On 25 May 2018, Regulation 2016/679, the General Data Protection Regulation (GDPR), will come into effect across the European Union (including Malta). As has been widely reported, infringement of the GDPR may lead to fines as high as €20,000,000 or 4% of an entity's total worldwide annual turnover (whichever is higher). On 3rd October 2017, the Article 29 Working Party adopted guidelines on the application and setting of the said administrative fines under the GDPR. The guidelines are intended for use by supervisory authorities to ensure improved application and enforcement of the GDPR and to encourage its consistent interpretation and application. The GDPR outlines the powers of local supervisory authorities when addressing an infringement by a data controller or a data processor (the latter being directly answerable at law as of 25 May 2018). The new guidelines emphasise that, in the exercise of their powers, supervisory authorities (including Malta's Office of the Information and Data Protection Commissioner) must observe the following key principles:
- Infringement of the [GDPR] should lead to the imposition of "equivalent sanctions" (across all Member States);
- Like all corrective measures chosen by the supervisory authorities, administrative fines should be "effective, proportionate and dissuasive";
- The competent supervisory authority will make an assessment "in each individual case";
- A harmonised approach to administrative fines in the field of data protection requires active participation and information exchange among supervisory authorities.
With regard to the sanctions imposed, the guidelines stress that there should be a degree of consistency among Member States. Therefore, despite the fact that supervisory authorities remain completely independent from each other, there must still be a level of uniformity with regard to enforcement. Corrective measures must also be suitable to the nature, gravity and consequences of the breach in question, taking into account all the facts of the case. This guarantees that fines shall be objectively justifiable and not arbitrary. Furthermore, the guidelines highlight the requirement imposed by the GDPR itself that supervisory authorities are to evaluate each case on an individual basis when exercising their discretion in relation to the corrective measures to be imposed. Finally, the guidelines stipulate that supervisory authorities must cooperate with each other (through mechanisms such as information exchanges) and, where relevant, also with the European Commission.
The guidelines also expand on the assessment criteria (found in the GDPR) that supervisory authorities are expected to use when determining whether a fine should be imposed and, if so, the amount of such a fine. It should be noted that the said guidelines are not exhaustive and do not take into account the inherent differences between the civil, administrative and criminal law systems of the Member States.