EDPB: new guidelines on calculation of fines and use of facial recognition technology

May 15, 2022

Guidelines on the calculation of administrative fines

The European Data Protection Board has adopted new Guidelines on the calculation of administrative fines, harmonising the methodology data protection authorities (DPAs) use. The guidelines also include harmonised “starting points” to calculate a fine. Three elements are considered: the categorisation of infringements by nature, the seriousness of the infringement and the turnover of a business.

The guidelines set out a calculation methodology which involves five steps:

  • DPAs must establish whether the case concerns one or more instances of sanctionable conduct and if they have led to one or multiple infringements. The purpose is to clarify if all the infringements or only some of them are subject to fines.
  • DPAs must rely on a starting point for the calculation of the fine for which the EDPB provides a harmonised method.
  • DPAs must consider aggravating or mitigating factors that can increase or decrease the amount of the fine, for which the EDPB provides a consistent interpretation.
  • The fourth step is to determine the legal maximums of fines as set out in Article 83 (4)-(6) GDPR and to ensure that these amounts are not exceeded.
  • Finally, DPAs need to analyse whether the calculated final amount meets the requirements of effectiveness, dissuasiveness and proportionality or whether further adjustments to the amount are necessary.

The guidelines are an important addition to the framework the EDPB is building for more efficient cooperation among DPAs on cross-border cases, which is a strategic priority for the EDPB.

The guidelines will open for consultation for a period of six weeks. Following public consultation, a final version of the guidelines will be adopted, taking into account stakeholder feedback, and will include a reference table with a range of starting points for the calculation of a fine, correlating the seriousness of an infringement with the turnover of an undertaking.

Guidelines on the use of facial recognition technology in the area of law enforcement

The EDPB also adopted Guidelines on the use of facial recognition technology in the area of law enforcement. The guidelines provide guidance to EU and national law makers, as well as to law enforcement authorities, on implementing and using facial recognition technology systems.

The EDPB stresses that facial recognition tools should only be used in strict compliance with the Law Enforcement Directive (LED). Moreover, such tools should only be used if necessary and proportionate, as set out in the Charter of Fundamental Rights.

In the guidelines, the EDPB repeats its call for a ban on the use of facial recognition technology in certain cases, as it had requested in the EDPB-EDPS joint opinion on the proposal for an Artificial Intelligence Act. More specifically, the EDPB considers there should be a ban on:

  • remote biometric identification of individuals in publicly accessible spaces;
  • facial recognition systems categorising individuals based on their biometrics into clusters according to ethnicity, gender, as well as political or sexual orientation or other grounds for discrimination;
  • facial recognition or similar technologies to infer emotions of a natural person;
  • processing of personal data in a law enforcement context that would rely on a database populated by collection of personal data on a mass-scale and in an indiscriminate way, for example by “scraping” photographs and facial pictures accessible online.

The guidelines will be open for consultation for a six weeks.