This post is also available in: Español

In the current environment, one of the most serious risks for a company has been to be found in breach of data protection regulations and to suffer serious reputational harm as a result. The potential loss of customer confidence and the weakening of the brand's standing in the market have been more damaging than the penalties the authorities could impose.

While this remains true, in recent months the cost of these fines has risen significantly, and they are becoming a growing concern for companies in their own right.

In Europe, this is explained first by the full entry into force of the General Data Protection Regulation, which, as repeatedly announced, allows the authorities to impose fines of up to 4% of the total worldwide annual turnover of the company's corporate group. Although no significant penalties were imposed in the first few months after the Regulation became fully applicable, the picture is changing at a staggering speed.

The first example of this new trend is the €50 million fine imposed by the French data protection authority in January 2019 because the duties of transparency and information had not been adequately complied with when users set up online service accounts (in particular, regarding the visibility of the settings for the data generated through use of those accounts). In addition, the authority penalized the absence of a sufficient legal basis for certain processing linked to advertising personalization, setting a significant precedent for the size of fines.

This considerable fine was followed in early July by the British data protection authority announcing its intention to impose two fines, one of more than €100 million and another of more than €200 million. As we discussed in a previous post, these penalties arise from investigations of security breaches. The British authority concluded that the failure of the companies involved to implement adequate security measures exposed their customers to risk and caused them actual harm, since their data was disclosed without their consent.

The American authorities have not lagged behind in increasing the fines for infringements of data protection regulations. In fact, the Federal Trade Commission has just announced that, together with other federal and state authorities, it has reached a settlement with Equifax under which the company will pay at least USD 575 million for violating data protection regulations.

Equifax suffered a cyber attack in 2017 that compromised the personal data of 147 million people. This penalty is therefore not intended solely as an administrative fine: according to the FTC's own announcement of the settlement, it will also fund a compensation scheme for the parties whose data were unlawfully disclosed.

Even higher fines are likely to follow, so the financial cost of penalties for non-compliance is becoming a further reason for companies to step up their efforts to comply with personal data protection regulations on both sides of the Atlantic.
