Plain Spoken GDPR – Chapter 8 or The fines are coming!

Chapter 8 – Remedies, Liability and Penalties

We’ve finally broached the chapter that has spawned the creation of every annoying little upstart company promising we can avoid fines in the millions if we only hire them to consult.

Articles 77 through 84 are all geared towards defining how the supervisory authority is going to use a stick to enforce this regulation. I guess the entire regulation implies that the carrot is individual digital privacy. In a world where governments have data on every individual and large-scale corporations have accurate data about people who have never interacted with their services, it might appear this regulation is too late.

Article 77 – Right to Lodge a Complaint with a Supervisory Authority

2 paragraphs. Every individual has the right to lodge a complaint about the use of their data. I agree, you can’t make a regulation about individuals’ data privacy without allowing each of them the ability to remedy breaches.

Article 78 – Right to an Effective Judicial Remedy against a Supervisory Authority

4 paragraphs. I studied history in the past, so this chapter, which states that every individual can take action against the supervisory authority and its decisions, is very different to the old days, when you would expect a decision of a supervisory authority to be final. Good on us for growing.

Article 79 – Right to an Effective Judicial Remedy against a Controller or Processor

2 paragraphs. Seems a bit odd, but it looks like individuals, whether or not they have gone to the supervisory authority, can just up and sue Controllers or Processors if they feel their GDPR rights have been violated. I wonder how this is going to play out.

Article 80 – Representation of Data Subjects

2 paragraphs. It looks like individuals are going to get the right to use a third party to lodge complaints. Oh wait, I get it. This is the specific article that sets up companies that will be spamming radio and TV with commercials about GDPR compensation.

Article 81 – Suspension of Proceedings

3 paragraphs. I think I would be better served if I were a solicitor for this article, but it looks like when an entity is being sued for the same thing all over the place, the jurisdictions can get together and suspend their proceedings in favour of one single action. Sounds sensible: as people are going to sue Facebook and Google all over the place, it is better to have one big action than a whole bunch of little ones that might result in multiple degrees of decisions.

Article 82 – Right to Compensation and Liability

6 paragraphs. If you as an individual have suffered material or non-material damage, you can sue the pants off anyone you see fit. This concept is enshrined in the regulation by this article. But there is a neat little side idea: if you are suing more than one controller or processor, they all become liable for the entire fine. So if one company out of 4 responsible pays the entire fine, it can go after the other three for their 25% responsibilities in the penalty. This seems messy, but probably necessary to ensure that individuals get their compensation.

Article 83 – General Conditions for Imposing Administrative Fines

9 paragraphs. While the sections on individuals suing are relatively short, administrative fines (those that will really make the supervisory authority, in our case the ICO, wealthy) have a bunch of details. Go figure.

So there are two levels of fines, which I hadn’t heard about yet. The people out scaremongering neglected to mention that different infringements fall into different categories of fine. I’m pretty sure they felt OK saying something like ‘up to’ to cover their bases.

Paragraph 5 has the infamous 20,000,000 EUR fine or 4% of the total worldwide turnover, whichever is higher. Seems steep, but how often would this be resorted to? The current Data Protection Act of 1998 allows for fines up to £500,000, and they have yet to issue the maximum penalty for any offence. They only recently started issuing fines in the £350,000 to £400,000 range, and these went to businesses that they had been warning continuously and that were making nuisance calls in the millions. And not just one or two million, like 46 million or 99 million.

Right behind these big figures is a neat little note saying that a member state can actually set limits on how high the fines imposed on public bodies can be. So until we see how the state is going to implement GDPR in the UK.

Article 84 – Penalties

2 paragraphs. Beyond the monetary penalties listed above, the member state gets to set other penalties for breaches of this regulation. I’m waiting for the first company that has to be tarred and feathered.

Penalties, huh? Well, they have created the conditions for some government departments to become very wealthy as well as hitting industry hard. However, history doesn’t stand up to how hard we are going to hit industry. I’m sure there is a balance to strike that doesn’t need to strangle industry while moving forward the key elements of individual data privacy.

