Priya PatelTLDR:
- Data privacy enforcement practices have evolved over the past year, with regulators in the US, UK, and EU pursuing non-monetary remedies in addition to fines.
- Regulators are focusing on outcomes-based approaches to enforcement, where the most appropriate steps are taken to ensure compliance with privacy laws.
- Regulators in the US have pursued personal consequences for executives, including criminal liability, while EU regulators have criticized cookie banner designs and scrutinized data transfers to the US.
- Organizations must prioritize compliance with privacy laws and be aware of the potential for onerous non-monetary penalties and personal liability for executives.
Over the past year, regulators in the US, UK, and EU have been implementing changes in data privacy enforcement practices. While large fines used to dominate the headlines, regulators have increasingly pursued non-monetary remedies alongside or instead of financial penalties. In the UK, the Information Commissioner’s Office (ICO) has shifted from heavy fines for non-compliance to an outcomes-based approach, where the most appropriate enforcement steps are taken to ensure the best outcome. This may include public reprimands instead of large fines if a company takes timely remedial steps to address privacy shortcomings. However, repeat and serious breaches may still warrant monetary penalties.
In the US, regulators have gone beyond fines to impose additional penalties and requirements. For example, in a settlement with the Federal Trade Commission (FTC), a company not only had to pay a $1.5 million penalty but also had to delete personal data and related algorithms obtained improperly. Personal consequences, such as criminal liability, have also been pursued for executives. In the UK, the ICO is focusing on evaluating harmful cookie banner designs and increasing fines for breaches of the Privacy and Electronic Communications Regulations (PECR).
EU regulators have criticized certain cookie banner designs and scrutinized data transfers to the US. The EU-US Data Privacy Framework (EU-US DPF) was adopted to facilitate personal data transfers, but its survival is uncertain and additional safeguards and recourse mechanisms introduced by the US are yet to be reflected in future regulatory decisions.
The trends in data privacy enforcement highlight the importance for organizations to prioritize compliance with privacy laws. Regulators have the power to impose onerous non-monetary penalties and personal liability for executives, increasing the stakes for organizational compliance. Businesses should be aware of the evolving enforcement landscape and take proactive measures to ensure they meet privacy requirements.
