DATA PROTECTION IN MAY 2023
By Mugurel Olariu, RPD protectie date
The European Data Protection Board (EDPB) held its 80th plenary session on 24/25 May 2023. Several documents were adopted, among which we mention:
● Guide no. 4/2022 regarding the calculation of administrative fines, final form (after public consultation);
● Guide no. 3/2021 regarding the application of art. 65 para. (1) lit. a) of GDPR, final form (after public consultation).
We specify some aspects related to Guide 4/2022, as follows:
The European Data Protection Board (EDPB) adopted these guidelines to harmonize the methodology used by supervisory authorities to calculate the amount of the fine. These guidelines complement the previously adopted Guidelines on the application and determination of administrative fines for the purposes of Regulation 2016/679 (WP253), which focus on the circumstances in which a fine should be imposed.
The calculation of the amount of the fine is at the discretion of the supervisory authority, subject to the rules set out in the GDPR. In this context, the GDPR requires that the amount of the fine be effective, proportionate and dissuasive in each individual case (Article 83 paragraph (1) GDPR). Moreover, when setting the amount of the fine, the supervisory authorities duly take into account a list of circumstances that refer to characteristics of the infringement (its gravity) or of the character of the perpetrator (Article 83 paragraph (2) GDPR). Finally, the amount of the fine cannot exceed the maximum amounts provided for in Article 83 paragraphs (4), (5) and (6) GDPR. The quantification of the amount of the fine is therefore based on a specific assessment carried out in each case, within the parameters provided by the GDPR.
Taking into account the above, the EDPB has developed Version 2.0 of the five-step methodology for calculating administrative fines for breaches of the GDPR.
During all the steps to follow, it must be borne in mind that the calculation of a fine is not a simple mathematical exercise. Rather, the circumstances of the specific case are the determining factors leading to the final amount, which can be – in all cases – any amount up to and including the legal maximum.
These guidelines and their methodology will remain under constant review by the EDPB.
On May 25, elections were held for the positions of president and vice-president of the European Data Protection Board.
The EDPB has elected Anu Talus as the new Chair of the European Data Protection Board (EDPB) to replace outgoing Chair Andrea Jelinek. She was elected with 19 votes out of 27, in two rounds.
Anu Talus is the head of the Finnish Data Protection Authority (DPA), a function she will as of today combine with the role of EDPB Chair.
EDPB Chair, Anu Talus said: “I am honoured and grateful to be elected EDPB Chair and I see it as a token of appreciation by my fellow heads of DPA. As a closely integrated network of DPAs, the EDPB has the important task of ensuring that 450 million Europeans enjoy the same level of data protection, regardless of where they live.”
“Part of the newly adopted EU digital legislation overlaps with the GDPR. Going forward, it is crucial to ensure that the legal framework related to the data protection is coherent, that the competences of the EDPB are safeguarded and that fragmentation is avoided. Grey areas are in no one’s favour, not the individuals whose personal data we protect, nor economic operators who need legal certainty.”
Outgoing Chair, Andrea Jelinek said: “The new EDPB Chair has exciting challenges ahead and Anu has solid foundations to build upon. In the past five years, the GDPR has become a global landmark as the world’s most comprehensive data protection law. I am confident that the EDPB, this unique body with great responsibilities and a far-reaching impact, will benefit greatly from the expertise of Anu.”
The EDPB also elected Irene Loizidou Nikolaidou (CY DPA) as new Deputy Chair to replace outgoing Deputy Chair Ventsislav Karadjov.
1.2 billion euro fine for Facebook as a result of the EDPB binding decision
Following the EDPB’s binding dispute resolution decision of 13 April 2023, Meta Platforms Ireland Limited (Meta IE) was issued a 1.2 billion euro fine following an inquiry into its Facebook service, by the Irish Data Protection Authority (IE DPA). This fine, which is the largest GDPR fine ever, was imposed for Meta’s transfers of personal data to the U.S. on the basis of standard contractual clauses (SCCs) since 16 July 2020. Furthermore, Meta has been ordered to bring its data transfers into compliance with the GDPR.
Andrea Jelinek, EDPB Chair, said: “The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences.”