The European General Data Protection Regulation (GDPR) will come into force on May 25, 2018. It will increase existing obligations for businesses, as well as introduce a number of new obligations, such as recordkeeping obligations and mandatory privacy impact assessments. But aside from the substantive obligations, the GDPR also significantly steps up the enforcement powers of the EU’s national data protection authorities (DPAs), empowering DPAs to impose fines of up to EUR 20 million or 4% of worldwide turnover (revenue), whichever is higher.
The new sanctions framework, which introduces the possibility of imposing fines relative to a company’s revenue, is unprecedented in the context of data privacy enforcement and therefore comes with legal uncertainties. Will the revenue of an undertaking relate only to a single legal entity, or can it also include a group of companies? What will be the relevant turnover considered when calculating fines? What is the starting point of the calculation, and how is the cap on the maximum amount determined? These concepts have until now been foreign to European privacy laws, and there is no guidance or precedent that can assist with their interpretation.
Read our article in Bloomberg BNA.