How are the laws governing privacy and data protection enforced? What is the range of fines and penalties for violation of these laws? Can PII owners appeal to the courts against orders of the regulators?
Data Protection & Cyber Security
Most violations of data protection laws give rise to administrative liability. Criminal sanctions are extremely rare in practice, although they cannot be excluded in the case of serious violations such as the intentional dissemination of PII.
The Russian Code of Administrative Offences dated December 30, 2001 No. 195-FZ sets out administrative fines of up to 75,000 rubles (approx. USD 1,150) per violation (the exact amount depends on the type of violation) and of up to 500,000 rubles (approx. USD 7,500) for violations relating to direct marketing and promotional contacts with individuals/data subjects.
In certain cases, where there are several violations of the same type (e.g. where the data controller processes the PII of several individuals without a lawful basis), the fine may be imposed separately for each violation.
Roskomnadzor is entitled to request the data controller to rectify a violation of the Personal Data Law. Failure to do so may entail an inspection by Roskomnadzor and, consequently, the imposition of an administrative fine.
Likewise, where the processing of PII on a website or in an app violates data protection laws, access to that website/app may be restricted from Russia upon the respective court decision. A widely known example is the LinkedIn case: LinkedIn was blocked in 2016 for failure to comply with the localization requirement and is still not available to Russian users.
The Russian Criminal Code provides for the criminal liability of individuals and company officers for the illegal dissemination of information protected by law, for the illegal collection and dissemination of information on an individual's private life constituting his/her personal or family secret without the individual's consent, and for violation of the privacy of correspondence and phone conversations. Criminal liability may take different forms, up to imprisonment. This type of liability rarely applies in practice.
Orders of regulators may be challenged by PII owners in courts.
Each year Roskomnadzor discloses the results of its inspections (in aggregated form, without referring to particular cases). The most frequent violations over recent years are: failure to register as a data controller in the state register maintained by Roskomnadzor; absence of data subjects' consents or non-compliance of consent forms with statutory requirements; improper data storage; and failure to destroy data in a timely manner.
The Data Protection Authority may apply the following administrative penalties in the event of a violation of the Data Protection Law:
- Fines between ARS 1,000 and 100,000;
- Business closure; or
- Cancellation of the file, record or database.
Data Protection Authority Rule No. 9/2015 lists offenses and violations and classifies them as minor, serious or very serious, with corresponding ranges of sanctions. For instance, failing to comply in time with a request by the Data Protection Authority to provide certain documents or information is a minor offense, while transferring personal data to a foreign country without complying with local regulations is a very serious offense.
In addition, Data Protection Authority Rule No. 71 E/2016 capped the fines applicable to the various infringements covered by the same administrative proceeding: within one proceeding, such fines may not exceed ARS 5,000,000.
Until the LGPD becomes effective, there is no specific authority in charge of data protection in Brazil. For the time being, law enforcement authorities such as the Public Prosecutor's Office, consumer protection authorities and sector-specific regulatory agencies enforce privacy and data protection violations. PII owners can appeal to the courts against orders of the regulators.
Over the last couple of years, the Special Unit for Data Protection and Artificial Intelligence has opened several cases against companies that suffered security incidents and data breaches.
The Internet Law states that, without prejudice to any other civil, criminal or administrative sanction, non-compliance with its data protection rules may result in the following sanctions, which may be applied individually or cumulatively:
- A warning, with a deadline for the adoption of corrective measures;
- A fine up to 10% of the gross income of the economic group in Brazil in the last fiscal year, taxes excluded;
- Temporary suspension of the activities involving the data processing operations referred to in the Internet Law;
- Prohibition to execute activities that entail processing of data.
The Brazilian Consumer Protection Code provides for a penalty of six months to one year of imprisonment, a fine, or both, for those who block or hinder a consumer's access to information about him/her contained in files, databases or records, or who know or should know that information relating to the consumer in any file, database, record or registration is incorrect and nevertheless fail to rectify it immediately. The same statute sets out administrative penalties imposed by the consumer protection authorities, including fines, intervention and counter-advertising.
The Bank Secrecy Law (Complementary Law 105/2001) establishes a penalty of one to four years of imprisonment and a fine for financial institutions (and similar entities) that breach the secrecy of the financial operations of, and the financial services provided to, their users.
