Sanctions for data breaches

Resource type: Article

Status: Law stated as at 01-Jun-2012

Jurisdictions: Australia, Austria, Belgium, Brazil, Canada, China, Czech Republic, Finland, France, Germany, Hungary, Ireland, Italy, Japan, Luxembourg, Mexico, Norway, Poland, Qatar, Romania, Russian Federation, Saudi Arabia, South Africa, Spain, Sweden, Thailand, Turkey, USA, United Arab Emirates, United Kingdom

This table is part of the PLC multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.

Jurisdiction

Sanctions available for data breaches

Australia

The Office of the Australian Information Commissioner can issue determinations including declarations that:

  • The respondent has engaged in conduct constituting interference with the privacy of an individual and must not repeat or continue such conduct.

  • The respondent must perform any reasonable act or course of conduct to redress any loss or damage suffered by the complainant.

  • The complainant is entitled to a specified amount by way of compensation for any loss or damage.

Austria

  • Imprisonment of up to one year for a wilful infringement of data protection legislation with the intention of unjustified enrichment or to harm another person.

  • Administrative penalties of up to EUR25,000 for certain breaches of data protection legislation.

  • In some cases of data protection infringement, the Penal Code (Strafgesetzbuch) may apply, providing for financial fines or imprisonment.

Belgium

  • The processing of personal data in breach of the DPL may constitute a criminal offence, penalised with fines up to EUR550,000.

  • Any repeat offences are punishable by a term of imprisonment from three months to two years, and/or a fine of EUR550 to EUR550,000.

Brazil

  • Collective damages order resulting from a class action. No limit on the amount of damages.

  • Administrative fine of up to about US$1.7 million, if consumer rights are involved.

Canada

  • The sanctions for violations of privacy legislation differ based on the jurisdiction within Canada and the specific offence.

  • The highest legislative sanction available for failure to maintain adequate security safeguards for an organisation is Can$100,000.

  • Compliance orders, orders to publish corrective notices and orders for damages are also possible.

China

No specific sanctions and remedies are imposed for data protection breaches under Chinese law or by the national regulator.

Czech Republic

Non-compliance with the PPD Act:

  • Natural persons:

    • less serious offences: up to CZK100,000;

    • more serious offences: up to CZK1 million;

    • more serious offence under certain circumstances: up to CZK5 million.

  • Legal entities:

    • general offences: up to CZK5 million;

    • offences under certain circumstances: up to CZK10 million.

Non-compliance with other regulations:

  • Up to CZK1 million.

  • In cases involving disclosure to the public: up to CZK5 million.

Finland

  • Personal data offence: fine or imprisonment up to one year.

  • Personal data violation: fine.

  • Computer break-in: fine or imprisonment up to one year.

  • Aggravated computer break-in: fine or imprisonment up to two years.

  • Secrecy offence: fine or imprisonment up to one year.

  • Secrecy violation: fine.

  • Breach and negligent breach of official secrecy: fine or imprisonment up to two years.

France

Under the general administrative sanctions regime, the CNIL can:

  • Impose a fine up to EUR150,000 (for a first violation) or up to EUR300,000 or 5% of the data controller's turnover (limited to EUR300,000) (for a second violation).

  • Order the data controller to immediately cease the data processing.

Criminal penalties apply for certain offences, for example:

  • Up to five years' imprisonment, and/or a fine up to EUR300,000 (for natural persons).

  • A fine up to EUR1.5 million and/or other sanctions (for legal persons).

Germany

  • A maximum EUR300,000 fine for administrative offences.

  • Criminal sanctions (maximum of to two years imprisonment or a fine).

  • Reputation damages.

  • Confiscation of profit and benefit derived from a violation.

  • Civil liability and injunctive relief (under competition law).

Hungary

  • The Authority can impose a fine of between HUF100,000 to HUF1 million on the data controller.

  • Abuse of personal data can be punished by between one to three years' imprisonment depending on the circumstances.

Ireland

Under Section 31 of the DPA:

  • Maximum fine on summary conviction is EUR3,000.

  • Maximum fine on indictment is EUR100,000.

Under S.I. No. 336 of 2011:

  • On summary conviction each call or message can attract a maximum fine of EUR5,000.

