Section 155 DPA 2018 requires the ICO to consider whether issuing a penalty notice for an infringement and the amount of any fine is, in each case, effective, proportionate and dissuasive [4]. The Fining Guidance explains how the ICO approaches this assessment, first addressing effectiveness and dissuasiveness, before explaining how consideration is given to proportionality in this context.
Summary of responses
Some respondents suggested that the sector in which the organisation operates should be taken into account when assessing proportionality, because a fine could have a disproportionate impact on the organisation and the people it supports through its services and products. It was also suggested that the Fining Guidance should recognise the differences between a commercial controller and public authorities, because a penalty imposed on the latter would wrongly divert funding used for services carried out in the public interest.
One respondent noted the large degree of discretion afforded to the ICO to adjust the fine to ensure it was effective, proportionate and dissuasive, but was in support of this in order to ensure that the ICO takes the relevant circumstances of each case into account.
Comment was made that dissuasiveness could be a difficult criterion to meet in the case of large corporate entities, on the basis that revenues earned as a result of the infringement may be greater than the amount of the fine. Another respondent stated that it may be difficult to apply the guidance in a way that deters tech start-ups from infringing data protection law, particularly if they are able to plead financial hardship.
One respondent queried why the Fining Guidance adopted the approach of considering effectiveness and dissuasiveness before proportionality (when the language of the legislation is ‘effective, proportionate and dissuasive’), noting that no precedence is given to any particular factor in the EDPB’s fining guidance.
Several respondents commented on the approach to financial hardship. One respondent considered that the approach was too lenient given that infringements of data protection law can also lead to hardship for data subjects. Another respondent agreed that in some circumstances imposing a fine may be appropriate and necessary even if it renders a controller insolvent. Other respondents sought further information about the process for claiming financial hardship or asked how it would apply where a subsidiary claims financial hardship, but its parent is in a sound financial position.
ICO response
The ICO accepts that there will be different considerations relating to the decision to impose a fine, depending on the motives for the processing. The Fining Guidance already makes clear that, as part of the seriousness assessment, the ICO will have regard to whether a controller’s processing involves business activities, charitable or other non-profit motives, or is carried out by a public body. Further, it is inherent in any proportionality assessment that we will take into account all relevant factors relating to the controller or processor before deciding to impose a fine or deciding on the amount of any fine. However, our preference is for the Fining Guidance to otherwise be broadly neutral in relation to its general application to different types of controllers and processors, with the ICO retaining discretion to decide on its approach to regulatory interventions and enforcement, for example the approach we are trialling in relation to public sector enforcement.
The Fining Guidance purposefully provides a significant degree of discretion at the stage of considering whether imposing a fine (and the amount) is effective, proportionate and dissuasive. This is important because decisions on fines should be taken on a case-by-case basis, having regard to all relevant circumstances. While the ICO will seek to ensure there is broad consistency in the approach taken, the decision on the amount of an appropriate fine in each case is a matter of expert judgement. In that regard, the ICO considers it logical to consider proportionality as the final step – enabling the ICO to consider the appropriateness of the fine overall (taking into account any need for an increase to ensure that it is effective and dissuasive).
In relation to the concerns expressed about fines being effective and providing an adequate deterrent, particularly for controllers with low or no turnover, the ICO notes that the Fining Guidance is clear that the ICO may increase the overall fine at step five of the calculation to ensure both that the controller is sanctioned effectively and that others are deterred from committing the same infringement. In addition, the Fining Guidance is clear that there may be circumstances where a fine may be effective, dissuasive and proportionate even if the controller or processor is unable to pay and is rendered insolvent. As part of its work to recover fines, the ICO pursues formal recovery action, which can result in insolvency.
In relation to financial hardship, the ICO reiterates that – as set out in the Fining Guidance – reductions at this stage are expected only in exceptional circumstances. This is because the fine amount at the end of the calculation will be effective, proportionate and dissuasive. The ICO does not intend to add further detail to the section on financial hardship in the Fining Guidance about the process involved, but will consider providing more information about its procedure in due course in its planned data protection procedural guidance.
The ICO is generally unlikely to accept a request for a reduction based on financial hardship from a subsidiary that forms part of a wider undertaking if its parent company (or ultimate parent company) is financially sound. As explained in the Fining Guidance (at paragraph 31), as well as using the concept of the undertaking for determining the relevant maximum amount, the ICO may also hold a parent company jointly and severally liable for the payment of a fine imposed on a controller or processor over which the parent company has decisive influence.
[4] In relation to UK GDPR see section 155(2)(a) DPA 2018 and Article 83(1) UK GDPR; in relation to Part 3 and Part 4 DPA 2018 see section 155(3)(l) DPA 2018.