The first quarter of 2019 has already seen a flurry of enforcement activity resulting in more than $100,000,00 in fines across the world. Check out the table below to learn more:
[Table: Fine Amount (USD); the table itself is not reproduced here.]
Global Enforcement In Review
Globally, across every sector and region, the average fine amount in 2018 was nearly $9.3 million. Many of the largest fines came in response to breaches that occurred in 2015-2016 (see below). Of the non-monetary penalties, most required the infracting party either to cease the infracting behavior or to provide further information to data subjects (e.g. publish a notice). Interestingly, the United States, the United Kingdom, and Italy remain at the top of the list in terms of fine amounts.
The United States, the United Kingdom, and Singapore led the pack in 2018 in terms of issuing the greatest number of enforcement decisions. With the GDPR going into effect in May 2018, we began to see enforcement actions increase around Europe, notably in France. Among the countries in Asia, Singapore was the most active in enforcement both in 2018 and in 2017.
2019 has already produced two major enforcement actions, one in France and the other in the United States; we are interested in what the regional breakdown will look like this year.
77% of the enforcement decisions in 2018 involved a fine. The graph below illustrates the different levels (bands) of these penalties across various sectors. The Consumer Discretionary sector (retail, hospitality, marketing) saw the most enforcement actions last year, and Non-Profits the least. The Healthcare sector's floor for fine amounts was the highest ($100K – $1M) among all sectors with fines in two bands, indicative of the heightened risk and scrutiny in the healthcare industry. The Information Technology sector (software, internet, social media, etc.) had the most Band 1 fines of any sector and tied with the Consumer Discretionary sector for the most Band 5 fines. Interestingly, while the Education and Finance sectors saw an equal number of enforcement decisions, the Finance sector on average faced a higher fine amount.
Comparing enforcement action history from 2017 to 2018, we can see several interesting trends and observations.
- Globally, enforcement decisions per year seem to be behaving in a cyclical or wavelike pattern.
- In 2017, Q2 and Q3 were very active quarters. This may be explained in part by the UK Information Commissioner's Office (ICO) action against 11 UK charities in April 2017. Q2 and Q3 were active quarters in 2018 as well.
- November was the most active month in 2018 with a total of 15 enforcement actions globally.
The OneTrust privacy team tracks, categorizes, and indexes enforcement decisions around the globe. An “enforcement decision” includes both regulatory actions by a data protection authority (e.g. CNIL, Garante, FTC, etc.) and judicial decisions (e.g. U.S. District Court, CJEU, etc.). Some decisions include a monetary penalty and others require some sort of conforming behavior (e.g. provide notice, cease misrepresentation, etc.) while others have no penalty at all. We will continue to update this page with the most recent and relevant enforcement information from across regions, industries, and time periods.
Last Updated: May 18, 2019
DataGuidance by OneTrust provides a suite of privacy solutions designed to help you monitor regulatory developments, mitigate risk and achieve global compliance.
OneTrust is the largest and most widely used technology platform to operationalize privacy, security and third-party risk management. More than 2,500 customers, large and small, across 100 countries, use OneTrust to implement their privacy, security and third-party risk programs, automatically generating the specific record keeping needed to demonstrate compliance with privacy regulations including the EU GDPR, the California Consumer Privacy Act (CCPA), Brazil's LGPD, and hundreds of the world's privacy laws.