The Brazilian Criminal Code (Decree-Law 2.848/1940), as amended by Law 12.737/2012, sets out a penalty of three months to one year of imprisonment and a fine for those who invade another person's computer device, whether or not connected to the internet, by improperly breaching a security mechanism, for the purpose of obtaining, tampering with or destroying data or information without the express or tacit authorization of the device owner, or of installing vulnerabilities to gain an illicit advantage.
The GDPR allows the data protection authority in Bulgaria, the CPDP, to impose administrative fines for violations of the GDPR, depending on which provisions have been breached, of up to:
- For infringements of the obligations of the controller/processor (set out in Articles 8, 11, 25-39, 42 and 43 of the GDPR): administrative fines of up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
- For infringements of the principles of processing, the data subjects' rights, the rules on transfers of personal data to a recipient in a third country, any obligations pursuant to Member State law relating to specific processing situations, and non-compliance with an order or a temporary or definitive limitation imposed by the supervisory authority: administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
For violations of certain specific rules of the PDPA (falling within the permitted derogations under the GDPR), the PDPA refers to the sanctions under the GDPR.
Data subjects can appeal to the courts only where they themselves initiate civil litigation (see Question 21 above). In the case of investigations by the FDPIC and subsequent decisions, the data subjects are no longer a party to the proceedings and cannot appeal.
Apart from civil law claims by data subjects, the FADP is generally enforced by the FDPIC. The FDPIC may investigate potential data privacy infringements on its own initiative or based on a complaint by data subjects or third parties. If the investigation finds that the FADP has been infringed, the FDPIC issues a recommendation, i.e. it informs the data controller concerned of the non-compliance and recommends measures for curing the breaches. If a recommendation is not complied with or is rejected, the FDPIC may refer the case to the Federal Administrative Court for a decision. Both the FDPIC and the data controller may appeal against the decision of the Federal Administrative Court.
There are a few situations in which non-compliance with the FADP is criminally sanctioned, i.e. enforced by the criminal authorities based on complaints by the data subjects or the FDPIC. Art. 34 FADP provides for criminal sanctions where the controller of the data file:
- breaches its obligations under art. 8-10 FADP (right of access / right to information) or art. 14 FADP (duty to inform when collecting sensitive personal data and personality profiles) by wilfully providing false or incomplete information; or
- wilfully fails (1) to inform the data subject in accordance with art. 14 para. 1 FADP, or (2) to provide the information required under art. 14 para. 2 FADP.
Private persons are further liable to a fine if they wilfully:
- fail to provide information in accordance with art. 6 para. 3 FADP (informing the FDPIC when using contractual safeguards or binding corporate rules for cross-border data transfers) or to declare files in accordance with art. 11a FADP, or wilfully provide false information when doing so; or
- provide the FDPIC with false information in the course of an investigation, or refuse to cooperate.
Finally, art. 35 FADP sanctions the breach of data secrecy. It reads as follows: "Anyone who without authorisation wilfully discloses confidential, sensitive personal data or personality profiles that have come to their knowledge in the course of their professional activities where such activities require the knowledge of such data is, on complaint, liable to a fine. The same penalties apply to anyone who without authorisation wilfully discloses confidential, sensitive personal data or personality profiles that have come to their knowledge in the course of their activities for a person bound by professional confidentiality or in the course of training with such a person. The unauthorised disclosure of confidential, sensitive personal data or personality profiles remains an offence after termination of such professional activities or training."
The fine mentioned above is up to CHF 10,000.
The GDPR establishes the general framework of penalties to be applied in case of infringements of data protection legislation. In Spain, the AEPD is the entity with powers of control, supervision, inspection and enforcement in relation to data protection obligations. Data subjects whose rights or privacy have been affected may submit claims to the AEPD, but they cannot obtain compensation for damages through it; to claim compensation, data subjects must sue the offending company in court.
As to the range of fines, the GDPR sets administrative fines for the infringements listed in article 83.4 GDPR of up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. The more serious infringements listed in article 83.5 GDPR are subject to administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. In each individual case, fines must be effective, proportionate and dissuasive.
In the Spanish administrative system, infringements are divided into three categories: very serious, serious and minor. The sanctioning regime established by the LOPD follows this distinction, although the amount of the fine is determined according to the GDPR criteria, depending on the particulars of each case.
