Brussels, 16 May – The EDPB adopted new Guidelines on the calculation of administrative fines, harmonising the methodology data protection authorities (DPAs) use. The guidelines also include harmonised ‘starting points’ for the calculation of a fine. Hereby, three elements are considered: the categorisation of infringements by nature, the seriousness of the infringement and the turnover of a business.
EDPB Chair, Andrea Jelinek said: “From now on, DPAs across the EEA will follow the same methodology to calculate fines. This will boost further harmonisation and transparency of the fining practice of DPAs. The individual circumstances of a case must always be a determining factor and DPAs have an important role in ensuring that each fine is effective, proportionate and dissuasive.”
The guidelines set out a 5-step calculation methodology. First, DPAs have to establish whether the case at stake concerns one or more instances of sanctionable conduct and if they have led to one or multiple infringements. The purpose is to clarify if all the infringements or only some of them can be fined.
Second, DPAs have to rely on a starting point for the calculation of the fine for which the EDPB provides a harmonised method.
Third, DPAs have to consider aggravating or mitigating factors that can increase or decrease the amount of the fine, for which the EDPB provides a consistent interpretation.
The fourth step is to determine the legal maximums of fines as set out in Art. 83 (4)-(6) GDPR and to ensure that these amounts are not exceeded.
In the fifth and last step, DPAs need to analyse whether the calculated final amount meets the requirements of effectiveness, dissuasiveness and proportionality or whether further adjustments to the amount are necessary.
The guidelines are an important addition to the framework the EDPB is building for more efficient cooperation among DPAs on cross-border cases, a strategic priority for the EDPB.
The guidelines will be submitted for public consultation for a period of 6 weeks. Following public consultation, a final version of the guidelines will be adopted, taking into account stakeholder feedback, and will include a reference table with a range of starting points for the calculation of a fine, correlating the seriousness of an infringement with the turnover of an undertaking.
The EDPB also adopted Guidelines on the use of facial recognition technology in the area of law enforcement. The guidelines provide guidance to EU and national law makers, as well as to law enforcement authorities, on implementing and using facial recognition technology systems.
EDPB Chair Andrea Jelinek said: “While modern technologies offer benefits to law enforcement, such as the swift identification of suspects of serious crimes, they have to satisfy the requirements of necessity and proportionality. Facial recognition technology is intrinsically linked to processing personal data, including biometric data, and poses serious risks to individual rights and freedoms.”
The EDPB stresses that facial recognition tools should only be used in strict compliance with the Law Enforcement Directive (LED). Moreover, such tools should only be used if necessary and proportionate, as laid down in the Charter of Fundamental Rights.
In the guidelines, the EDPB repeats its call for a ban on the use of facial recognition technology in certain cases, as it had requested in the EDPB-EDPS joint opinion on the proposal for an Artificial Intelligence Act. More specifically, the EDPB considers there should be a ban on:
remote biometric identification of individuals in publicly accessible spaces;
facial recognition systems categorising individuals based on their biometrics into clusters according to ethnicity, gender, as well as political or sexual orientation or other grounds for discrimination;
facial recognition or similar technologies to infer emotions of a natural person;
processing of personal data in a law enforcement context that would rely on a database populated by collection of personal data on a mass-scale and in an indiscriminate way, e.g. by “scraping” photographs and facial pictures accessible online.
The guidelines will be subject to public consultation for a period of 6 weeks.