What is the maximum fine that can be applied for breach of data protection laws?
There is no maximum fine in most circumstances. Fines are determined in the first instance by the regulator or state attorney general enforcing the statute or regulation, and the targeted organization may appeal a fine through the courts. One exception is that the federal Department of Health and Human Services may apply a maximum fine of $1.5 million per year for each HIPAA violation.
The maximum administrative fine that may be imposed is €23,300; such a fine might be applied, for instance, if the rectification of data processed in an unlawful manner has not been carried out following an order by the Commissioner. Further to this, the DPA makes certain acts an offence, such as where the controller provides the data subject with untrue information or where sensitive personal data is processed in contravention of the provisions of the DPA; these may attract a maximum fine of €23,000 as well as a period of imprisonment ranging from 3 to 6 months.
In addition to the above, the Third Country (Data Protection) Regulations, Subsidiary Legislation 440.03 of the Laws of Malta, which apply to transfers of personal data to third countries, lay down an administrative fine of €23,293.73 for each violation, and a daily fine of €2,329.37 may be imposed for each day the violation persists. Contraventions of the Processing of Personal Data (Electronic Communications Sector) Regulations, Subsidiary Legislation 440.01 of the Laws of Malta, attract the same administrative fine.
The Data Protection Authority may issue orders to the effect that violation of provisions laid down in or pursuant to the Personal Data Act shall result in a fine payable to the Treasury of at most 10 times the National Insurance Basic Amount, currently NOK 936 340.
The maximum fine is TRY 1,000,000 (approx. EUR 245,000); however, note that this fine applies to each case of a breach, so the total may be higher.
According to Article 42 of the Cyber Security Law, network operators shall not divulge, tamper with or damage the personal information they have collected, and shall not provide the personal information to others without the consent of the information subjects. Any network operator violating Article 42 of the Cyber Security Law shall be fined no less than one and no more than ten times the illegal gains; where there is no illegal gain, the fine may be up to RMB 1,000,000.
The sanctions depend on the action carried out and range from a warning to fines of 100 to 320,000 days of the general current minimum salary in Mexico City.
In the event of repeated infractions, an additional fine is applied, ranging from 100 to 320,000 days of the general current minimum salary in Mexico City. In the event of infractions committed when processing sensitive Personal Data, the fines may be doubled.
Considering the amount of the general minimum salary in force in Mexico during 2017 and the currency exchange rate, fines range from approximately $421.00 USD to $1,348,042.00 USD.
In addition, the Mexican Data Protection Law establishes crimes in matters of improper processing of personal data.
Currently in the UK the maximum fine that can be levied by the Information Commissioner's Office is £500,000 (and as at April 2017, the highest fine that has in fact been levied is £400,000). This will, however, change in 2018, when the General Data Protection Regulation (GDPR) comes into effect in the UK (as it will, prior to Brexit taking effect in the period thereafter). At that point, the maximum fines will increase to €20m / 4% of worldwide turnover for (for example) breaches of the basic principles of processing (eg consent), or a lower threshold of €10m / 2% of annual turnover for breaches of some of the more ancillary obligations such as security arrangements or breach notifications.
Article 34 of the Data Protection Act provides that the maximum applicable fine is RON 500,000,000 (at this date the equivalent of EUR 109,492,212) for breach of confidentiality and security rules.
The Privacy Code does not provide for a specific maximum fine. The fines that can be applied by the DPA depend on the number and type of the violations, as well as actual circumstances of the breach, such as the nature of the relevant personal data, the seriousness of the breach, the number of the affected data subjects and the economic status of the offender. The highest fine issued by the DPA to date is Euro 11 million.
Under the GDPR, the level of fines will be significantly higher. Some infringements (for example of provisions relating to keeping records of processing) are subject to fines of up to €10,000,000, or for an ‘undertaking’, up to 2% of worldwide annual turnover in the previous financial year, whichever is higher. Others (such as breaches of the basic principles for processing/conditions for obtaining consent) are punishable by higher fines of up to €20,000,000, or for undertakings, up to 4% of worldwide annual turnover in the previous financial year, whichever is higher.
Currently in the Netherlands the maximum fine that can be levied by the Dutch Personal Data Protection Authority is €820,000 or 10% of the violator's turnover. This will, however, change in 2018, when the GDPR goes live. At that point, the maximum fines will increase to €20m / 4% of worldwide turnover.
The fines vary depending on the claimant and the rules that were not complied with in each specific case. For example, if a consumer protection agency is responsible for issuing the fine (e.g. for violation of the Consumer Code's rules), the maximum fine would be around USD 4 million (with few exceptions, depending on the agency). Public prosecutors may file class actions and ask for compensation for collective damages, and in this case there is no statutory limit for this kind of claim.
