What are the potential penalties for non-compliance with data protection provisions?

Argentina
Allende & Brea

The Data Protection Act stipulates that violations of the act will be determined by the National Data Protection Agency. Potential penalties include a written warning, suspension, a fine of between Ps1,000 and Ps100,000 and closure of the database.

Austria
Dorda Brugger Jordis

Non-compliance with Austrian data protection provisions can incur the following penalties:

  • claims by data subjects based on the right to data protection – compensation for damages (unlikely), omission or publication of judgment (both likely);
  • claims by competitors for omission based on unfair competition law – compensation for damages (very unlikely), omission or publication of judgment (both likely);
  • an administrative penalty of up to €10,000 (the first penalty is usually only a fraction of the highest possible penalty);
  • an administrative penalty of up to €25,000 for transferring data without the Data Protection Authority’s approval (again, the first penalty is usually low);
  • control proceedings by the Data Protection Authority (ie, onsite audits) resulting in prohibition from further processing or transfer of personal data; and
  • a damaged reputation in the media.

Belarus
SORAINEN

Belarusian law provides no specific penalties for non-compliance with data protection provisions. However, parties that use information protection systems or technical or cryptographic means of protection that are not certified in accordance with Belarusian law face administrative liability in the form of a fine and, possibly, confiscation of the means of protection. The administrative fine can total up to 20 basic units (approximately €190) for individuals and individual entrepreneurs and up to 100 basic units (approximately €947) for legal entities.

Canada
Dentons

Penalties for certain offences under the Personal Information Protection and Electronic Documents Act (SC 2000, c 5) (PIPEDA) and the private sector legislation in British Columbia and Alberta (eg, using deception or coercion to collect personal data, disposing of personal data in an attempt to evade a request for access to personal data and obstructing the privacy commissioner) may result in a fine of up to C$10,000 for an individual or up to C$100,000 for an organisation. Fines for similar offences under Quebec legislation are from a minimum of C$1,000 to a maximum of C$50,000 (C$100,000 for some subsequent offences).

China
Mayer Brown LLP

Under the Law on the Protection of Consumer Rights and Interests, a company shall incur civil liabilities if it:

  • collects or uses consumers’ personal information without consent;
  • discloses, sells or illegally provides others with consumers’ personal information; or
  • sends commercial information to consumers without their consent or request, or after the consumer has expressly refused consent.

Additionally, the administrations of industry and commerce and their local counterparts may issue a corrective order or warning, confiscate illegal gains and/or impose a fine of between one and 10 times the value of the illegal gains, or up to Rmb500,000 where no illegal gains were made. If the circumstances are severe, the company may be suspended from operations or have its licence revoked.

Violations of the Provisions on Protecting the Personal Information of Telecommunications and Internet Users and the Provisions on Regulating the Market Order of Internet Information Services are subject to corrective orders, warnings, fines of between Rmb10,000 and Rmb30,000 and criminal liabilities.

Czech Republic
Havel, Holásek & Partners s.r.o.

The following breaches of the Act on the Protection of Personal Data constitute administrative offences and may incur fines:

  • A natural person breaching confidentiality may incur a fine of up to Kr100,000 (approximately €3,700).
  • A natural person acting as a data controller may incur a fine of up to Kr1 million (approximately €37,000).
  • A legal person acting as a data controller may incur a fine of up to Kr5 million (approximately €185,000).
  • A natural person endangering a larger number of persons by unlawful intrusion of privacy or breach of obligations concerning the processing of sensitive personal data may incur a fine of up to Kr5 million (approximately €185,000).
  • A legal person endangering a larger number of persons by unlawful intrusion of privacy or breach of obligations concerning the processing of sensitive personal data may incur a fine of up to Kr10 million (approximately €370,000).

In addition, criminal penalties might apply in case of unlawful use or disclosure of personal data, including up to eight years’ imprisonment in extreme cases.

Estonia
SORAINEN

Violation of applicable data processing requirements is punishable by a fine of up to €1,200 for natural persons and up to €32,000 for legal persons.

Officials of the Data Protection Inspectorate can issue precepts to processors of personal data and adopt decisions for the purposes of ensuring compliance with the Personal Data Protection Act. On failure to comply with a precept, the Data Protection Inspectorate may impose a penalty payment in administrative proceedings. The upper limit for a penalty payment is €9,600, which may be imposed repeatedly until compliance is achieved.

Finland
Bird & Bird

Penalties for non-compliance with the Personal Data Act range from fines to imprisonment for up to one year. Special legislation may impose additional penalties. 

France
ADSTO

Administrative penalties for non-compliance with data protection regulations are administered by the national authority for data control (CNIL). It can issue fines for natural persons of up to €150,000 for a first violation and €300,000 for a second violation occurring less than five years after the first violation.

The Criminal Code also lists a number of offences for non-compliance with or violation of data protection legislation, the gravest of which can lead to a five-year prison term and a €300,000 fine for individuals (the fine is five times higher for legal entities). These penalties are issued by national crime authorities.

