Criminal Investigations Division – Laws, Evidence & DPS Policy
1. Introduction to Data Privacy
Data privacy regulations are laws and guidelines that govern the collection, storage, processing, and sharing of personal data. Their primary goal is to protect individuals' rights concerning their personal information and ensure organizations handle data responsibly and transparently. Key regulations include GDPR (General Data Protection Regulation) in Europe and CCPA (California Consumer Privacy Act) in the U.S.
2. Scope and Principles
These regulations typically cover:
Lawfulness, Fairness, and Transparency: Data must be processed lawfully, fairly, and transparently.
Purpose Limitation: Data must be collected for specified, explicit, and legitimate purposes.
Data Minimization: Only necessary data should be collected.
Accuracy: Data must be accurate and kept up to date.
Storage Limitation: Data should be stored no longer than necessary.
Integrity and Confidentiality: Data must be protected from unauthorized or unlawful processing.
Accountability: Organizations must demonstrate compliance.
3. Penalties for Non-Compliance
Non-compliance with data privacy regulations can lead to significant penalties, varying based on the severity of the breach, the number of affected individuals, the type of data involved, and the efforts made to mitigate the breach.
3.1. Types of Penalties
Monetary Fines: This is the most common form of penalty.
Under GDPR, fines can be substantial:
Lower-level infringements (e.g., failure to keep records) can result in fines up to €10 million or 2% of the company's annual global turnover, whichever is higher.
Higher-level infringements (e.g., violations of core principles like consent) can result in fines up to €20 million or 4% of the company's annual global turnover, whichever is higher.
Under CCPA, fines can reach $2,500 per violation, or $7,500 per intentional violation.
Reputational Damage: Significant negative publicity, loss of customer trust, and damage to brand image, which can have long-term financial implications exceeding direct fines.
Legal Action by Individuals: Affected individuals may sue for damages.
Operational Restrictions: Regulatory bodies may issue orders to halt specific data processing activities or implement stricter security measures.
Requirement to Notify: Organizations may be compelled to notify affected individuals and supervisory authorities of data breaches, further exacerbating reputational damage.
3.2. Factors Influencing Severity
Regulators often consider:
Nature, gravity, and duration of the infringement.
Number of data subjects affected.
Categories of personal data affected.
Intent: Was the infringement intentional or negligent?
Mitigation efforts: Steps taken by the organization to mitigate damage.
Prior infringements.
Cooperation with the supervisory authority.
3.3. Purpose of Penalties
Penalties serve multiple purposes:
Deterrence: To discourage organizations from violating regulations.
Punishment: To hold organizations accountable for their non-compliance.
Remediation: To compel organizations to rectify unlawful data processing practices.
Consumer Protection: To protect individuals' rights and provide recourse for harm suffered due to data breaches.
The current notes focus on penalties for non-compliance with data privacy regulations like GDPR and CCPA, which include monetary fines (e.g., up to €20 million or 4% of global turnover under GDPR, and up to $7,500 per intentional violation under CCPA), reputational damage, and legal action. They do not cover general "penal code penalties," which typically refer to criminal law offences.