Global data risk
There is a long history of significant privacy penalties and settlements in the US (including the biggest ever at $5bn), with major penalties levied for over a decade.
Penalties and settlements generally arise in three cases: data breaches; violations of special-purpose laws like the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLB) or the Children’s Online Privacy Protection Act (COPPA); and violations of general consumer-protection laws like the Federal Trade Commission Act. In addition, 2020 saw the first enforcement action by the New York State Department of Financial Services against an insurer based on that regulator’s recently imposed cybersecurity regulations. Of note, the federal government agencies responsible for HIPAA enforcement relaxed some of HIPAA’s implementing regulations in response to the COVID-19 pandemic.
One of the most active regulators in this space has been the Federal Trade Commission (FTC), which wields an assortment of enforcement tools against offending companies. Importantly, the Supreme Court is currently considering the scope of the FTC’s power to require companies to compensate consumers monetarily as part of its order-making powers. The outcome of that question may have a major impact on privacy enforcement in the US.
Penalties are often reached by settlement between the authority and the alleged offender, while more individuals (particularly doctors) are fined for violations than is the case in Europe.
While the US has no generally applicable federal data privacy regulation (just the special-purpose laws mentioned above), the country’s first full-fledged privacy law at the state level came into effect at the start of 2020. Enforcement of the California Consumer Privacy Act (CCPA) is still in its nascent stage; the California Attorney General has begun by issuing warning letters to various companies. The CCPA was extended in late 2020 via the California Privacy Rights and Enforcement Act (CPRA or CPREA), which will come into force in 2023 and bring California’s privacy regime closer to GDPR. The CPRA will create the US’s first true data protection authority and empowers it with an assortment of enforcement tools.
In 2018, the first year of the GDPR, there was little enforcement activity outside Germany and Austria and the fines issued were relatively small.
In 2019 there was a significant uptick in activity, with more than 143 individual penalties issued. The size of the fines, however, only started to increase towards the end of the year, with the average penalty in 2019 hitting €630,000 (largely on the back of Europe’s biggest data fine to date, a €50m sanction issued by France’s CNIL). By 2020, the average GDPR fine had risen to more than €1m.
DPAs in the three biggest economies in Continental Europe – France, Italy and Germany – were active from the earliest days of the GDPR. Across the Channel, the UK ICO only really entered the fray in 2020 but since then has consistently gone after bigger cases, with its average fine of €11m more than double that of any other European country. Germany now appears to be following the UK’s lead, with its average penalty rising to €18m in 2020. Spain, too, has recently started to issue much larger penalties.
There is also a clear distinction emerging in the types of infringements pursued by different European DPAs – in the UK the ICO has focused on data breaches and security incidents; the German authorities have come down hard on employee surveillance; and Italy’s Garante has taken a tough stance on general compliance and any lack of co-operation with its investigations.
The GDPR has served to align – to some extent – financial penalties across member states. EU DPAs co-operate to ensure that the regulation is applied consistently across the bloc and that enforcement action is effective, dissuasive and proportionate. At the same time, the GDPR gives individual DPAs the flexibility to develop their own methods of calculating penalties. For example, German authorities set fines based on the severity of the violation and do not necessarily consider whether the infringement is a first offence. The Italian authority, on the other hand, will first issue a warning and then a significant fine for failure to comply.
GDPR fines are handed out frequently, driven by the ‘one-stop-shop’ nature of the regulation’s enforcement mechanism (whereby a DPA in one member state can act on behalf of the entire bloc), and the GDPR’s narrow scope, which allows smaller fines to be issued for relatively minor offences.
Unlike their counterparts in the US, European authorities issue fewer fines in relation to direct marketing. EU member states have their own e-communications laws that cover direct marketing, cookies and spam, while the GDPR principles cover marketing more generally. Despite large fines being rare, there have been some significant penalties handed out, including from the CNIL which in December 2020 became the first EU authority to issue a major sanction for cookie violations. The EU is continuing to work on a new ePrivacy Regulation, which could see more enforcement in relation to electronic direct marketing in the future.
The data privacy landscape in Asia is evolving fast. There were several significant regulatory developments in 2020, with amendments to existing privacy laws in Singapore, Japan and Korea, and New Zealand’s new Privacy Act coming into force. 2021 is expected to follow this trend, with further new laws and amendments in the pipeline in India, Indonesia, China and Hong Kong.
In particular, China’s regulatory landscape is expected to undergo its most significant change since the advent of the country’s Cyber Security Law (CSL) in 2017 with the introduction of a new Personal Data Protection Law.