GDPR, 4% of your global turnover, really?
By now, most businesses in the US have heard about the European Union beast called GDPR that will eat them up come May 25. Who hasn't heard yet of that huge fine of 4% of global turnover should your business fail to comply with the 99 articles of the GDPR? I am often asked by US clients and their lawyers about the actual risk of getting hit by the EU regulators, even with much smaller fines. I brought my EU privacy practice to the USA under the Foreign Legal Consultant (FLC) status so I could advise American lawyers and their clients about the GDPR mouse print, after over 20 years of EU privacy case law under the 1995 Directive by the European Court of Justice (ECJ), the Supreme Court of the European Union in matters of European Union law.
As the media is about to amplify the fear mongering in a couple of weeks, my phone is going to ring day and night to comfort scared CEOs and CFOs. Last time I checked, Facebook was fined the maximum of EUR 150,000 in France, under the near-defunct 1995 EU Privacy Directive and the applicable French privacy law. Not a big deal for the Menlo Park mogul, but enough to scare a small MarTech startup with less than $250K in seed money.
Fight back!
Are you ready for a big secret? Although it won't be a secret any more after I publish this article, I shall not lose my EU attorney license and California bar FLC registration over sharing it, because I am about to legally show you how a French-trained privacy lawyer would advise a client hit with a mega-fine by one or more EU data privacy watchdogs.
First, pick your victim: Facebook, Google, Microsoft (here and here and here or most likely there), Grindr (the guys who collected and shared HIV status and geo-location of their users), Tinder, etc. Let's say that the French CNIL and/or the Irish Data Protection Commissioner has sent a request letter on Friday, May 25 to your victim's CEO asking why no Data Protection Officer has been designated yet and for a copy of its Data Privacy Impact Assessments. The CEO calls his General Counsel who calls her outside counsel, who calls me. I let them know that chances are they are likely going to get hit by a fine and no, there is no deadline extension, no grace period, just blood.
To set a good example for other businesses in the US, say the Irish Commissioner fines your victim EUR 950,000, soon followed by another fine of 1.5% of its global turnover, say 895 million Euros, by the French CNIL. The Belgian watchdog joins the feast and ends up hitting your victim with a EUR 1 million penalty. Not long after, the other 25 EU regulators follow suit with fines ranging from EUR 600,000 (Romania's National Supervisory Authority for Personal Data Processing) to EUR 565 million (the Italian Garante per la protezione dei dati personali).
I hear you wondering how you can get fined by 28 authorities, and not just by one. Is that possible under the GDPR? You have not read anything like that in the hundreds of blogs and articles about the new EU privacy regulation over the last two years. Well, the GDPR makes this possible because once the lead Data Protection Authority (e.g. the Irish Data Protection Commissioner for Facebook Ireland) has concluded there was non-compliance and fined the culprit, all 27 other DPAs regain their autonomy and may prosecute as well in each member state for the same GDPR infringement and fine your victim on their own.
Hence, theoretically, you could get fined 28 times 4% of your global annual turnover, which would be over 100%. I hear you: the EU regulators would never gang up to fine a US company for a privacy breach, right? Wrong! That is precisely what happened to Uber last year, under the 1995 Directive and the E.U. member states' applicable national laws.
The Hague Convention
So, say Privacystudios.com (a fictional California company) got fined 895 million Euros by the French CNIL. What would a French privacy attorney do that his peers in the US don't know about? Do you really think he would tell his client to pay and move on? Hell, no! He would put up a fight against the French DPA's decision, since the DPA is just a government agency, like the FTC or the SEC in the United States.
To take advantage of the slow pace of the French justice system, Privacystudios.com's French counsel could first file with the CNIL a pre-trial request to review its decision to fine his client, "to remedy the illegalities that could taint its decision without calling for the intervention of the judge" (French Administrative Supreme Court or "Conseil d'Etat", November 18, 2005, Houlbreque, case number 270075, published in the Court's Recueil at page 513).
