Global Data Privacy Laws: EU Leads US and the Rest of the World in Enforcement by Penalties
(2023) 181 Privacy Laws & Business International Report 24-29
13 Pages Posted: 20 Apr 2023
Date Written: February 4, 2023
Financial penalties are often not the most important method of enforcement of data privacy laws. But they are easier to obtain (though still a non-trivial task), and can be extracted from the records of courts, data protection authorities (DPAs), government agencies, and other authorities responsible for data privacy enforcement, and from non-government organisations (NGOs) and academic institutes which keep track of such matters. Cases that are settled before a penalty or compensation verdict is announced will also often have financial settlement that are public, particularly in the US. Financial penalties also provide an objective means of comparison across jurisdictions, complicated though this is by the differing means of parties being penalised and therefore the dissuasive effect of the penalties. Financial penalties are therefore a practical place to start in comparing enforcement of data privacy laws, but not the final destination.
This article gives a snapshot of the penalties and settlements included in recent data privacy decision across the globe. It considers enforcement instances only for the last two years, from 1 February 2021-31 January 2023 (abbreviated as ‘2021-02’), to better allow comparisons across this study, and with future studies.
The focus of this article is the large multinational companies that dominate the Internet, often described as ‘platforms’. These platforms need to be distinguished from companies, often large, that have a primarily ‘domestic’ customer base or audience.
What is the minimum quantum of penalties likely to have a ‘dissuasive effect’ on the continuation of abusive surveillance activities by such platforms? This is necessarily a subjective assessment, but for this article it is assumed that that penalties of less than €5 million or US$5 million would have too little effect, and only then would be dissuasive if repeated regularly and in different countries.
There are few known examples outside Europe or the United States which meet the criterion of €/US$5M (million) in penalties, therefore they have been grouped together as ‘Rest-of-the-World (ROW) enforcement’. The EU (25 decisions) is considered first, then the US (13 decisions), and finally the ROW (3 decisions). We can conclude that, globally, only the EU, US and some North Asian countries are currently significant in terms of whether the enforcement of their laws by financial penalties might have a serious dissuasive effect against global platforms continuing objectionable privacy invasive practices.
Keywords: privacy, data protection, penalties, enforcement, global
Suggested Citation: Suggested Citation