Harmonisation of the methodology on the calculation of administrative fines at the EDPB level
The EDPB adopted the Guidelines on the calculation of administrative fines. Furthermore, the Board presented the Guidelines on the use of facial recognition technology in the area of law enforcement. Both documents, adopted on May 12th 2022, during the 65th plenary meeting, will now be submitted for public consultation.
The Guidelines on the calculation of administrative fines harmonise the methods used by DPAs.
The guidelines set out a 5-step calculation methodology. First, DPAs have to establish whether the case at stake concerns one or more instances of sanctionable conduct and if they have led to one or multiple infringements. The purpose is to clarify if all the infringements or only some of them can be fined.
Second, DPAs have to rely on a starting point for the calculation of the fine for which the EDPB provides a harmonised method.
Third, DPAs have to consider aggravating or mitigating factors that can increase or decrease the amount of the fine, for which the EDPB provides a consistent interpretation.
The fourth step is to determine the legal maximums of fines as set out in Art. 83 (4)-(6) GDPR and to ensure that these amounts are not exceeded.
In the fifth and last step, DPAs need to analyse whether the calculated final amount meets the requirements of effectiveness, dissuasiveness and proportionality or whether further adjustments to the amount are necessary.
The guidelines are an important addition to the framework the EDPB is building for more efficient cooperation among DPAs on cross-border cases, a strategic priority for the EDPB.
Following public consultation, a final version of the guidelines will be adopted, taking into account stakeholder feedback, and will include a reference table with a range of starting points for the calculation of a fine, correlating the seriousness of an infringement with the turnover of an undertaking.
The EDPB also adopted Guidelines on the use of facial recognition technology in the area of law enforcement. The guidelines provide guidance to EU and national law makers, as well as to law enforcement authorities, on implementing and using facial recognition technology systems.
The EDPB stresses that facial recognition tools should only be used in strict compliance with the Law Enforcement Directive (LED). Moreover, such tools should only be used if necessary and proportionate, as laid down in the Charter of Fundamental Rights.
In the guidelines, the EDPB repeats its call for a ban on the use of facial recognition technology in certain cases, as it had requested in the EDPB-EDPS joint opinion on the proposal for an Artificial Intelligence Act. More specifically, the EDPB considers there should be a ban on:
- remote biometric identification of individuals in publicly accessible spaces;
- facial recognition systems categorising individuals based on their biometrics into clusters according to ethnicity, gender, as well as political or sexual orientation or other grounds for discrimination;
- facial recognition or similar technologies to infer emotions of a natural person;
- processing of personal data in a law enforcement context that would rely on a database populated by collection of personal data on a mass-scale and in an indiscriminate way, e.g. by "scraping" photographs and facial pictures accessible online.
In connection with the 65th plenary meeting, a press statement has been published on the EDPB website.
The Agenda of the 65th EDPB plenary meeting