What is the maximum fine that can be applied for breach of data protection laws?

Technology (3rd edition)

Armenia Small Flag Armenia

Administrative sanctions, for infringements that are not subject to

Fines vary depending on the rule violated. The highest fine is AMD500,000 (about USD1,000).

criminal liability

· monetary penalties from AMD200,000 to AMD500,000; or

· imprisonment for one to two months

Dominican Republic Small Flag Dominican Republic

Any person that breaches the provisions of the Law No. 172-13 could be penalized with imprisonment from six (6) months to two (2) years, and a fine consisting the payment of the equivalency of a hundred (100) to a hundred and fifty (150) Dominican minimum wages.

Egypt Small Flag Egypt

Given the fact that the Egypt does not have a law regulating the protection of the personal data, the fines and penalties of breaching any of the provisions and restrictions mentioned above in our answers to questions no. 8 and 9 depend on the relevant applicable provisions and laws. However, it is worth mentioning that the Data Protection Law Draft includes imprisonment penalties as well as fines amounting to two (2) million Egyptian Pounds in case of breach of the provisions of the said law.

Estonia Small Flag Estonia

The Estonian Personal Data Protection Act stipulates different offences for breaches of data protection requirements. Each type of offence has its own upper limit for a fine. The highest fine which can be imposed is 20,000,000 EUR or 4 % of the entity’s total worldwide annual turnover of the preceding financial year, whichever is higher.

However, we note that at the present moment, the fines outlined above cannot be imposed, since Estonia has not yet made the necessary amendments to the Penal Code. According to the Penal Code currently in force, the maximum amount of a fine can be 400,000 EUR. The amendments to the Penal Code are currently under review by the legislator.

France Small Flag France

Under the GDPR, the maximum amount that may be imposed by the CNIL amounts to 20 million euros or 4% of the data controller’s global turnover, whichever is greater. However, this only concerns certain types of breaches, such as non-compliance with the rights conferred on data subjects. The GDPR provides for graduated sanctions regarding other types of breaches.

China Small Flag China

The maximum fine is currently RMB 1 million if no illegal gains result from such breach. If illegal gains do result, such gains will be confiscated and the fine will be one to ten times the illegal gains from the breach.

Israel Small Flag Israel

The PPA is entitled to impose administrative fines ranging from 10,000 NIS (approx. 2,800 USD) to 25,000 NIS (approx. 7,000 USD) for breach of certain provisions of the Privacy Law (e.g. failure to register a database, failure to provide privacy notices, failure to allow data subjects to fulfil their access and correction rights, etc.), whereas for continued violations, the administrative fine will include 1/10 of the amount provided for the said violation, for each day that the violation continues to occur (i.e., a daily fine may be imposed for each day in which the violation occurs following the notice of violation issued by the PPA).

In addition, a breach of the right to privacy of an individual constitutes both a civil and criminal offence.

Section 4 to the Privacy Law states that any act or omission in violation of the Privacy Law constitutes a tort to which the Civil Wrongs Ordinance (New Version) shall apply. In this regard, a person who has been harmed may file a claim for damages against the infringing party without limitation in amount (as long as such damages are proven) and also file a petition for certification of a class action. In addition, according to Section 5 of the Privacy Law, the breach of privacy also gives rise to a criminal offense. Where the infringement is committed wilfully, the offence is punishable by up to 5 years imprisonment.

Section 29A(a) of the Privacy Law authorizes a court to order a person who has been convicted under Section 5 of the Privacy Law to pay the injured person statutory damages of up to approx. 50,000 NIS (approx. 14,000 USD; linked to the Consumer Price Index). In addition, Section 29A(b) of the Privacy Law states that in a civil tort proceeding under Section 4 of the Privacy Law, the court may order the defendant to pay the plaintiff statutory damages of up to 50,000 NIS as well. However, in civil tort proceedings where it is proven that the infringement of privacy was carried out with intent to cause harm, the court may order the defendant to pay the plaintiff statutory damages of up to 100,000 NIS (approx. 28,000 USD).

Italy Small Flag Italy

In accordance with Section 83, para. 5, of the GDPR, the maximum fine amounts to 20,000,000 euros, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Such fine is applicable with respect to the infringement of the provisions indicated under the same rule.

In addition, Section 166 of the Privacy Code specifies the provisions contained therein that, if violated, entail the application of the sanctions established under Section 83, para. 5, of the GDPR. Some rules under Section X of the Privacy Code, on electronic communications services, are included in said list.

For the sake of completeness, Section 166 of the Privacy Code also specifies the provisions contained therein that, if violated, entail the application of the sanctions established under Section 83, para. 4, of the GDPR, thus falling within the range of lower sanctions (10,000,000 euros, or up to 2% of the worldwide annual turnover, whichever is higher).

