So, what are the potential consequences for failing to comply with data protection principles and global privacy regulations?
Most privacy regulations grant regulatory authorities a wide range of powers that may include the ability of the regulatory authority to:
- Impose excessive amounts of fines against organizations,
- Issue warnings and reprimands to the responsible organization,
- Temporarily or permanently stop the data processing,
- Require the notification of personal data breaches,
- Order the rectification, restriction, or erasure of data, or
- Suspend cross-border data transfers.
As far as the imposition of fines is concerned, there have been several cases where organizations had to pay vast amounts of money for failing to comply with applicable data privacy regulations. For example:
- In 2019, the US Federal Trade Commission imposed a hefty fine of $575 million against Equifax Inc. for failing to take reasonable security measures, thereby leading to personal data breaches. (Source: Equifax to Pay $575 Million as Part of Settlement with FTC, CFPB, and States Related to 2017 Data Breach)
- In January 2020, the Italian regulatory authority imposed a fine of €27.9 million on telecommunications operator TIM for failing to obtain data subjects’ valid consent, aggressive marketing strategies, and personal data breaches. (Source: GDPD.it)
- In April 2020, the Dutch regulatory authority imposed a fine of €725,000 to an unknown company for using employees’ fingerprint scans unlawfully. (Source: autoriteitpersoonsgegevens.nl)
- In December 2020, the Spanish regulatory authority imposed a fine of €75,000 against EDP Comercializadora SA for failing to obtain data subjects’ consent before processing personal data. (Source: PS/00025/2019)
- In December 2020, the French regulatory authority imposed a fine of €2,250,000 against Carrefour France for failing to obtain data subjects’ consent before the installation of cookies. (Source: CNIL fines Carrefour France 2,25 million € and Carrefour Banque 800,000 € | CNIL)
- In December 2020, the French regulatory authority fined Google €100 million and Amazon €35 million for failing to obtain data subjects’ consent before using cookies (Source: Cookies: financial penalty of 35 million euros imposed on the company AMAZON EUROPE CORE | CNIL)
- In March 2021, the UK Information Commissioner’s Office imposed a fine of €250,000 for sending 2,670,140 marketing text messages to individuals without their consent (Source: Leads Work Limited)
- In March 2021, the Spanish regulatory authority imposed a fine of €30,000 against Twitter for an unlawful cookie consent banner. (Source: PS-00299-2019)
- In March 2021, the Spanish regulatory authority imposed a fine of €8.15 million against Vodafone for sending marketing communications to individuals without their consent and other violations of data protection provisions. (Source: PS/00059/2020)
- In March 2021, the Canadian Radio Television and Telecommunications Commissioner imposed a penalty of $75,000 for sending 670,000 marketing emails to individuals without their consent. (Source: CRTC issues largest ever penalty to an individual for sending messages without consent – Canada.ca)
| GDPR | CCPA | LGPD |
| The maximum fine that can be granted under the GDPR depends on the type of violation. It can be €20 million or 4 percent ofthe organization’s global annual turnover (whichever is higher), or €10 million or 2 percent of global annual turnover (whichever is higher). | The maximum fine under the CCPA can be $7,500 for every intentional violation and $2,500 for unintentional violations. Data subjects may also bring private lawsuits from between $100 to $750 for the breach of their personal information due to the organization’s inadequate security measures. | The maximum fine under the LGPD can be BRL 50,000,000 per infraction, depending on the severity of the violation. |
As indicated in the table and examples above, the failure to comply with global privacy regulations may expose organizations to excessive amounts of fines, reputational damages, and potential criminal liabilities. In some jurisdictions, it could also lead to permanent bans on processing data from that jurisdiction.
Depending on the context, there may also be other penalties the responsible organization will have to face for failing to meet data protection principles and obligations outlined in privacy regulations, such as:
- Compensation to the data subject granted by the court of law or the responsible organization’s regulatory authority is payable. An affected data subject may also bring a claim against the accountable organization.
- Criminal prosecution, including punishment, imprisonment, conviction, etc., granted by a court of law or the regulatory body against the responsible organization’s officers.