The Data Privacy Act is enforced through the judicial system by means of a summary judicial procedure established by the Act, which applies where the person responsible for the personal data registry or database does not comply with the Act, fails to respond within two business days to a request for access, modification, deletion or blocking of personal data, or refuses such a request on grounds other than national security or the national interest.
Under Chilean law, actual damage is required in order to be entitled to monetary compensation. The Data Privacy Act states a general rule under which damages (both monetary and non-monetary) resulting from wilful misconduct or negligence in the processing of personal data must be compensated. The amount of compensation is set by the civil judge at his/her reasonable discretion, considering the circumstances of the case and the relevance of the facts. There is no criminal liability for non-compliance with the Data Privacy Act; however, in relation to cybersecurity, Law No. 19.223 establishes criminal liability for the conduct described therein.
A final ruling issued by the ordinary courts of Chile in the procedure briefly described in the preceding paragraphs may be appealed before the respective Court of Appeals.
Every EU Member State must provide for one or more independent public authorities (Art. 51 GDPR) responsible for monitoring the implementation of and compliance with the GDPR. These authorities have investigative and corrective powers, including the power to impose administrative fines under Art. 83 GDPR. Administrative fines are not the only penalty for infringements: the corrective powers also include issuing warnings and reprimands.
Every data subject has the right to lodge a complaint with such a supervisory authority under Art. 77 GDPR. Furthermore, Art. 78 GDPR provides the right to an effective judicial remedy against a legally binding decision of a supervisory authority, and Art. 79 GDPR provides the right to an effective judicial remedy against a controller or processor. These rights are without prejudice to any other administrative or non-judicial remedy (Art. 78 GDPR et seq.).
Each administrative fine for an infringement of the GDPR must be effective, proportionate and dissuasive (Art. 83(1) GDPR). The decision on a fine must therefore take into account in particular the nature, gravity and duration of the infringement. The administrative fines range up to EUR 10 million or 2% of the total worldwide annual turnover in the cases of Art. 83(4) GDPR, or up to EUR 20 million or 4% in the cases of Art. 83(5) GDPR.
The laws governing privacy and data protection are enforced by MeitY as well as by the courts. The machinery may be set in motion by data subjects filing complaints with the grievance officers (appointed pursuant to the Privacy Rules), by body corporates reporting cyber security incidents, or by regulators requesting information from service providers, intermediaries etc.
Negligence in implementing and maintaining reasonable security practices and procedures that causes wrongful loss or wrongful gain to any person renders the body corporate concerned liable to pay damages to the person affected.[50] Additionally, where any person who has access to material containing personal information of another person (while providing services under a contract) discloses such personal information without consent or in breach of contract, with the intent to cause wrongful loss or wrongful gain, that person is punishable with imprisonment of up to 3 years and/or a fine of up to INR 500,000.
We have not come across any restriction preventing PII owners from appealing the decisions of regulators (such as MeitY) before the courts in India. The exact nature of the action that may be brought will vary depending on factors such as the cause of action, the counterparty, the remedy prescribed under statute and the relief sought.
Separately, depending on the nature of the contravention by data fiduciaries (such as violation of the provisions governing the processing of PD, SPD etc.), the Privacy Bill proposes penalties of up to INR 150 million (approx. USD 2 million) or 4% of the total worldwide turnover of the preceding financial year of the data fiduciary, whichever is higher. The Privacy Bill also proposes imprisonment and/or a fine for persons who intentionally, knowingly or recklessly obtain, disclose, transfer, sell or offer to sell SPD, where this results in harm to a data subject.
[50] This penalty is prescribed under Section 43A of the IT Act, which deals only with sensitive personal data or information, not with PII generally.
Depending on the violation, different sanctions and penalties may be imposed under the CSL.[59] For example, non-compliance with the personal information protection provisions of the CSL may result in an order to take rectification measures, a warning, confiscation of illegal earnings, fines, or a combination thereof. The fine ranges from one to ten times the illegal earnings; where there are no illegal earnings, the fine is no more than 1 million Chinese Yuan. The directly responsible person may face a fine ranging from 10,000 to 100,000 Chinese Yuan. In the case of a severe violation, the competent authority may order the suspension of the related business, winding up for rectification, shutdown of the website, and revocation of the business license of the operator or provider.[60] A citizen, legal person or other organization may first apply to the relevant administrative organ for reconsideration and, if it does not accept the reconsideration decision, may bring an action before the people's court. Unless the relevant laws require administrative reconsideration to be exhausted before seeking judicial review, it may also bring an action before the people's court directly.[61]
[59] CSL, § 64.
