Derek Mooney writes: The European Data Protection Board (EDPB) has just published its latest guidelines for EU member state supervisory authorities on harmonising the methodology those authorities use when calculating the size of penalties for GDPR breaches. This latest set of guidelines, which sets out five specific steps, was adopted by the EDPB on 12 May, updates the 2016 guidelines, and is available to download HERE.
The EDPB is now inviting comments and observations on the new Guidelines and has set 27 June 2022 as the latest date for receipt of comments, which should be submitted via the online form provided. As we highlighted in our January 2022 Preview, 2021 was a record year for GDPR fines, with IBM's latest research showing that the average cost of a data breach in 2021 had risen from €3.4 million to €3.8 million.
From BEERG's viewpoint the issue is not just the calculation of these penalties, but the fairness of their imposition. Should there be administrative fines in every case where there is a data breach? Does every GDPR breach constitute an offence? Shouldn't an offence require deliberate or actual misconduct before fines are imposed, and shouldn't the authorities have to prove that misconduct?
This specific issue has been raised in several German district court rulings, which will probably find their way to the CJEU in the coming years. There they might add to the growing argument in favour of addressing the problem of GDPR "application overreach" identified by CJEU Advocate General Michal Bobek and many others.