Japan Small Flag Japan

Under the APPI, there is no administrative fine that can be applied for breach of the APPI, but criminal penalties may be imposed on business operators handling personal information under certain circumstances. The maximum criminal penalties are penal servitude of up to one year or a criminal fine of up to ¥500,000, which may be imposed if any current or former officer, employee or representative of a business operator handling personal information provides such information to a third party or steals such information from a personal information database established in connection with the business of such business operator with the purpose of providing unlawful benefits to himself or herself or third parties.

Malaysia Small Flag Malaysia

Non-compliance with the PDPA may result in the organisation, upon conviction, being liable to a fine ranging from RM100,000 to a maximum of RM500,000 and/or to imprisonment ranging from 1 to 3 years.

Malta Small Flag Malta

In the case of a breach of data protection laws, depending on the provision of the GDPR which was infringed, the maximum administrative fine which the Information and Data Protection Commissioner may impose may be up to €20,000,000, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is the higher.

New Zealand Small Flag New Zealand

The maximum fine under the Privacy Act is NZ$10,000 for failure to comply with a transfer prohibition notice, or NZ$2,000 for a range of other offences. The Privacy Bill proposes to increase the maximum penalty for a broader range of offences to NZ$10,000.

Germany Small Flag Germany

In accordance with Art. 83 (4) GDPR the maximum fines for infringements of the provisions set out therein is 10,000,000 EUR or in the case of an undertaking up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. For infringements of provisions set out in Art. 83 (5) GDPR a maximum fine of even 20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, is foreseen.

For the telecommunications sector, the maximum fine ranges from 10,000 Euro to 500,000 Euro pursuant to section 149 (2) TKG.

Indonesia Small Flag Indonesia

In general, Indonesian regulatory framework recognizes different type of sentences/sanction as sanction toward any violation to the laws, namely criminal fines, imprisonment, and administrative fines. Specific for criminal fines and imprisonment, its imposition is required to be regulated under a law. For administrative fines, the provision governing the fine may be stipulated under implementing regulation of certain law.

Criminal Sanction

It is important to note that Indonesia does not have its own personal data protection law. Therefore there is no specific imposable criminal sanction against breach of data protection laws. However, the law enforcement agency has seen Law 11/2008 as the legal basis for imposing criminal sanctions against illegitimate action of accessing and/or transferring electronic document/information containing personal data. This is evidenced through the arrest that the police made in 2017 against organized criminal group that illegitimately transferred and sell personal data of bank customers. Nonetheless, such approach, we believe is subject to case-by-case basis.

The EIT sets the following sanctions as follow:

a. Maximum fines of IDR 2.000.000.000 and imprisonment of 8 years may be imposed against any individual that intentionally and illegitimately or unlawfully with any means modifying, increasing, decreasing, transmitting, destroying, deleting, transferring, hiding electronic information (which may include personal data) and/or electronic document of other individuals or public;

b. Maximum fines of IDR 3.000.000.000 and imprisonment of 9 years may be imposed against any individual that intentionally and illegitimately or unlawfully with any means transferring, or relocating electronic information (which may include personal data) and/or document to other unauthorized electronic system; and

c. Maximum fines of IDR 5.000.000.000 and imprisonment of 10 years may be imposed against any individual that intentionally and illegitimately or unlawfully with any means modifying, increasing, decreasing, transmitting, destroying, deleting, transferring, hiding electronic information (which may include personal data) and/or electronic document which shall be protected its confidentiality becomes accessible to public without protecting the integrity of the data.

Administrative Sanction

In addition to the criminal sanction, the GR 82/2012 stipulates administrative sanction on violation to its provisions (including provisions regarding personal data protection). The administrative sanctions may made in the form of:

a. Written warning;
b. Administrative fines;
c. Temporal suspension activities; and/or
d. Expulsion from list of which ESP is registered (i.e. registered ESP, etc).

Pakistan Small Flag Pakistan

With respect to data protection/privacy, while requirements exist for licensees of PTA to maintain general privacy and confidentiality of the data of their subscribers, under the respective terms of such licensee’s license and PTA Laws, there are no specific laws which regulate ‘data protection’ in Pakistan, and while PECA criminalizes unlawful or unauthorized access to information, data, copying or transmission of critical infrastructure data, it does not regulate ‘data protection’ in Pakistan.

Having stated the foregoing, in the event that PTA determines that a licensee has violated a provision of this license, PTA Laws, the conditions of its license, any other order or instructions of PTA, PTA may by order impose one or more sanctions provided in the relevant PTA Laws.

Under the applicable PTA Laws, an operator can be subject to a maximum fine of PKR 350 Million (approx. US$ 2,350,000) or in case of a grave or persistent contravention of its license, PTA may even proceed to terminate the license of the licensee, subject to certain conditions.

