What are the potential penalties for non-compliance with data protection provisions?  

Austria DORDA

Non-compliance with Austrian data protection provisions can incur the following penalties:

  • claims by data subjects based on the right to data protection – compensation for damages (unlikely), omission or publication of judgment (both likely);
  • claims by competitors for omission based on unfair competition law – compensation for damages (very unlikely), omission or publication of judgment (both likely);
  • an administrative penalty of up to €10,000 (the first penalty is usually only a fraction of the highest possible penalty);
  • an administrative penalty of up to €25,000 for transferring data without the Data Protection Authority’s approval (again, the first penalty is usually low);
  • control proceedings by the Data Protection Authority (ie, onsite audits) resulting in prohibition from further processing or transfer of personal data; and
  • a damaged reputation in the media.

This regime will change drastically as of May 2018. Besides the DSB's control rights, the authority will also become competent to impose administrative fines of up to €20 million or 4% of the total worldwide annual turnover. The new, high fines will primarily be imposed directly against the responsible legal entity as data controller or processor. The authority is still entitled to punish natural persons in charge (managing directors or representatives appointed under administrative law, not the Data Protection Officer). Primarily, the company shall be directly liable. Additional fines to individuals shall be imposed only under special circumstances. The Data Protection Act 2018 provides for a catch-all administrative penalty of up to €50,000 applicable to less severe infringements of data protection provisions not subject to fines under the EU General Data Protection Regulation (Section 62 of the act). These penalties will especially cover violations of national specifics under the act.

Brazil Mattos Filho, Veiga Filho, Marrey Jr e Quiroga Advogados

The Consumer Code imposes criminal liability (six to 12 months’ imprisonment) for certain conduct that may qualify as a crime, although imposing criminal liability for violation of cybersecurity and data protection laws is very rare. In any case, a fine may be imposed on an organisation that is non-compliant with privacy laws or in the event of a data breach. Fines may encompass direct and moral damage. Collective claims may be filed for data protection violations.

The Internet Act establishes a fine of up to 10% of the breaching entity’s economic turnover in Brazil in the previous fiscal year, or the suspension or prohibition of doing business in Brazil. 

France ADSTO

Administrative penalties for non-compliance with data protection regulations are adjudicated by the Commission National Informatique et Liberté (CNIL) (the French data protection authority). It can take the form of fines of up to €3 million, injunctions, prohibition from carrying out further data processing or by way of public warnings.

Further, the Criminal Code also lists a number of offences for non-compliance with or violation of data protection legislation. Some types of infringement may lead to a five-year prison term and a €300,000 fine for individuals (the fine is five times higher for legal entities). These penalties are issued by the criminal courts and not by an administrative body such as the CNIL.

Germany Mayer Brown LLP

The Federal Data Protection Act provides for fines in case of administrative offences, or even imprisonment in case of criminal offences. Fines may amount to up to €300,000 per case. Fines must exceed the financial benefit derived by the perpetrator. If the aforementioned amount is insufficient to do so, it may be increased. In case of a criminal offence, imprisonment for up to two years is possible.

India Kochhar & Co

Under Section 43A, if a breach results in a wrongful gain or loss, the adjudicating officer or the courts (as the case may be) can order compensation to be paid. There is no maximum compensation prescribed.

The following penalties apply:

  • Under Section 66 (use of cookies without consent), the penalty is imprisonment of up to three years, a fine of up to Rs500,000 or both.
  • Under Section 72, the penalty is imprisonment of up to two years, a fine of up to Rs100,000 or both.
  • Under Section 72A, the penalty is imprisonment of up to three years, a fine of up to Rs500,000 or both. 

Israel S Horowitz & Co

The maximum penalties are specified in Section 16 of the Protection of Privacy Law, which provide as follows:

“No person shall disclose any information obtained by him by virtue of his functions as an employee, manager or possessor of a database save for the purpose of carrying out his work or implementing the Law or under a court order in connection with a legal proceeding; where the request is made before a proceeding has been instituted, it shall be heard in the Magistrate’s Court. A person who infringes the provisions of this section shall be liable to imprisonment for a term of five years.”

Section 5 of law also imposes a maximum of five years’ imprisonment in the case of wilful infringement of the privacy of another, among other things, by using or transferring information about a person’s private affairs other than for the purpose for which the information was given.

Section 31A of the law also imposes a maximum of one year’s imprisonment for violations of specific sections of the law.

The potential penalties also include fines of up to IS226,000 (depending on the specific sanction).

Italy ICT Legal Consulting

Non-compliance with the data protection rules could lead to administrative penalties in the form of fines, injunctions and criminal charges. It is worth underling that, pursuant to Section 143 of the Data Protection Code, the Data Protection Authority will block or prohibit processing, in whole or in part, if:

  • it is found to be unlawful or unfair and this is partly due to the data controller’s failure to take the necessary measures to align the processing to applicable law; or
  • there is an actual risk that it may be considerably prejudicial to one or more of the data subjects with regard to:
    • the nature of the data;
    • the arrangements that apply to the processing; or
    • the effects that may be produced by the processing.

In case of failure to comply with the security provisions or where activities are conducted with the intent to cause harm – for example, in the event of unlawful data processing or false declarations or notifications submitted to the Data Protection Authority – criminal penalties may be imposed by the court.

With the applicability of the General Data Protection Regulation, sanctions for data controllers are increased up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Malta GVZH Advocates

Penalties for non-compliance depend on the level of breach. The courts may impose the following penalties:

  • Level 1: a fine between €120 and €600 and/or a maximum of one month’s imprisonment;
  • Level 2: a fine between €250 and €2,500 and/or one to three months’ imprisonment; or
  • Level 3: a fine between €2,500 and €23,300 and/or three to six months’ imprisonment.