Germany
Mayer Brown LLP

The Federal Data Protection Act provides for fines in case of administrative offences, or even imprisonment in case of criminal offences. Fines may amount to up to €300,000 per case. Fines must exceed the financial benefit derived by the perpetrator from the administrative offence. If the aforementioned amount is insufficient to do so, it may be increased. In case of a criminal offence, imprisonment for up to two years is possible.

Greece
Karageorgiou & Associates Law Firm

The penalties for non-compliance with data protection provisions depend on the specific violation:

  • Improper notification or failure to notify is punishable by imprisonment for up to three years and a fine ranging from €2,934.70 to €14,673.51.
  • Failure to obtain a permit is punishable by imprisonment for at least one year and a fine ranging from €2,934.70 to €14,673.51.
  • Failure to notify the interconnection of files is punishable by imprisonment for up to three years and a fine ranging from €2,934.70 to €14,673.51.
  • Unauthorised access or similar is punishable by imprisonment and a fine; if sensitive data is involved, the term of imprisonment is at least one year and the fine ranges from €2,934.70 to €29,347.02.
  • Failure to comply with decisions of the Hellenic Data Protection Authority is punishable by imprisonment for at least two years and a fine ranging from €2,934.70 to €14,673.51.
  • Illegal financial gain is punishable by imprisonment for up to 10 years and a fine ranging from €5,869.40 to €29,347.02.
  • Threat to national security is punishable by imprisonment at the court’s discretion (for between five and 20 years) and a fine ranging from €14,673.51 to €29,347.02.

The Hellenic Data Protection Authority may also impose administrative sanctions, which include:

“(a) warning, with a deadline to stop the breach,

(b) fines ranging from 880.41 Euros to 146,752.37 Euros (these amounts may be adjusted from time to time upon a decision of the Ministry of Justice),

(c) temporary revocation of permit,

(d) permanent revocation of permit,

(e) destruction of a filing system or interruption of processing and destruction, return or engaging (blocking) of the relevant files.”

The above administrative sanctions may be imposed upon considering the seriousness of the violation, independently or cumulatively, and only after hearing the data controller or its representative.

Hong Kong
Mayer Brown LLP

A breach of the Personal Data (Privacy) Ordinance (Chapter 486) may result in an inquiry and investigation by the privacy commissioner (either on the privacy commissioner’s own initiative or based on a complaint). If the privacy commissioner determines that a data user has breached any of the data protection principles, the privacy commissioner can issue an enforcement notice against the data user requiring it to take certain remedial steps to rectify or prevent any recurrence of the breach. Failure to comply with the enforcement notice constitutes an offence and the data user will be liable on first conviction to a maximum fine of HK$50,000 and a further penalty of HK$1,000 for each day that the offence continues, as well as two years’ imprisonment.

Subsequent repeat contraventions of the Personal Data (Privacy) Ordinance (Chapter 486) similar to that for which an enforcement notice has been issued and complied with constitute an offence (without the need for a new enforcement notice to be issued). This may result in a maximum fine of HK$50,000 and a further penalty of HK$1,000 for each day that the offence continues, as well as two years’ imprisonment. Repeated breaches of enforcement notices will result in higher fines of HK$100,000 and a further penalty of HK$2,000 for each day that the offence continues, as well as two years’ imprisonment.

A breach of the direct marketing requirements under the Personal Data (Privacy) Ordinance (Chapter 486) constitutes an offence and can result in a maximum fine of HK$500,000 and three years’ imprisonment. A breach involving the sale or transfer of personal data to a third party for direct marketing purposes for the data user’s gain can result in a maximum fine of HK$1 million and five years’ imprisonment. 

Other breaches of the Personal Data (Privacy) Ordinance (Chapter 486) may also amount to an offence and incur a fine of HK$10,000. 

India
Kochhar & Co

Under Section 43A, if a breach results in a wrongful gain or loss, the adjudicating officer or the courts (as the case may be) can order compensation to be paid. There is no maximum compensation prescribed.

The following penalties apply:

  • Under Section 66 (use of cookies without consent), the penalty is imprisonment of up to three years, a fine of up to Rs500,000 or both.
  • Under Section 72, the penalty is imprisonment of up to two years, a fine of up to Rs100,000 or both.
  • Under Section 72A, the penalty is imprisonment of up to three years, a fine of up to Rs500,000 or both. 

Indonesia
K&K Advocates - Intellectual Property

Failure to comply with the Law Concerning Electronic Information Technology or the Government Regulation Concerning Electronic Systems and Transaction Providers could result in:

  • a warning letter;
  • an administrative fine;
  • temporary suspension; or
  • exclusion from the public service provider, electronic agent, electronic certification provider or reliability certification institution lists. 

Italy
ICT Legal Consulting

Non-compliance with the data protection rules could lead to administrative penalties in the form of fines, injunctions and criminal charges. It is worth underlining that, pursuant to Section 143 of the Data Protection Code, the Data Protection Authority will block or prohibit processing, in whole or in part, if:

  • it is found to be unlawful or unfair and this is partly due to the data controller’s failure to take the necessary measures to align the processing to applicable law; or
  • there is an actual risk that it may be considerably prejudicial to one or more of the data subjects with regard to:
    • the nature of the data;
    • the arrangements that apply to the processing; or
    • the effects that may be produced by the processing.

