Insurers call on EDPB to align draft guidelines on GDPR fines with IFRS

Insurance Europe has responded to a consultation conducted by the European Data Protection Board (EDPB) on its draft guidelines on the calculation of administrative fines under the General Data Protection Regulation (GDPR).

The aim of these guidelines is to create a harmonised basis from which the calculation of administrative fines in individual cases can be made by national supervisory authorities. While the draft guidelines provide more detail on the factors taken into account for the calculation, they do not make the level of fines more predictable.

Pursuant to Article 83(1) of the GDPR, the turnover of the undertaking is one relevant element to take into consideration when imposing an effective, dissuasive and proportionate fine.

According to the guidelines, however, for the purposes of calculating the turnover of an insurance company, the supervisory authority should also take into account insurance premiums.

This is not in line with the most recent accounting standards issued by the International Accounting Standards Board (IASB). For example, International Financial Reporting Standard (IFRS) 17 — Insurance Contracts, states that the information on insurance revenue (first line of the profit and loss statement) must not include amounts the insurer is obligated to pay the policyholder regardless of whether the insured event occurs (eg the so-called investment component).

These amounts that represent the investment of the policyholder (eg the savings component of an endowment life insurance) must be excluded from the revenues in the profit and loss account.

Through this explicit requirement, the IASB, in its role as a global standard setter in the field of international accounting, has ensured the comparability of financial reporting by insurers and companies from other sectors. Insurance Europe, therefore, encourages the EDPB to update its guidelines to take into account the international standards set out by the IASB.

Insurance Europe welcomes the possibility to comment on the European Data Protection Board’s (EDPB) draft guidelines on the calculation of administrative fines under the General Data Protection Regulation (GDPR).

The aim of these Guidelines is to create a harmonised basis from which the calculation of administrative fines in individual cases can be made by national supervisory authorities. The EDPB draft guidelines provide more detail on the factors taken into account for the calculation: however, they do not make the level of fines more predictable.

It is emphasised throughout the draft guidelines that the final amount of the fine depends on all the circumstances of the case. Fixed amounts can be established at the discretion of the supervisory authority, taking into account — inter alia — the social and economic circumstances of that particular member state, in relation to the seriousness of the infringement as construed by Article 83(2)(a), (b) and (g) GDPR.

While the objective of the guidelines is to provide a level of harmonisation, Insurance Europe wishes to stress the importance of taking into account the local social and economic factors as one of the key criteria for calculating a fine. This will ensure that the final amount of the calculated fine meets the requirements of effectiveness, dissuasiveness and proportionality, as required by Article 83(1) GDPR.

The EDPB guidelines also say that group turnover should be relevant for the calculation of the fine instead of an individual undertaking’s turnover only if the parent company exercises decisive influence over its subsidiary.

This principle is consistent with antitrust law and follows the general tradition of EU law on sanctions that has been already established by other EU legal acts. However, it may raise questions of definitions of undertaking and turnover.

Supervisory authorities must therefore ensure that the fine is proportionate both to the gravity of the infringement and to the size of the undertaking to which the infringing entity belongs (to take account of the corresponding turnover).

In accordance with competition law, the relevant product market and the relevant geographic market to which the infringement directly or indirectly relates should be used to determine the amount of a fine.

The concept of the relevant market is especially important with regard to insurance companies due to the obligatory separation of life and non-life insurance required by Articles 73 and 74 of the Solvency II Directive.

According to Article 73(4) of the Solvency II Directive, where a non-life insurance undertaking has financial, commercial or administrative links with a life insurance undertaking, the supervisory authorities shall ensure that the accounts of the undertakings concerned are not distorted by agreements between those undertakings or by an arrangement which could affect the apportionment of expenses and income.

Additionally, according to page 36 paragraph 138 of the Guidelines, the turnover within the meaning of Article 83 GDPR is to be understood in terms of the net turnover of Directive 2013/34/EU on the annual financial statements, consolidated financial statements and related reports of certain types of undertakings (Annexes V or VI to Article 13 (1) of Directive 2013/34/EU). For insurance companies, insurance premiums shall be included in the revenue (page 36 footnote 62).

Pursuant to Article 4 of Regulation (EC) No 1606/2002 (IAS Regulation) publicly traded companies, which are obliged to prepare consolidated financial statements, are required to do so in accordance with international accounting standards (IFRS).

In this context, it is especially important with regard to insurance companies that the International Accounting Standards Board (IASB) issued a new accounting standard, IFRS 17 — Insurance Contracts, in May 2017. The IASB published amendments to the standard in June 2020.

Commission Regulation (EU) 2021/2036 of 19 November 2021 adopted IFRS 17 and incorporated the standard into European law. The regulation determines that all publicly traded insurance companies shall apply IFRS 17 for their consolidated financial statements at the latest as from the commencement date of its first financial year starting on or after 1 January 2023.

by Yana Keller