Saturday 20th October 2018

The EU proposes fining itself up to €500,000 ‘as a last resort’ if it contravenes new regulation ‘aligned’ to the GDPR

The European Data Protection Supervisor will be able to fine EU institutions 50,000 EUR per infringement and up to 500,000 EUR per year. Private organizations can be fined up to 20 million EUR or 4 percent of turnover (whichever is higher) under the GDPR.
by Jason Smith on 8th June 2018

The European Union proposes fining itself if its institutions contravene a new regulation that will “align” to the General Data Protection Regulation (GDPR), according to a briefing report on The European Parliament’s website.

If EU institutions contravene the new regulation (as proposed), the European Data Protection Supervisor (EDPS), an “independent supervisory authority,” will have the power to “impose administrative fines on Union institutions and bodies as a last resort and only where the institution failed to comply with an order…”

The EDPS will be able to impose fines of up to 50,000 EUR per infringement and up to a total of 500,000 EUR per year.

Under Article 83 of the GDPR, private organizations can be fined 20 million EUR or 4% of annual turnover (whichever is higher) for a data breach.

The EDPS also declared in a statement on the new proposal (PDF) from 2017 that “it is essential that the [new regulation] become fully applicable at the same time as the GDPR i.e. on 25 May 2018”, an objective which hasn’t been met.

The size of the fines that can be imposed by the EDPS will depend on a range of factors, including “the nature, gravity and duration of the infringement” and “any action taken by the Union institution or body to mitigate the damage suffered by data subjects.”

The Commission’s proposal also states, “the maximum yearly ceilings are inspired by amounts of fines applicable in some Member States.”

Under the new proposal, and as per the GDPR, the data subject will have the right to object to data processing, as well as the right to erasure (‘the right to be forgotten’), data portability and rectification.

However, the briefing also outlines that “restrictions to these rights…may be provided by a legal act or by the internal rules of Union institutions in matters relating to the operation of the institutions.”

Moreover, “Even in the absence of a legal act or internal rules, an EU institution may restrict these rights in relation to a specific processing operation.”

How the EU will handle internal contraventions of the GDPR has been a subject of debate since the GDPR came into force on 25th May.

The debate came to the fore after a recent analysis by Indivigital identified the EU’s website is serving third-party content and spreadsheets containing personal information on thousands of individuals from its website Europa.eu.

Following Indivigital’s analysis, Cedefop, one of the agencies identified in the analysis, began deleting third-party content hosted by Twitter from its website. Despite this, a recent survey by the EDPS stated EU institutions “show continuous and steady progress in implementing data protection rules…”

The regulation that will cover how EU institutions handle personal data was tabled by the European Commission in January 2017 and is set to come into force later this year. The new regulation will repeal the existing regulation (Regulation (EC) No 45/2001).

Article 98 of the GDPR, titled “Review of other Union legal acts on data protection,” also addresses the processing of personal data on individuals by EU institutions.

Under the existing regulation (45/2001), a failure to comply with data protection obligations may result in disciplinary action in line with the EU’s Staff Regulations.

The EU’s Court of Justice has also ruled on contraventions of the existing regulation on a few occasions, notably Egan and Hackett v Parliament in 2012 (which involved access to records relating to a pension dispute).

According to the briefing, under the new regulation the criteria for “lawful data processing” by EU institutions broadly mirror those of the GDPR (contrary to popular misconception, “consent” is only one of several lawful bases on which organizations can process data on an individual).

“Legitimate interest” as a basis for processing data is more restricted for public institutions. However, unlike the GDPR, the new regulation will provide more flexibility to process data for other “compatible purposes.”

According to a revision proposed by the Council of the European Union, the new regulation should only apply “to the processing of data wholly or partially by automated means by EU institutions”.

Moreover, it deems it should not apply to the “processing of ‘operational personal data’, such as data processed for criminal investigations by EU bodies like Europol and Eurojust.”

The EU Commission’s proposal also states that “Legal acts adopted on the basis of the Treaties or, in matters relating to the operation of the Union institutions and bodies, internal rules laid down by the latter may restrict the application of [Article] 34,” a provision that the EDPS has taken exception to.

Article 34 of the EU Commission’s proposal relates to the privacy of electronic communications and states, “Union institutions and bodies shall ensure the confidentiality of electronic communications, in particular by securing their electronic communication networks.”

In response to this provision, the EDPS states, “…Article 25 as proposed may not fulfil the requirements set out in the Charter and in the European Convention for Human Rights and Fundamental Freedoms (‘ECHR’).”

It also states that “it should be clarified that acts of Union law which could restrict rights set out in Article 25, should comply with the same requirements on specificity and transparency as those laid down in Article 23(2) GDPR.”