In case of failure to comply with the security provisions or where activities are conducted with the intent to cause harm – for example, in the event of unlawful data processing or false declarations or notifications submitted to the Data Protection Authority – criminal penalties may be imposed by the court.

Japan
Nishimura & Asahi

Under the Act on the Protection of Personal Information, ministries may request reports on the handling of personal information and may issue recommendations or corrective orders if a business operator governed by the act breaches an individual’s privacy and violates the act.

Before issuing a corrective order, ministries may take an incremental approach and instruct, advise and make recommendations to business operators governed by the act. A breach of a corrective order is a criminal offence and the person responsible is punishable by imprisonment with work for a maximum of six months, a maximum fine of Y300,000 or both. The business operator will also be subject to a maximum fine of Y300,000.

Latvia
SORAINEN

The violation of data protection rules or the breach of the rights of the data subject is a punishable offence under the Administrative Violations Code. For illegal actions related to personal data (including collecting, organising, classifying, editing, storing, using, transferring, disclosing, blocking or erasing of the personal data) or for a violation of the data protection rules, a fine of up to €11,400 and the possible confiscation of the objects used to commit the violation may be imposed. If the offence is committed with regard to sensitive data or repeatedly, a fine up to €14,000 may be imposed.

Criminal penalties apply to unlawful actions involving personal data if the action causes serious harm or is carried out by the controller or processor for the purpose of blackmail, to gain monetary benefit or for revenge. However, these are enforced only in extremely rare cases.

Lithuania
SORAINEN

Failure to comply with data processing requirements may give rise to liability under the Code on Administrative Offences with regard to illegitimate processing of personal data and violations of data subjects’ rights. The maximum administrative fine for improper processing of personal data is €289 (€579 for repeat offences). For data protection violations of a legal person, this fine is imposed on the chief executive officer of the entity in question. The statute of limitations is six months from the date of the offence and, in case of continued offences, six months from the date on which the offence is identified.

Senegal
LPS Law

There are two kinds of penalty for non-compliance with data protection provisions: those set down by the Senegalese Data Protection Authority (CDP) and those ordered by the court.

CDP penalties
The CDP can order:

  • the provisional withdrawal of authorisation for three months – this withdrawal becomes permanent at the end of the three-month period if the data controller still does not comply with data protection laws; and
  • a fine of between CFAfr1 million and CFAfr100 million.

In urgent cases the CDP can also:

  • interrupt data processing for up to three months;
  • freeze certain kinds of data for up to three months; and
  • prohibit – temporarily or permanently – any processing that does not comply with CDP rules.

Court penalties
The court can impose one or more of the following penalties:

  • imprisonment of between six months and seven years; and
  • fines of between CFAfr200,000 and CFAfr10 million.

Slovakia
Havel, Holásek & Partners s.r.o.

Processing personal data in breach of the Data Protection Act may constitute an administrative offence, subject to fines of up to €200,000. The penalties vary depending on the obligations breached.

In addition, criminal penalties may apply, including up to 10 years’ imprisonment in extreme cases.

Switzerland
Walder Wyss

If a recommendation made by the data protection and information commissioner in the course of an investigation is not complied with or is rejected by the affected data processor, the commissioner may refer the matter to the Swiss Federal Administrative Court. Both the commissioner and the affected data processor have the right to appeal against such a decision before the Swiss Federal Supreme Court. However, these administrative procedures do not directly result in a penalty. Likewise, the commissioner has no power to issue fines.

However, to the extent that a violation of the Data Protection Act amounts to a criminal offence, the competent criminal judge may fine private persons up to Sfr10,000.

Thailand
Tilleke & Gibbins

Individuals who suffer damage due to the unauthorised disclosure of their personal data may claim against the responsible party in tort. Criminal charges may also be possible, depending on the circumstances (eg, criminal defamation). The Child Protection Act sets out penalties (ie, fines and prison sentences) in relation to the exploitation of information concerning children and their parents or guardians. Laws and regulations applicable to parties operating within the telecommunications, banking and finance, insurance, securities, healthcare, consumer credit and electronic payment services sectors and government agencies set out other specific penalties for breaches, which may include fines, imprisonment and administrative action (eg, loss of licence).

Turkey
ELIG, Attorneys-at-Law

Article 17 of the Data Protection Law refers to the provisions of the Criminal Code relevant to crimes involving data protection. Article 18 regulates minor offences and provides for administrative fines of between TRY5,000 and TRY1 million for breaches of the Data Protection Law.

USA
Sidley Austin LLP

Potential penalties can be significant. Federal and state privacy laws are enforced by an expanding network of federal regulatory agencies, federal prosecutors, state attorneys general, other state regulators and private plaintiffs. Many states have created formal units charged with privacy oversight, and state attorneys general often cooperate in joint enforcement actions against companies that experience data breaches or privacy violations. In the United States, coordinated and comprehensive privacy regulation combined with active enforcement and sizable fines establish a strong deterrent to motivate compliance with US privacy and security requirements.