  • If convicted on indictment the fines can be:

    • a maximum of EUR50,000 for natural persons;

    • a maximum of EUR250,000 for body corporates.

It is necessary for the ODPC to apply to a court to impose these fines.

India

The remedies available for breach of data protection laws vary depending on the nature of the contravention.

The penalty for non-compliance with the provisions of the IT RSPPSPI Rules is INR25,000 (section 45, IT Act).

Penalties under the IT Act can extend up to INR50 million and include imprisonment. Specific penalties include the following, among others:

  • Tampering with computer source documents (section 65, IT Act): imprisonment up to three years and/or a fine of up to INR200,000.

  • Offences as provided in section 43 of the IT Act (section 66, IT Act): imprisonment up to three years and/or a fine of up to INR500,000.

Italy

Depending on circumstances, data breaches can attract sanctions of:

  • Fines of up to EUR1.2 million.

  • Imprisonment of up to three years.

Japan

  • Failure to file a report of a security breach or filing a false report when requested by a governmental ministry can result in a maximum fine of JPY300,000.

  • Failure to take recommended measures to correct data protection security breaches can result in an order to take those measures. Violating an order can lead to fines up to JPY300,000 and imprisonment (with labour) of up to six months.

Luxembourg

  • Criminal fines for breaches to the data protection rules can range from EUR251 to EUR125,000 or imprisonment from eight days up to one year, or both.

  • The data protection authority can also impose various administrative sanctions.

Mexico

The main sanctions for non-compliance are economic fines, though criminal offences are also included in the Personal Data Protection Law.

Norway

The Data Inspectorate can:

  • Issue fines of a maximum of 10 times the National Insurance Basic Amount, currently EUR110,000.

  • Order the cessation of unlawful processing.

  • Impose conditions which must be met to bring the processing in compliance with the PDA.

  • Impose coercive fines which will run for each day from expiry of the time limit set for compliance until the order has been complied with.

More serious breaches (wilful or grossly negligent) can result in sanctions from the prosecuting authorities (fines and imprisonment, in severe circumstances, for a maximum of three years).   

The controller may also be liable to compensate the data subject for both financial and non-financial damages.

Poland

  • Liability under the PDPA. Failure to comply with decisions of the General Inspector may result in a maximum fine of about EUR50,000.

  • Criminal liability. A person who is liable (usually a member of a management board of the company which is the data controller) may be subject to:

    • a fine (from about EUR25 to EUR270,000);

    • a partial restriction of freedom;

    • a prison sentence of up to three years.

Qatar

There is no specific data protection law. Various laws provide for certain privacy rights and protections, the breach of which may give rise to a criminal offence (and subsequently penalties of imprisonment and/or a fine) and/or civil remedies.

Qatar (including Qatar Financial Centre (QFC))

  • The QFCA can make recommendations to data controllers, issue them with warnings or admonishments, and bring breaches to the attention of the QFC Regulatory Tribunal.

  • The QFCA does not impose fines and instead has a policy of assisting firms to prevent non-compliance.

Romania

The level of fines range from about:

  • EUR120 to EUR2,325 for failure to file the notification or filing an incomplete or bad-faith notification.

  • EUR230 to EUR5,800 for illegal data processing operations to include those made by processors.

  • EUR230 to 3,500 for failure to provide the authority with the required clarifications.

  • EUR3,500 to EUR11,700 for failure to comply with the security measures.

Russian Federation

  • A maximum administrative fine of RUB10,000.

  • Orders to cure violations.

  • Criminal liability (with a maximum sentence of two years).

  • Suspension of the violating company's business activity.

Saudi Arabia

  • SAR5 million or five years' imprisonment or both (for breaches of the Electronic Transactions Law).

  • Fines beginning from SAR5 million for breaches of the Telecommunications Act and Anti-Cyber Crime Law 2007.

  • A maximum fine of SAR3 million and four years' imprisonment apply to breaches of personal data privacy laws.

  • Additional sanctions may apply under sharia law.

South Africa

  • Protection of Personal Information Bill: administrative fine of up to ZAR10 million for certain offences under the PPI Bill (which is not yet in force).