[60] Administrative Procedure Law of the People's Republic of China (Amended in 2017) (《中华人民共和国行政诉讼法（2017修正）》), § 45.
[61] Administrative Procedure Law of the People's Republic of China (Amended in 2017) (《中华人民共和国行政诉讼法（2017修正）》), § 45.
Enforcement of the provisions of MCI Regulation 20/2016 is carried out by the regulatory authority through direct or indirect supervision. The regulator may also impose administrative sanctions in the form of: (a) a verbal warning; (b) a written warning; (c) temporary suspension of activity; and/or (d) an announcement on online websites. An ESO on which these administrative sanctions have been imposed may appeal sanctions issued in the form of a decree (normally used for suspensions) to the Indonesian State Administrative Court.
The laws governing privacy and data protection are enforced by the CNPD.
Article 83 of the GDPR sets out two tiers of maximum fines, depending on the obligations breached:
a) Up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of the total annual worldwide turnover of the preceding financial year, whichever is higher;
b) Up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of the total annual worldwide turnover of the preceding financial year, whichever is higher.
Under the Data Protection Law that implemented Directive 95/46/EC, which remains in force insofar as it does not contradict the GDPR and until the new Data Protection Law is approved, criminal offences are punished with imprisonment of up to 1 year or a fine of up to 240 day-fines, depending on the offence (and in certain circumstances these thresholds may be increased by up to 100%).
In addition to the above fines and penalties, other sanctions may be ordered, such as the temporary or definitive prohibition of the processing, the blocking, erasure or total or partial destruction of the personal data, and publication of the conviction.
Both controllers and processors may appeal to the courts against orders and decisions of the regulator (CNPD). The same applies to data subjects where the CNPD does not handle a complaint or does not inform the data subject within 3 months of the progress or outcome of the complaint lodged.
Finally, in the absence of specific laws, regulations and guidelines in their jurisdiction, the Article 29 Working Party Guidelines on the application and setting of administrative fines (WP253) can help controllers and processors understand the criteria and assessments the supervisory authority will follow when enforcing the law, as these guidelines reflect the position of the European data protection authorities and their interpretation of the GDPR provisions.
The Information Commissioner's Office (ICO) has a range of powers it can exercise, including restricting or stopping the processing of personal data.
In addition, the ICO can fine a controller or a processor for breaching the obligations that apply to it. There is a two-tier system of fines reflecting the seriousness with which a breach of the specified obligations is viewed. Breaches of the principles, the conditions applicable to consent, lawful basis, individuals' rights and the restricted transfer provisions are subject to the higher tier of up to EUR 20,000,000 or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Breaches of obligations such as maintaining the record of processing activities, conducting a data protection impact assessment, a processor's obligations, privacy by design and appointing a data protection officer (amongst others) are subject to the lower standard tier, where the maximum fine is EUR 10,000,000 or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
In setting a fine, the ICO will take account of the nature, gravity and duration of the infringement, any mitigating action taken, previous infringements, and the intentional or negligent character of the infringement. The maximum amount of the penalty in sterling is determined by applying the spot exchange rate set by the Bank of England on the day on which the penalty notice is given.
The ICO can issue:
- an information notice, requiring any person to provide information the ICO reasonably requires for the purposes of carrying out its functions or investigating suspected failures or offences. It is an offence to fail to comply with an information notice, whether intentionally or recklessly, and the court can make an order compelling the person to comply with it;
- an assessment notice, permitting the ICO to assess whether a business has complied with, or is complying with, data protection legislation. This may involve allowing the ICO access to specified premises and technology, directing the ICO to certain documents, and explaining such documents;
- an enforcement notice, requiring a person to take the steps specified in the notice, to refrain from taking the steps specified in the notice, or both. The notice must set out what the person has failed, or is failing, to do and the ICO's reasons for reaching that opinion.
An organisation can appeal if it considers that a decision notice issued by the ICO is wrong. It can also appeal against certain decisions made under the Data Protection Act 2018 (DPA 2018).
