
General Data Protection Regulation – The Fines, and the Gaps in Calculating Them for Parent Companies and Their Subsidiaries

Posted by Ritesh Thosani 05 August 2019

It’s been more than a year since the European Union’s General Data Protection Regulation (GDPR) came into effect on 25 May, 2018. The implementation of the GDPR signaled the start of more stringent privacy oversight and enforcement.

The diversity and scope of enforcement options, and the intersection of data privacy regulation with rapidly advancing technology, are likely to pose challenges for regulators and for businesses.

Some ambiguity remains regarding the interpretation and implementation of some of the GDPR’s provisions. And there are significant gaps in terms of the regulation’s enforcement.

Fines under the GDPR fall into both of these categories, and they are the area of most concern for organizations, insurers, legal observers and regulatory authorities alike. The key issue is the interpretation of the provisions and their real-world applicability.

In the first year of the implementation of the GDPR, regulators brought more than 200,000 cases in 31 countries and issued nearly €56 million in fines. The diversity of monetary fines and enforcement actions is striking and demonstrates the GDPR’s broad scope. Further, thousands of GDPR actions are currently pending.

The fines and the gaps

Article 83 of the GDPR provides for administrative fines against organizations that breach their GDPR obligations. The fines are tiered: for some infringements, up to €10 million or 2% of the "total worldwide annual turnover" of the preceding financial year, whichever is higher; for others, up to €20 million or 4% of that turnover, again whichever is higher.

Key questions we are seeking to answer include:

If a subsidiary company infringes its GDPR obligations, is the turnover of the parent company taken into consideration when determining total annual turnover?

How is the quantum of the fine decided for a multinational company with subsidiaries spread across many jurisdictions?

For example, consider an Indian multinational company with no processing in the European Economic Area and which processes no personal data relating to individuals in the EU (i.e. effectively out of scope of the GDPR). Now consider a UK-based subsidiary of the same Indian organization which falls foul of the GDPR, and it is determined that it will face an administrative fine. Will the consolidated turnover of the India-based parent company be factored in when calculating the penalty to be imposed?

In a word, YES.

The Article 29 Working Party (WP29), the predecessor of the European Data Protection Board, laid down guidelines[1] on the application and setting of administrative fines. According to WP29, "the concept of an undertaking is understood to mean an economic unit, which may be formed by the parent company and all involved subsidiaries."

This implies that the parent company's turnover would be included in the computation of global turnover if one of its remotest subsidiaries runs foul of the GDPR, as would the turnover of the parent company's other subsidiaries.

But what if the parent company has no say in the day-to-day operations of its subsidiary and is unable to make important decisions on behalf of the subsidiary?

The GDPR is silent on this.

Where the GDPR is silent on an issue, the regulatory bodies rely on European competition law to bridge the gap.

By studying the related concepts under European competition law, it can be postulated how the GDPR will be enforced[2]. The parent company could raise a European competition law defense and distance itself on the grounds that it did not exert "decisive influence" over the subsidiary. (Under European competition law, the regulatory authorities attribute liability to a parent company for anti-competitive activity by a subsidiary if they can demonstrate that the parent company exercised "decisive influence" over the infringing subsidiary.)

But currently there are no cases explicitly answering this question. The regulatory authorities have been dealing with GDPR infringements on a case-by-case basis. And until the recent Google case, in which the French data regulator CNIL imposed a €50m fine, the authorities had been reluctant to hand out steep fines. While €50m is a lot of money, it is still a mere fraction of the internet giant's annual global turnover.

If European competition law principles are applied, it may be possible for a parent company to avoid having its turnover included in the computation of global turnover under the GDPR fining provisions. A lot hinges on how the term "undertaking" is defined for the purposes of the GDPR. Reaching that definition requires referring to European competition law and to the treaty provisions it rests on, as interpreted by the Court of Justice of the European Union (CJEU), which in turn relies on the doctrine known as the Single Economic Entity and the inter-related concept of the "exercise of decisive influence". The basic concept is that "when a company exercises decisive influence over another company they form a single economic entity and, hence, are part of the same undertaking."

But where does that leave us? "Decisive influence" depicts a test of control of the parent company over a subsidiary. The "exercise of decisive influence" by one entity over another entity entails that the latter entity does not enjoy real autonomy in determining its commercial policy on the market.

The EU General Court recently held that where a parent company is able to exercise all of the voting rights, particularly when it holds a large majority of the subsidiary's share capital, that parent is in the position of the parent of a wholly owned subsidiary, and there is a legal presumption that it is able to determine the economic and commercial strategy of the subsidiary[3].

There is no exhaustive list of the factors which determine the independence of a subsidiary's conduct. Instead, all of the relevant factors relating to the "economic, organizational and legal links" between a parent and the subsidiary must be taken into account[4]. However, the European Commission has identified some factors signifying the exercise of decisive influence. They are:

  • The power to appoint members of the subsidiary's board of directors.
  • The power to call shareholders' meetings or to revoke directors.
  • The level of representation of the parent company on the subsidiary's board and its management powers.
  • The role of the parent company on the committees established by the subsidiary.
  • Measures taken to ensure decisive control over the subsidiary after an IPO of the subsidiary's shares.
  • Directors of the parent company receiving regular updates from the subsidiary.

The upshot, however, is that while all of this is useful guidance, it is largely untested in the GDPR context.

What does all this mean?

The potential fines under the GDPR's fining provisions present huge implications for companies all over the world. Companies should deliberate upon their corporate structure, and be prepared for an adverse situation where the entire turnover is considered in the calculation of any fine for GDPR infringements.

In the absence of any clarity on this point from the GDPR guidelines or relevant case law, risk-averse organizations should work towards tying up their loose ends and minimizing their exposure. The GDPR is still in its nascent stage, and the regulatory authorities have been adjudicating infringements on a case-by-case basis. 2019 is expected to be the year in which regulators come down heavily on infringements. As regulators take more stringent action and work through the plethora of complaints which have not yet been adjudicated, a clearer perspective on the provisions of the GDPR will emerge.

[1] Article 29 Working Party, Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679.
[2] Oliver Yaros, Warsha Kalé, Ryota Nishikawa and James Harrison (Mayer Brown), GDPR Fines – Lessons from Competition Law.
[3] Judgment of 12 July 2018 in The Goldman Sachs Group, Inc. v Commission, T-419/14, EU:T:2018:445 (now on appeal to the Court of Justice, C-595/18 P).
[4] Judgment of 14 September 2016 in Ori Martin and SLM v Commission, C-490/15 P, EU:C:2016:678; and The Goldman Sachs Group, Inc. v Commission.