According to the Internet Act, companies that fail to comply with Brazilian rules concerning data protection may be subject to a fine of up to 10% of the revenues generated in Brazil by the economic group in the previous fiscal year.
The maximum fine that can be applied for breach of data protection laws is set out in Law No. 11 of 2008 regarding Electronic Information and Transactions (April 21, 2008), as amended ("ITE Law, as amended"), namely IDR 12 billion (approximately USD 900,000 at current conversion rates).
The IT Act provides for monetary penalties, to the extent of any actual wrongful loss or wrongful gain incurred, against a person who fails to follow the practices and procedures specified in Question 7 above in relation to personal information, including sensitive personal data or information. Further, if a service provider, including an "intermediary", in the course of performing a contract discloses an individual's personal information (including sensitive personal data or information) without that individual's consent and in breach of contract, the service provider may be liable for monetary penalties of up to INR 500,000 (approximately US$ 7,700) and/or imprisonment of up to 3 years. "Intermediary", as per the IT Act, includes a telecom service provider, network service provider, internet service provider, web-hosting service provider, search engine, online payment site, online auction site, online marketplace and cyber cafe. Further, the IT Act lays down a penalty for breach of confidentiality and privacy, whereby a service provider is liable to imprisonment for a term of up to 2 years and/or a fine of up to INR 100,000 (approximately US$ 1,500).
Breach of the PPL (especially in relation to databases) may result in a declaration of violation by ILITA and the imposition of administrative fines. Such fines may amount to up to NIS 5,000 if the breach is by an individual, and NIS 25,000 if it is by a corporation. Breach of privacy without intent constitutes a civil tort, and the data subject may also sue for statutory damages of up to NIS 50,000 (without proving actual damages). In addition, breach of privacy with intent constitutes a criminal offense punishable by a 5-year imprisonment term, and breach of database-related provisions constitutes a criminal offense punishable by a 1-year imprisonment term.
The PDPC may impose financial penalties of up to S$1 million on an organisation that is in breach of the PDPA provisions.
Currently in France, the maximum fine that may be imposed by the CNIL amounts to 3 million euros. As from 25 May 2018, under the GDPR, the maximum amount will increase to 20 million euros or 4% of the worldwide turnover of the data controller, whichever is higher. This will concern, however, only certain types of breaches, such as non-compliance with the rights conferred on data subjects. The GDPR provides for graduated sanctions regarding other types of breaches.
In accordance with section 43 (3) BDSG, the maximum fine that can be applied for breach of data protection laws is 50,000 Euro or 300,000 Euro respectively, depending on the breach. For the telecommunications sector, the maximum fine ranges from 10,000 Euro to 500,000 Euro pursuant to section 149 (2) TKG.
In contrast, the fines regulated in the GDPR are much higher. In accordance with Article 83, depending on the breach, GDPR fines go up to 10,000,000 Euro or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, or up to 20,000,000 Euro or, in the case of an undertaking, up to 4% of the total worldwide annual turnover, depending on the individual case.
Private persons are liable to a fine of up to CHF 10,000 for wilfully failing to provide information regarding safeguards in the case of cross-border data transfers or to notify data collections (or in so doing wilfully providing false information), or for wilfully providing the FDPIC with false information in the course of an investigation or refusing to cooperate. On complaint, the wilful provision of false or incomplete information to data subjects who exercise their right of information or when collecting sensitive personal information or personality profiles, including the wilful failure to inform data subjects as required pursuant to the DPA, is sanctioned by a fine of up to CHF 10,000.
The preliminary draft of the revised DPA (see Question 7) imposes fines of up to CHF 500,000 for the wilful breach of the obligations set forth above and further obligations set forth in the DPA. A negligent breach is intended to be sanctioned with a fine of up to CHF 250,000. Further, wilful breach of professional secrecy shall be punishable by imprisonment of up to three years or monetary penalty. This new sanction will not be limited to the usual bearers of professional secrets but extend to any profession for which protection of confidentiality is essential.
As set forth in the Organic Integral Criminal Code, personal data is afforded protection under the criminal law. The aforementioned law establishes that any person who accesses, intercepts, examines, retains, records, reproduces, discloses or publishes personal data, data, voice, audio and video messages, postal consignments, information contained in computer storage media, or private or reserved communications of another person by any means, without consent or legal authorization, is punishable with imprisonment from one to three years.
In addition, the person whose personal information was disclosed is entitled to initiate damages claims against the natural or legal person that disclosed the information.