The EDPB publishes guidelines on the calculation of GDPR fines and on the use of facial recognition in law enforcement

17 May 2022

On May 12, 2022, the European Data Protection Board (EDPB) adopted two guidelines: one on the calculation of fines under the GDPR, the other on the use of facial recognition technologies by law enforcement and judicial authorities.

This page is a courtesy translation of the original article published on cnil.fr. In any case of inconsistency, please note that the French version shall prevail.

Alternatively, you can directly read the EDPB guidelines on administrative fines under the GDPR or the Guidelines on the use of facial recognition technology in the area of law enforcement.

Guidelines on the calculation of administrative fines under the GDPR 

At its 65th Plenary on 12 May 2022, the EDPB adopted guidelines aimed at harmonizing the methods of calculation of administrative fines adopted by national authorities. 

These guidelines complement the guidelines on the application and setting of administrative fines under the GDPR, which focused on the circumstances in which to impose such a fine. 

They establish harmonized "starting points" for the calculation of a fine and note that three elements should be taken into account: the categorization of infringements by nature, the seriousness of the infringement and the turnover of the company. 

The guidelines set out a five-step method of calculation: 

  1. First, data protection authorities must establish whether the case at hand involves one or more instances of sanctionable conduct and whether they led to one or more infringements. The objective is to clarify whether all or only some of the infringements can be sanctioned by a fine.
  2. Second, the authorities must have a starting point for the calculation of the fine, for which the EDPB provides a harmonized method. 
  3. Third, authorities must take into account aggravating or mitigating factors that may increase or decrease the amount of the fine, for which the EDPB provides a consistent interpretation. 
  4. The fourth step is to determine the legal caps on fines, as provided for in Article 83(4)-(6) GDPR, and ensure that these amounts are not exceeded. 
  5. In the fifth and final step, the authorities must analyze whether the final calculated amount meets the requirements of effectiveness, deterrence and proportionality or whether further adjustments to the amount are necessary.

These guidelines will be subject to a public consultation for a 6-week period. After the public consultation, a final version will be adopted, taking into account stakeholders' comments, and will include a reference table with a series of starting points for the calculation of a fine, correlating the seriousness of an infringement with a company's turnover.

Reference text

The EDPB guidelines (version open for public consultation until June 27th 2022)

Guidelines build on commitment to strengthen European cooperation

On 28 April, the EDPB adopted a declaration on European cooperation in which the EU authorities reiterated their commitment to closer and more collective cross-border cooperation by identifying several avenues for improvement, including:

  • The identification of cross-border cases of strategic importance, for which cooperation will be considered a priority. On the basis of criteria such as the number of people concerned in Europe or the persistence of structural or recurring problems, a dedicated action plan will be established at the European level to ensure effective and faster progress in the study of cases, within a collectively determined timeframe. 
  • Facilitating the use of cooperation tools allowed by the GDPR, and in particular joint investigations between authorities.
  • Intensifying the exchange of information, in a sustained and early manner, in order to encourage the rapid emergence of an informal consensus that could allow the progress of joint instructions.

Guidelines on the use of facial recognition technology in the area of law enforcement

The EDPB has also adopted guidelines presenting facial recognition technologies and the legal framework for their application in the field of prevention, investigation, prosecution of criminal offences and enforcement of sanctions. 

In these guidelines, the EDPB underlines that facial recognition tools should only be used in strict compliance with the “Law enforcement” Directive. Furthermore, these tools should only be used if they are necessary and proportionate, as provided for in the Charter of Fundamental Rights of the European Union. 

The EDPB reiterates its call for a ban on the use of facial recognition technology in certain cases, as requested in its joint opinion with the European Data Protection Supervisor (EDPS) on the proposed Regulation on artificial intelligence. More specifically, the EDPB considers that the following should be prohibited: 

  • remote biometric identification of individuals in publicly accessible spaces;
  • facial recognition systems that categorize individuals on the basis of their biometric data into groups regarding their ethnicity, gender, political or sexual orientation or other grounds of discrimination;
  • facial recognition or similar technologies that allow the inference of a natural person's emotions;
  • processing of personal data in a law enforcement context that would rely on a database populated by the collection of personal data on a large scale and in an indiscriminate manner, for example by collecting photographs and facial images that are accessible online.

These guidelines will be subject to a 6-week public consultation. They are also accompanied by three annexes:

  • Annex I helps to assess the risks of interference with fundamental rights in a given scope.
  • Annex II is intended to help law enforcement authorities acquire and manage a system of facial recognition technologies.
  • Annex III outlines potential scenarios and relevant aspects to be considered.