The latest GDPR guidelines from the Article 29 Working Party
cover the application and setting of administrative fines for the purposes of
the Regulation 2016/679 (WP 253); it can be downloaded using the link below or via http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 (see under Letters, Opinions and other documents). The document makes it clear
that it aims for consistent enforcement of the GDPR, which ‘is central to a
harmonized data protection regime’. Administrative fines are described as
central to enforcement and ‘a powerful part of the enforcement toolbox of the
supervisory authorities’. The guidelines are expressed as being adopted by the
European Data Protection Board (Ed: not sure when that met) though there are
later references to the EDPB’s role ‘when competent’.
The guidelines are not exhaustive and do not aim to provide
explanations about the differences between administrative, civil or criminal
law systems when imposing administrative sanctions in general. The guidelines
are to be used as a common approach. On a first reading, it seems safe to say
that the various factors identified in the guidelines as being relevant to the
amount of fine are not likely to surprise anyone familiar with past practice.
The Article 29 Working Party has also issued Opinion 03/2017
on Processing personal data in the context of Cooperative Intelligent Transport
Systems (C-ITS) (WP 252); it can be downloaded using the link below or via http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083
(see under Letters, Opinions and other documents). C-ITS is a peer-to-peer
solution for the exchange of data between vehicles and other road
infrastructural facilities (traffic signs or other transmitting/receiving base
stations) without the intervention of a network operator; it is much more
interesting than it sounds, at least for those interested in data protection or
tech transport issues.
A clue to the areas of interest is found in the fact that
the Article 29 Working Party encourages ‘a timely dialogue between the relevant
stakeholders on the data protection implications of these evolutionary
scenarios, by also considering the difficult ethical questions raised by such a
new, in-depth intervention in traditionally human-managed actions’.