Within 2 months of receiving the request for review, the CNIL may confirm, modify or cancel the fines and/or other penalties. At the expiration of this 2-month period, counsel for Privacystudios.com would have another two months to file a complaint before the administrative court against the CNIL's decision not to change its original order. So, we are now four months past the initial decision by the French CNIL to claim 895 million Euros in fines from Privacystudios.com.
But Privacystudios.com could prefer to ignore the fines and simply fix its GDPR compliance issues at that time, following the CNIL's grievances and instructing its French attorney to wait for the CNIL to file suit. Quite odd, isn't it? Why would the CNIL file suit? Because California, like most other states, follows the Uniform Foreign Money-Judgments Recognition Act (UFM-JRA), which governs the enforcement of foreign judgments (assuming that the Hague Convention on the Recognition and Enforcement of Foreign Judgments in Civil and Commercial Matters applies to administrative court decisions at all, which may well be a stretch). Without a judgment by a French court against Privacystudios.com, the French regulator is toothless to enforce its GDPR fines.
In order to benefit from the UFM-JRA to collect GDPR fines in the U.S., any of the E.U.'s 28 privacy watchdogs would have to go to court and fight to establish the legitimacy of its decision and the amount of fines to be asserted. In 2001, the European Court of Human Rights (ECHR) rendered 889 judgments, with about half related to lengthy judicial procedures in the European Union. Italy got 320 convictions, followed by Portugal and Poland. France was condemned 18 times by the ECHR for violation of Article 6-1 of the European Convention on Human Rights, which gives every citizen the right to have his case heard "within a reasonable time" by a court. The CNIL would be facing 2 to 3 years of litigation before the administrative court, followed by another 2 to 3 years before the Administrative Court of Appeal, and another 3 years before the Administrative Supreme Court.
Over 15 years of litigation
It will take the CNIL between 7 and 9 years to get its original decision upheld before the French administrative jurisdictions. Throw in another 3 years or so after the French data privacy counsel has successfully asked the administrative judge to refer questions on the interpretation of the GDPR to the ECJ in Luxembourg. We are now at a total of between 10 and 12 years of litigation. By then, Privacystudios.com has been acquired in a mega-bucks deal or has simply gone belly-up.
But if it is still ticking in 2030, the CNIL would still have to enforce the final decision of the Administrative Supreme Court in order to collect the 895 million Euros in fines in California (provided the administrative judges sided with the French DPA, which is far from a sure thing).
Hence, the CNIL would seek recognition of the final French judgment before a trial court in the U.S., which would rely on the UFM-JRA's discretionary bases. There, a California federal jury may decide that the mere violation of the GDPR by Privacystudios.com was not sufficient to authorize the CNIL to collect close to a billion dollars with compounded interest.
Then, maybe the federal appellate court would disagree and hold that the GDPR violation was material enough to warrant a reduced fine of, say, 150 million dollars, since under U.S. privacy laws such an amount would already be considered quite substantial. That would likely take another 3 years. It is now the year 2033. Plus a possible appeal before the U.S. Supreme Court, just to see if we could gain more time...
Conclusion
So, are you still scared of these hefty GDPR fines, CEOs, CFOs and American attorneys out there? But you are not out of the woods yet. Because the real stick with GDPR is the negative publicity non-compliance carries (think Cambridge Analytica...). So, stop procrastinating and get your GDPR compliance in check now!
--
Hello dear Maître, I keep an excellent memory of you.
Trust Planning and Settlement Lawyer
Small and medium size businesses are starting to realize that (with rising and evolving security risks) the internet is for large companies . . . large companies and innocent consumers. And, large companies will need to devote substantially more and more resources to continually upgrade their cybersecurity tools to address predictable accelerating complexities.
Director, Privacy @ Zendesk | Data Protection & AI Governance | AIGP, CIPP/E/US/M, FIP, PLS
Thank you so much for laying out so much information about how the actual procedure would play out. There has been precious little published on the topic of actual enforcement and collection.