich Wuermeling, Wolf-Tassilo Böhm, and Isabelle Brams

The Berlin Data Protection Authority (Berlin DPA) recently announced that it will issue a multimillion-euro fine for breach of the EU’s General Data Protection Regulation (GDPR), a significant step change in its GDPR enforcement approach. The Berlin DPA’s most significant penalty to date includes two fines on a company totaling €200,000. In that case, as with the latest announcement, the Berlin DPA has not yet named the affected company. The announcement also continues a trend, started by the French Data Protection Authority (CNIL) and followed by the UK Information Commissioner’s Office (ICO), of data protection authorities beginning to show their teeth in GDPR enforcement.

In January 2019, the CNIL issued a €50 million fine against a large technology company, the first significant sanction under the GDPR (though the fine fell well short of the maximum potential penalty available in that case). About six months later, the ICO followed suit with two announcements in quick succession of plans to impose fines of about €110 million in one case and more than €200 million in another case, which Latham & Watkins discussed in a 12 July 2019 blog post.

Prior to the Berlin DPA’s latest move, the approach taken by German data protection authorities to GDPR enforcement had led many to assume that serious fines were unlikely to be imposed in the near future. The first fines imposed in Germany were comparatively low, amounting to only €20,000. The authority in that case, Baden-Wuerttemberg, took a relatively pragmatic approach. In a press release, it praised the company’s professional and cooperative strategy in the fine proceedings. (Latham advised the company in the fine proceedings.) Furthermore, it viewed favourably the company’s approach of openly disclosing errors in data protection and eliminating them quickly.

Be prepared, but don’t panic

Whilst German data protection authorities appear to have abandoned their initial reluctance to impose high fines under the GDPR, companies should not panic. As they do with many other legal and regulatory regimes, organisations can manage their exposure to data protection risk with effective compliance strategies. Latham’s GDPR Resource Center provides a comprehensive Compliance Checklist to guide organisations through preventive GDPR compliance, including the key actions organisations should take to implement GDPR into their operations and governance.

Under the GDPR, documenting and evidencing compliance is critical, and in any judicial or administrative proceedings, the presented evidence often determines success or failure. Effective implementation and documentation will put organisations in a strong position to defend against the increasingly robust attitude of data protection authorities to GDPR enforcement. In practice, this means, amongst other things, that data protection documentation should be designed in such a way that judges and authorities can easily understand it.

In addition to the risk of penalties imposed by data protection authorities, companies should also consider the risk of possible damages claims by impacted individuals. Lawyers and litigation platforms are already focusing on companies that are being fined.

Mount a strong defence in GDPR fine proceedings

In addition to creating preventive compliance programs, organisations should consider preparing a data protection defence strategy. This should include, amongst other things, producing a defence manual that clearly sets out procedures and responsibilities with regard to data protection proceedings. Typical points to cover in a defence manual include:

  • Task allocation: Who does what? Who is in control of the defence? Which internal resources are needed? Which external service providers are involved, e.g., specialised law firms, auditors, IT service providers?
  • In-house communication: Who needs to be informed, and how? How are urgent/emergency communications handled?
  • Public relations: Good public relations with regard to data privacy efforts can help companies avoid damage to reputation — a result that could have a direct impact on revenues. This is particularly true for actual (or suspected) data breaches or investigations by data protection authorities, and especially in a technology-focused environment.
  • Communication with the data protection authority: History shows that communication with data protection authorities is a decisive factor in the outcome of administrative or preliminary data protection proceedings. For this reason, companies mounting a specific GDPR defence should thoroughly prepare for and plan communication with the relevant authorities.
  • Preparing for searches: Data protection authorities have specific rights and powers under the GDPR for the purposes of investigations and enforcement. For example, Art. 31 GDPR requires companies to cooperate with data protection authorities. Companies should therefore prepare and/or adapt internal procedures relating to searches and information requests.

The topics mentioned above are by no means exhaustive, and specific response and defence steps may be required in certain contexts or industries. Listed companies, for example, should also consider ad hoc publication obligations under securities trading and other relevant laws.

Who will be fined next?

Data protection authorities across Europe — including the ICO, the CNIL, and German authorities — are conducting ongoing investigations into potentially significant GDPR breaches. The Irish Data Protection Authority, which is investigating a number of major multinational technology companies, is one to watch in particular. The outcome of these investigations will play a significant role in shaping the GDPR enforcement landscape.