  • Consumer Protection Act: administrative fines of up to 10% of a respondent's turnover or ZAR1 million for offences with regard to provisions contained in the CPA relating to direct marketing.

Spain

  • Depending on the severity of the breach, fines from EUR40,001 to EUR600,000.

  • A cessation order, for very serious breaches (such as illegal use or transfer of data, which seriously affects the rights of data subjects). If this order is not complied with, the AEPD may freeze the relevant files.

  • There are no criminal sanctions available.

Sweden

Default fines: Are rarely used in relation to the PDA and there is no established practice.

Damages: Compensation to data subjects for non-pecuniary damages (normally EUR 120 to EUR3500) and the damage caused.

Fines: The fines applied by Swedish courts rarely exceed EUR5,000.

Imprisonment: Maximum six months respectively, in case of gross negligence or intent, maximum two years. Imprisonment sentences are very rare and the few imprisonment sentences rendered by Swedish courts have involved additional offences such as defamation.

Thailand

There are currently no sanctions or remedies for non-compliance with data protection laws.

There are sanctions for Specific Businesses who must ensure appropriate security for data or face either:

  • Between six and 18 months' imprisonment.

  • A fine of between THB5,000 and THB20,000.

  • Both of the above.

Turkey

Under the Criminal Code:

  • Persons who store personal data unlawfully are subject to imprisonment from six months to three years.

  • Persons who transfer or publish personal data unlawfully are subject to imprisonment of one to four years.

Other fines and sanctions will apply under the Draft Law on Data Protection when in force.

United Kingdom

  • Fines up to GB£500,000 for serious breaches of the Data Protection Act or the Privacy and Electronic Communications (EC Directive) Regulations 2003.

  • Enforcement notices requiring organisations to take (or refrain from taking) specified steps.

  • Information notices requiring organisations to provide the ICO with specified information.

  • Undertakings committing an organisation to a particular course of action.

  • Assessment notices to conduct compulsory audits to assess an organisation's compliance.

  • Prosecution for criminal offences under the DPA.

United Arab Emirates

There is no specific data protection law. However, various laws provide for certain privacy rights, the breach of which can give rise to criminal penalties (including imprisonment and/or fines) and/or civil remedies.

United Arab Emirates, Dubai International Financial Centre (DIFC)

  • Providing false or misleading information to the Commissioner: US$20,000.

  • Non-compliance with a direction or order from the Commissioner: US$15,000.

  • Processing sensitive personal data without the required permit: US$10,000.

  • Transferring personal data outside the DIFC without the required permit: US$20,000.

USA

  • FTC Act provides civil penalties of up to US$16,000 for each offence. Criminal penalties include imprisonment for up to ten years or fines of up to US$500,000 (for an individual) and US$1 million (for a company).

  • GLB Act penalties are determined by the authorising statute of the agency that brings the enforcement action.

  • The HIPAA authorises civil penalties of up to US$25,000. Criminal penalties can increase to US$250,000 and/or up to ten years in jail.

 
Actions
Resource information
Show resource details Hide resource details
  • Resource ID: 5-518-8056
  • Law stated date: 01-Jun-2012
  • Products:  Media & Telecoms, Data Protection multi-jurisdictional guide, IP&IT, PLC China, PLC Cross-border, PLC UK Commercial, PLC UK Corporate, PLC UK Employment, PLC UK Financial Services, PLC UK Law Department, PLC UK Public Sector, PLC US Intellectual Property & Technology, PLC US Law Department
    • Series: Feature table
Ask a question
Print
Related content
Related content
Topics
Articles
Country Q&A
{ "siteName" : "PLC", "objType" : "PLC_Doc_C", "objID" : "1247614516798", "objName" : "Sanctions for data breaches", "userID" : "2", "objUrl" : "http://crossborder.practicallaw.com/cs/Satellite/5-518-8056?source=relatedcontent", "pageType" : "", "contentAccessed" : "true", "analyticsPermCookie" : "2-65e08793:13f5a638676:1add", "analyticsSessionCookie" : "2-65e08793:13f5a638676:1ade", "statisticSensorPath" : "http://analytics.practicallaw.com/sensor/statistic" }