Any person who has suffered material or non-material damage (including distress) as a result of an infringement of the DPA 2018 has the right to bring a claim against, and to receive compensation from, a controller or processor for the damage suffered. They can also complain to the ICO and the relevant supervisory authorities.
The Swedish Data Protection Authority can impose administrative fines of up to EUR 20 million, or in the case of an undertaking, up to four (4) percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.
For less serious violations, the Swedish Data Protection Authority can impose administrative fines of up to EUR 10 million or, in the case of an undertaking, up to two (2) percent of total worldwide turnover of the preceding year, whichever is the higher.
Public authorities may also be fined, up to SEK 10 million for serious infringements and SEK 5 million for less serious infringements.
Supervisory authorities are not required to impose fines, but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive (article 83(1) of the GDPR). When deciding whether to impose an administrative fine and on its amount in each individual case, due regard must be given, among other things, to how serious the infringement is, how much harm has been caused, whether sensitive personal data is involved, and whether the infringement was intentional.
Fines can be imposed in combination with other corrective powers.
The decisions of the Swedish Data Protection Authority may be appealed to the Swedish Administrative Court.
Under Law 2472/1997 and article 57 of the GDPR, as well as article 62 of the Greek draft law, the HDPA is entrusted with supervisory and sanctioning powers relating to the application of the rules on the protection of personal data.
With regard to the range of administrative fines, the amount of which depends on the nature and specific circumstances of each infringement, the GDPR provides for fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. The orders of the regulators are subject to appeal before the competent administrative courts.
Furthermore, the criminal sanctions provided for in article 22 of Law 2472/1997 vary in severity depending on the specific circumstances of each offense. Article 23 of the same law provides for civil liability, as explained above.
In addition, article 78 of the GDPR and article 66 of the Greek draft law expressly provide for the possibility of a natural or legal person to seek a judicial remedy against a legally binding decision of a supervisory authority concerning them.
In contrast to the GDPR, Article 17 of Law No. 6698 provides for the application of the provisions of the Turkish Penal Code to offences concerning personal data. Accordingly, a criminal sanction of up to a maximum of six years of imprisonment may be imposed on persons who (i) unlawfully record personal data, (ii) unlawfully transfer, disclose or acquire personal data, or (iii) fail to destroy personal data in their systems despite the expiry of the periods prescribed by law.
Article 18, on the other hand, lists several misdemeanours and the range of administrative fines that may be imposed for each:
- Breach of the obligation to inform: from TRY 5,000 up to TRY 100,000
- Breach of data security obligations: from TRY 15,000 up to TRY 1,000,000
- Failure to comply with decisions given by the Board under Article 15 of the Law: from TRY 25,000 up to TRY 1,000,000
- Failure to register with or notify the Registry of Data Controllers: from TRY 20,000 up to TRY 1,000,000
The Data Protection Authority may impose fines for violations of data protection provisions.
The fines can amount to up to EUR 20,000,000 or up to 4% of the total worldwide annual turnover of the previous business year.
The amount of the specific fine depends on the type, severity and duration of the data protection violation and on the degree of fault.
The CNIL has a large set of powers to enforce privacy laws and can take the following actions:
- A notice recalling the obligations of data protection law;
- An order to bring the processing into conformity with the obligations arising from the French DPA 1978 and the GDPR or to comply with requests submitted by data subjects to exercise their rights, which may be accompanied, by a penalty payment in an amount not exceeding €100,000 per day of delay from the date fixed by the CNIL;
- A temporary or definitive limitation of processing, its prohibition or the withdrawal of an authorisation granted;
- The withdrawal of a certification or the injunction, to the certification body concerned, to refuse a certification or to withdraw the certification granted;
- The suspension of data flows addressed to a recipient located in a third country or to an international organisation;
- Partial or total suspension of the decision to approve binding corporate rules; and
- An administrative fine of up to €20 million or, in the case of an undertaking, 4% of the previous year's total worldwide annual turnover, whichever is higher.
Regarding administrative fines, there is a two-tier system reflecting the seriousness with which a breach of the specified obligations is viewed. Breaches of the principles, the conditions applicable to consent, lawful basis, individuals' rights and the restricted transfer provisions are subject to the higher tier of up to EUR 20,000,000 or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Breaches of obligations such as maintaining the record of processing activities, conducting a data protection impact assessment, a processor's obligations, privacy by design and appointing a data protection officer (amongst others) are subject to the lower standard tier, where the maximum fine is EUR 10,000,000 or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Please note that until 2016 the maximum fine was only EUR 150,000; it was then increased to EUR 3,000,000 from 2016 until the entry into force of the GDPR.