The following is the maximum liability in the event of breach of data privacy under PECA:

(i) unauthorized access to information system or data – imprisonment for up to three months or with fine which may extend to fifty thousand rupees or with both;

(ii) unauthorized copying or transmission of data – imprisonment for up to six months, or with fine which may extend to one hundred thousand rupees or with both;

(iii) interference with information system or data – imprisonment for up to two years or with fine which may extend to five hundred thousand rupees or with both;

(iv) unauthorized access to critical infrastructure information system or data – imprisonment for up to three years or with fine which may extend to one million rupees or with both;

(v) unauthorized copying or transmission of critical infrastructure data – imprisonment for up to five years, or with fine which may extend to five million rupees or with both;

(vi) interference with critical infrastructure information system or data – imprisonment for up to seven years or with fine which may extend to ten million rupees or with both;

(vii) unauthorized use of identity information – imprisonment for up to three years or with fine which may extend to five million rupees, or with both; and

(viii) unauthorized interception - imprisonment for up to two years or with fine which may extend to five hundred thousand rupees or with both.

Romania Small Flag Romania

The maximum applicable fine is the one provided by article 83 paragraph 5 of the GDPR (administrative fine up to EUR 20 000 000, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher), except for the public authorities and bodies for which the maximum fine is of Ron 200,000 (approximately EUR 43,000).

South Korea Small Flag South Korea

Under the Network Act, a penalty surcharge of up to 3% of the revenue generated from the act constituting the breach in question can be applied. Under the PIPA, a fine of up to KRW 100,000,000 can be applied.

Spain Small Flag Spain

The fines imposed under the LOPDGDD follow the same criteria as the GDPR, and it establishes three different types of infringements (minor, serious and very serious). Under the GDPR maximum fines for infringements can be up to 20,000,000 EUR, or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever amount is higher. This maximum fine would only be imposed for the breach of certain obligations under the GDPR, such as infringing the data protection principles, not observing the restrictions for international data transfers or failing to satisfy the rights of the data subjects.

On the other hand, persons who have suffered material or non-material damage as a result of an infringement of the GDPR shall have the right to receive compensation from the controller or processor for the damage suffered. The total amount that will have to be paid for an infringement that resulted in damages would ultimately depend on those damages, which will be decided by a court. A company may be required to pay a fine as well as compensation to the data subjects.

Sweden Small Flag Sweden

According to article 83 in the GDPR, the maximum fine that can be applied for a breach is EUR 20 million, or 4 % of the company´s annual turnover of the previous financial year, whichever is higher.

Taiwan Small Flag Taiwan

Pursuant to the PDPA, the maximum administrative fine is NTD500,000, in the case of violating certain important provisions under the PDPA, such as collecting and using personal data without a statutory ground, or violating the government's order on international transfer of personal data. The authority may impose administrative fine consecutively until corrective actions are taken.

Turkey Small Flag Turkey

The fines regulated under the DPL vary as per the type and degree of breach. Failure to comply with data security requirements, Board decisions as well as registration and notification requirements may be subject to a maximum administrative fine of 1,000,000 Turkish Liras (approximately USD 170,000).

United Kingdom Small Flag United Kingdom

The Information Commissioner's Office has (unless and until Brexit occurs) the power to levy fines pursuant to the GDPR. The maximum fines will increase to €20m / 4% of worldwide turnover re: (for example) breaches of the basic principles of processing (eg re: consent), or a lower threshold of €10m / 2% of annual turnover for breaches of some of the more ancillary obligations such as security arrangements or breach notifications.

United States Small Flag United States

Typically, violations of data protection laws permit recovery of actual or statutory damages and attorneys' fees. Privacy violations under the FTC Act have a maximum fine of $16,000 per violation. Civil violations of HIPAA have a maximum fine of $1.5M. The maximum civil fine for GLBA violations is $1M.

Australia Small Flag Australia

Currently the maximum penalty that can be imposed by the Federal Court or Federal Circuit Court for serious or repeated interferences with privacy is $2.1 million. However, such a penalty can only be imposed where the Privacy Commissioner makes an application to the court. This is not a common occurrence, with the Privacy Commissioner more likely to follow a conciliatory approach and issue determinations and directions. Some of the typical remedies directed by the Privacy Commissioner include payment of compensation to individuals, issuing an apology to affected individuals, and undertaking a review of information handling procedures.

This situation could change if the Federal Government implements its proposed amendments to the Privacy Act. The proposal includes increasing the penalty for serious or repeated interferences with privacy to the greater of $10 million, three times the value of any benefit gained by the entity through misusing personal information, or 10% of the entity's annual domestic turnover. In addition, the Privacy Commissioner could be given new powers to issue infringement notices of up to $63,0000 where entities fail to cooperate with efforts to resolve minor breaches. This would not require a court application. The government is yet to introduce legislation to this effect.

Updated: August 27, 2019