The Office of the Information and Data Protection Commissioner may impose the following fines without recourse to a court hearing:

  • Level 1: a fine between €120 and €600 or a daily fine between €20 and €60;
  • Level 2: a fine between €250 and €2,500 or a daily fine between €25 and €250; or
  • Level 3: a fine between €2,500 and €23,300 or a daily fine between €250 and €2,500. 

Portugal Morais Leitão, Galvão Teles, Soares da Silva & Associado

Both administrative penalties and orders and criminal penalties may arise from data protection law violations or breaches.

Law 67/98, a dedicated data law which governs personal data processing, sets out two levels of fine (each of which is then divided into two further levels), depending on the seriousness of the misdemeanour.

In the case of less serious administrative offence acts or omissions, applicable fines range from €498.79 to €4,987.97. This limit is doubled in the case of specific offences (eg, processing data without having obtained the data subject’s unambiguous consent, with the exception of cases where other legal grounds allow processing and such consent is thus not required).

For more serious offences, the value of fines is set at three times the above indicated amounts. Such offences include failing to comply with the obligation to notify the competent data protection authority. These amounts are doubled if the same offence involves sensitive data.

Sector-specific legislation in the electronic communications sector foresees much higher administrative fines for data protection law breaches, with a maximum fine of €5 million.

Law 67/98 also establishes criminal penalties in certain cases, such as:

  • intentionally failing to notify or submit an authorisation application to the competent authority, where applicable;
  • intentionally providing false information to the competent data protection authority;
  • intentionally misappropriating personal data;
  • providing the offender undue and unauthorised access to prohibited personal data, by any means;
  • erasing, destroying, damaging, deleting or modifying personal data, without authorisation, making it unusable or affecting its capacity for use; and
  • breaching the legal duty of confidentiality regarding personal data.

Criminal offences are punishable by up to two years’ imprisonment or a 240-day fine, both of which can be doubled.

Russia Buzko & Partners

The range of punishable actions subject to penalties was recently expanded. Fines are the principal type of penalty. As of July 1 2017, the maximum fine is Rb70,000 (approximately €1,000).

Singapore Taylor Vinters Via LLC

Section 56 of the Personal Data Protection Act provides that any person guilty of an offence under the Personal Data Protection Act (for which no penalty is expressly provided) will be subject to a general penalty of a fine not exceeding S$10,000, imprisonment for a term not exceeding three years or both. If the offence has been committed more than once, a further fine not exceeding S$1,000 per day will be imposed.

According to Section 51, with respect to access or correction requests under Sections 21 or 22 of the Personal Data Protection Act, it is an offence for organisations or persons to:

  • evade a request by disposing, altering, falsifying, concealing or destroying a record containing personal data – maximum fine of S$5,000 (for an individual) or S$50,000 (for an organisation);
  • obstruct or impede the commission in the exercise of its power or performance of its duties – maximum fine of S$10,000 or imprisonment for a term not exceeding 12 months or both (for an individual) or S$100,000 (for an organisation); or
  • knowingly or recklessly mislead the commission – maximum fine of S$10,000 or imprisonment for a term not exceeding 12 months or both (for an individual) or S$100,000 (for an organisation). 


Affärsadvokaterna i Sverige AB

The Data Inspection Board can sanction its decisions through an administrative fine. The administrative fine must be determined in accordance with:

  • what is known about the economic circumstances of the addressee; and
  • in the circumstances of the case, what may be expected to enable the addressee to comply with the injunction.

Therefore, in theory, the amount may be high but, in reality, the damages or penalties that can be sought in the courts are generally quite low. No financial penalties have been issued by the Data Inspection Board as a result of a breach of data protection legislation.

If the board finds that a decision thus sanctioned has been breached, it cannot on its own authority enforce the administrative fine. Instead, it must seek a court order that the fine be paid.

Only the Prosecution Authority can prosecute criminal offences under the Data Protection Act. Prosecution may be brought on the authority’s own initiative or following a complaint from the board, a perceived victim or the general public.

When the EU General Data Protection Regulation enters into force, the board will be able to enforce administrative fines.

Switzerland Walder Wyss

If a recommendation made by the data protection and information commissioner in the course of an investigation is not complied with or is rejected by the affected data handler, the commissioner may refer the matter to the Swiss Federal Administrative Court. Both the commissioner and the affected data handler have the right to appeal against such a decision before the Swiss Federal Supreme Court. However, these administrative procedures do not directly result in a penalty. Likewise, the commissioner has no power to issue fines.

However, to the extent that a violation of the Data Protection Act amounts to a criminal offense, the competent criminal judge may fine private persons up to Sfr10,000.

According to the preliminary draft, it is expected that the revised act will contain more incisive penalties in case of non-compliance with data protection law.

USA Hunton & Williams LLP

Because the United States does not have a dedicated data protection law, penalties for non-compliance are pursuant to the various federal and state data protection laws. Violations of federal and state privacy and data protection laws in the United States generally lead to civil, not criminal, penalties, except for violations of surveillance laws. Civil penalties may include monetary penalties, affirmative obligations (eg, mandatory compliance audits and the required implementation of a comprehensive information security programme) and injunctions prohibiting future violations of the relevant laws. 

Use the Lexology Navigator tool to compare other answers.

For more information on how to contribute in your jurisdiction, please contact Sophie Kernohan (skernohan@globebmg.com