Decisions issued by the CNIL may be appealed to the French Council of State.
In addition, civil actions brought by persons who have suffered material or non-material damage may result in civil remedies compensating the harm suffered.
Finally, violations of the French DPA 1978 may also be punished by criminal penalties of up to EUR 300,000 in fines and up to 5 years' imprisonment.
Federal and state privacy laws are enforced at the federal and state levels, respectively. At the federal level, enforcement is typically handled by the FTC, although other agencies and/or state attorneys general may also enforce certain laws. For example, HIPAA is enforced by the federal Department of Health & Human Services and by state attorneys general. The FTC may enter into consent decrees with, or bring actions against, companies in violation of U.S. privacy laws or of Section 5 of the FTC Act (prohibiting deceptive and unfair practices), but it can impose fines only under certain laws, such as COPPA. Typically the FTC's authority is limited to restitution and injunctive relief, though violation of a consent order settling a matter can incur civil penalties for contempt of court. Fines, penalties and other relief are laid out in, and limited by, the specific privacy law under which the regulator brings an action (see below).
At the state level, enforcement of privacy laws typically falls to the state attorney general, situated within the state's chief law enforcement body, its justice department. There is substantial variation in enforcement powers and activity among the state regulators. Certain states, such as California, Connecticut, Illinois, Massachusetts and New York, are the most active in enforcing privacy laws, as these states also have some of the most robust privacy laws in the U.S. Generally speaking, most enforcement actions and settlements are made public; for example, the State of California Department of Justice maintains a privacy enforcement actions page. Individual state privacy laws set out the range of fines or penalties that may be imposed and may provide for equitable remedies, such as injunctions, as well as monetary fines. Fines at the state level are usually imposed on a per-violation basis.
Below is a summary of the penalties laid out in several key federal privacy laws:
- FCRA: Damages for willful violations by the consumer reporting agency, information furnisher or entity using the information are either actual damages or statutory damages between $100 and $1,000 per violation or punitive damages, as decided by the court, and also attorneys’ fees and costs. Damages for negligent violations include actual damages and attorneys’ fees and costs. Actual damages can include damages for emotional stress even if the plaintiff suffered no economic damages.
- HIPAA: Penalties depend upon a number of case-specific factors, including the flagrancy of the violation and any mitigating steps the entity may have taken. Fines are issued in four categories: (1) minimum of $100 per violation, up to $50,000; (2) minimum of $1,000 per violation, up to $50,000; (3) minimum of $10,000 per violation, up to $50,000; and (4) minimum of $50,000 per violation. Fines are generally issued on a per-violation basis, per year that the violation occurred. The maximum fine per category, per year is $1,500,000. Data breaches resulting from a violation may trigger additional fines. State attorneys general may also enforce HIPAA and can issue fines up to $25,000 per violation category per year. HIPAA violations may also carry criminal penalties.
- COPPA: Courts may hold operators liable for civil penalties up to $42,530 per violation. Penalties are determined by a number of factors, including the egregiousness of the violations, whether the entity has previously violated the statute, and the number of children affected.
The CCPA will subject violators to civil penalties of $2,500 per violation, $7,500 if intentional, and plaintiffs in the limited private right of action are potentially entitled to minimum statutory penalties of $750 per violation, or actual damages.
As also discussed in Section 21., judicial relief may be available for individuals affected by a violation of certain U.S. federal and state privacy laws. Consumer class action lawsuits, brought by groups of similarly situated individuals affected by the same violation, for example, can be a powerful means of compelling compliance. Class action lawsuits have been settled under the FCRA and TCPA for significant amounts. The penalties available for consumer judicial actions under federal and state laws vary and may also include injunctive relief.
Both the Commissioner and the judicial system are involved in enforcing the PDPA. The Commissioner is required under the PDPA to implement, monitor and supervise compliance with the PDPA provisions. Section 108 of the PDPA requires the Commissioner to issue an enforcement notice directing data users to take the necessary steps to remedy any contravention and to cease processing personal data pending the remedy of the contravention by the data user.
