Need for “Compliance Surcharge” to be factored into Data Processing Contracts

The fine of $1.2 billion imposed on Meta, which holds the Standard Contractual Clause agreement unacceptable (the US-EU agreement in the form of Privacy Shield having been rejected by the EUCJ) and insists that the US legal system has to be changed, is an attempt to use GDPR fines as an extortion tool against companies to teach a lesson to the US authorities.

Recently, during the Ukraine war, the US confiscated the properties of Russian businessmen under its “Sanction” mechanism, though the dispute was not between the US and Russian citizens. The US thought that hitting the citizens of a country through economic sanctions is a way of waging a “Proxy war”.

Now the EU is paying the US back in the same coin. It is periodically extorting money from Meta, Amazon and Google through GDPR fines. In some cases the supervisory authorities say that the legal basis of “Contract” is not acceptable even though GDPR says it is. In another case SCC is not acceptable though the EDPB says it is. It has become difficult for businesses to develop a compliance plan with certainty. (Though the undersigned has suggested some means of overcoming these issues to a reasonable extent.)

The Meta decision is also a reflection of the cartel of EU supervisory authorities forcing the Irish authorities to keep the fine at the higher level to show their power. The DPC, left to itself, might have imposed a lesser fine.

US companies like Meta need to decide whether this GDPR fine should be accepted and gulped down as an EU tax to live with, or whether to fight back against the unreasonable nature of the order.

Recently, the EU imposed certain export restrictions on India to punish India for its Russian policy. India hit back with counter sanctions by increasing the import duties on EU imports. Similarly, Meta, Google, Amazon and the other international non-EU entities should start charging a “GDPR surcharge” on their services and generate additional revenue to meet future fines. This will be a sort of “Insurance” against “GDPR administrative fines”.

Pricing of all products and services to the EU should be peppered with a “GDPR Risk Factor”. This could be around 10% of the revenue, so that some funds are built up for administrative fines.

Indian companies should also start collecting such a “Compliance Surcharge” for their services, particularly to EU customers. In future, the “Compliance Surcharge” should be considered part of the pricing strategy for any data-related business, and CFOs and DPOs need to work out what the surcharge should be for different data elements based on the country of origin.

Perhaps it is time for PDPCSI (Personal Data Protection Compliance Standard of India) to add this requirement in its Model Implementation Specifications.

It is suggested that Compliance Surcharge rates be developed for different countries’ data and the collections placed into a special reserve, as if it were a “Self Insurance Fund”.

Comments are welcome.


About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.