Multi-Billion Euro Fines for Data Protection Violations Under the New GDPR—Really?

Bloomberg BNA

09 Oct 2017
Reprinted with permission.

The European General Data Protection Regulation (GDPR) will come into force on May 25, 2018. It will increase existing obligations for businesses, as well as introduce a number of new obligations, such as recordkeeping obligations and mandatory privacy impact assessments. But aside from the substantive obligations, the GDPR also significantly steps up the enforcement powers of the EU’s national data protection authorities (DPAs), empowering DPAs to impose fines of up to EUR 20 million or 4% of worldwide turnover (revenue), whichever is higher.

The new sanctions framework, which introduces the possibility of imposing fines relative to a company’s revenue, is unprecedented in the context of data privacy enforcement and therefore comes with legal uncertainties. Will revenue from an undertaking only relate to a single legal entity or can it also include a group of companies? What will be the relevant turnover considered for calculation of fines? When is the starting point of the calculation or the cap for maximum amounts? These concepts have until now been foreign to European privacy laws, and there is no guidance or precedent that can assist with their interpretation.

Read our article in Bloomberg BNA.