Where there is reasonable belief that any premises have been used for the commission of an offence, or reasonable belief that a person has committed or is attempting to commit an offence under the PDPA, an authorized officer appointed by the Commissioner is required to investigate, search and seize such premises and/or arrest such person. Further, the prescribed penalties for violations of the PDPA consist of fines and/or imprisonment. The fines range between RM 10,000 and RM 500,000, whereas terms of imprisonment may be imposed up to a maximum of 3 years.
Apart from this, Section 93(1) of the PDPA allows aggrieved PII owners (data users) to appeal to the Appeal Tribunal against the decisions of the Commissioner, relating to:
(a) Registration of data users
(b) Refusal to register a code of practice
(c) Service of an enforcement notice
(d) Refusal to vary or cancel an enforcement notice
(e) Refusal to conduct or continue an investigation that is based on a complaint made
Subsequently, if data users are not satisfied with the decision of the Appeal Tribunal, they may file for judicial review of the decision in the Malaysian High Court, as stated on the official website of the Department of Personal Data Protection and in the brochure "What You Need to Know? – Personal Data Protection Act 2010?" published by the Ministry of Communications and Multimedia Malaysia.
As described in point 21 above, data protection is enforced by the GRA. The GRA is empowered to fine data controllers and data processors up to 4% of their annual global turnover or €20 million (whichever is higher). Data controllers and data processors are entitled to appeal such penalties to the courts. Equally, a complainant who is dissatisfied with how the GRA addresses their complaint can seek redress through the courts.
The DPC has a range of powers it can exercise, including carrying out investigations and audits, imposing a fine and restricting or stopping the processing of personal data.
The DPC can make a decision to impose a fine on a controller or a processor for a breach of the obligations that apply to it. There is a two-tier system of fines reflecting the seriousness with which a breach of specified obligations is viewed. For example, breaches of the principles, the conditions applicable to consent, lawful basis, individuals' rights and the restricted transfers provisions are subject to the higher tier of up to €20,000,000 or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Breaches of obligations such as maintaining the record of processing activities, conducting a data protection impact assessment, a processor's obligations, privacy by design and appointing a data protection officer (amongst others) are subject to the lower tier, where the maximum fine is €10,000,000 or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
The GDPR sets out various factors that the DPC will take into account when making a decision as to whether to impose a fine and the amount of the fine. Those factors include the nature, gravity and duration of the infringement, any mitigating action taken, previous infringements and the intentional or negligent character of the infringement.
If the DPC makes a decision to impose a fine, the relevant controller or processor can appeal the DPC's decision to the Irish courts. The courts have authority to approve the decision, vary the decision (including to impose a different or no fine), or annul the decision.
If the controller or processor does not appeal the DPC's decision to impose a fine, the DPC is required to make an application to the Irish courts for confirmation of the decision. The courts will confirm the decision unless the court determines that there is good reason not to do so.
Other enforcement actions the DPC can take include:
- issuing an information notice to require any person to provide information as is necessary or expedient for the performance by the DPC of its functions; and
- issuing an enforcement notice which requires a person to take steps specified in the notice, or refrain from taking steps specified in the notice, or both.
A failure to comply with either such notice is an offence under the DPA 2018, but the issuing of either notice can be appealed to the Irish courts.
With regard to the enforcement of the APPI, supervision of PII owners is essentially centralized in the Personal Information Protection Committee ("the Committee"). The Committee has the authority to demand reports from business operators and conduct on-site inspections (APPI, Article 40), and may provide guidance or advice (APPI, Article 41) and make recommendations and issue orders (APPI, Article 42); PII owners who violate certain provisions may be subject to criminal penalties (APPI, Articles 84, 85(i), and 87).
If a PII owner subject to a reporting requirement or an on-site inspection by the Committee has any complaint about it, that PII owner may demand an administrative review pursuant to the Administrative Complaint Review Act, or may request the revocation of the administrative action under the Administrative Case Litigation Act.
A PII owner subject to administrative guidance, advice or recommendations may request that such guidance, advice or recommendations be suspended under Article 36-2 of the Administrative Procedure Act. However, these are not subject to a request for review under the Administrative Complaint Review Act or the Administrative Case Litigation Act.
Additionally, if a PII owner violates an order (APPI, Article 42.2), pursuant to the rules of criminal procedure, such PII owner may file complaints against any imposition of fines or imprisonment.