Is there a wide discrepancy of criteria among the different European Data Protection Authorities, regarding to the imposition of administrative fines?

Thus, in order to ensure consistency in the use of their coercive powers, it is necessary that the foreseen infringements are punished with equivalent sanctions; avoiding the proliferation of the so-called "data heavens". That is, countries where there is a lack of protection of personal data and where the violation of people's privacy may go unpunished.

However, at present, the harmonised imposition of sanctions within the European Union (EU) is an arduous task, since the GDPR does not provide for an exhaustive classification of administrative fines, establishing only a distinction between the least serious infringements and the most serious ones, which can amount to 20 million euros or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Given the high amounts that fines can reach, the GDPR empowers the supervisory authorities of the member States to act independently in each individual case, identifying the most appropriate corrective measures, (taking into account the principles of effectiveness, proportionality and dissuasion) and, where appropriate, applying and modulating administrative fines, based on the graduation criteria legally set out: the nature, gravity and duration of the infringement; the intentionality; the categories of data affected; any relevant previous infringements, among others.

This, bearing in mind those national data protection authorities should avoid choosing different corrective measures in similar cases.

With regard to the sanctions recently imposed by the supervisory authorities, in the case of Spain, the highest sanction in the last year has been imposed on a financial institution, amounting to 6 million euros, in January 2021. Nevertheless, a month earlier, the Spanish Data Protection Agency (AEPD) sanctioned another financial institution with 5 million euros.

The sectors that have suffered the most scrutiny when it comes to examining their compliance were: banking, with penalties of more than 11 million euros, followed by telephone companies with more than 2 million euros, and finally gas, electricity and water suppliers, internet service providers and video surveillance.

On the other hand, Spain is the country that processes most sanctions compared to other European countries (such as France and Germany, that have imposed few sanctions, but of considerable amounts). However, the penalties, in Spain, are less substantial. The AEPD is far from the sanctions, for example, of the french National Commission on Informatics and Liberty (CNIL), with penalties of more than 100 million euros or the Italian Supervisor, up to 28 million euros.

Finally, it will be the case law and practice experience gained by the supervisory authorities that will generate a more precise determination of the criteria for graduating and applying sanctions in a consistent manner. For, to paraphrase the European Data Protection Board, this is an evolving art.

In the light of the above, it would not be surprising if the different data protection authorities follow convergence guidelines in the future…