Jay Cline: U.S. takes the gold in doling out privacy fines

EU privacy regulators say U.S. privacy laws are too weak to protect EU personal data. But a new analysis of 358 privacy-enforcement actions paints the opposite picture.

The European Union is threatening to suspend the U.S.-EU Safe Harbor agreement that U.S. companies depend on to do business with Europe, claiming that America doesn't enforce its side of the bargain. Any way you cut the data, however, the U.S. dwarfs Europe and every other jurisdiction in doling out fines for data privacy violations. If privacy is measured by its weight in gold, America is the safest place on earth for personal data.

Mining the Safe Harbor

Fifteen years ago last month, the EU's newly formed Article 29 Working Party declared in its 15th opinion that U.S. laws provided inadequate protection for European citizens' personal data. The opinion expressed the widely held view across Europe that because America didn't have a single privacy law like Europe, but only a patchwork of sectoral laws, European data wasn't safe in America.

The white paper also voiced concerns about the emerging "safe harbor" agreement between Europe and the U.S. European privacy regulators thought the general privacy principles and voluntary nature of the program would result in an agreement without teeth.

In 2003, two years after the launch of the Safe Harbor, I declared in this column that the innovative agreement was already a success. About 300 companies, including prominent Fortune 500 multinationals, had joined, facilitating international commerce. Today, that number has climbed to over 4,000.

In spite of this high rate of participation, European privacy regulators stand poised to hit the nuclear button on the agreement in their ongoing reaction to revelations about U.S. government surveillance.

Without the Safe Harbor, companies would have to turn to EU "model contracts" as the next-best method to use European personal data. These contracts would bring the companies out from under the jurisdiction of the U.S. Federal Trade Commission and into the embrace of the EU privacy regulators.

But would that result in greater enforcement of European privacy laws?

Adding up the fines

To answer that question, I assigned several researchers to mine our databases, publications and regulator websites for any instance of a fine imposed by a government agency for a violation of data privacy. We set the threshold of materiality at a minimum of $100,000. In practice, I've noticed that this is the amount where larger corporations even start to take notice. Anything less is a rounding error.

What did we discover?

* Increasing over time. We found 358 enforcement actions since January 1999, the first year big privacy fines came online. Only 130 of these carried fines that met or exceeded our $100,000 threshold. Of these, 60% were levied in the last three years. All fines totaled $225 million, with 52% of that sum imposed since 2011.

* Security breaches the top cause. Over the last 15 years, security breaches were the most likely to draw a large fine. They accounted for some 35% of the sizable penalties in our database. Other privacy violations, such as disclosing personal data, either by accident or deliberately, and failing to provide opportunities for choice and consent were the next mostly like to trigger large fines. Each accounted for roughly 20%, respectively, of the large penalties in our survey.

* Top industries. Looking at fines by sector, healthcare providers, health insurance companies and drug stores account for the biggest share, 22%, of the large fines levied since 1999. Government entities at the national and local levels were faulted in 20% of cases, and telemarketers, providers of credit reports, loan collectors, market researchers and business-intelligence providers accounted for another 18%.

* Top geographies. Continental European data-protection authorities have chided their U.K. counterpart in the past for being too lax, but the evidence shows the Brits are the heaviest-handed in all of Europe. U.S. and U.K. regulators have, by a wide margin, imposed most of the large fines for privacy violations. U.S. regulators levied some 55% of the penalties exceeding $100,000 worldwide, with U.K. regulators following at 35%. The vast majority of fines levied by other EU and Asian privacy regulators, by comparison, fell below our $100,000 threshold.

I need here to confess the limitation of our analysis. Many privacy-enforcement actions outside the U.S. and U.K. don't find their way into the English-language press unless they're large amounts or levied against large multinationals. The Spanish privacy watchdog, for example, has reportedly taken 399 privacy-enforcement actions netting $26.7 million -- or $67,000 on average -- for the Spanish treasury over the past decade. Only one -- its December 2013 fine against Google for its Street View product, hitting its maximum level allowed by law of $1.23 million -- made the recent headlines in the English-language press.

U.S. leads gold-medal count for privacy fines, lawsuits

We also set out to rank-order the top privacy fines in history. When we did this, the U.S. dominated the leader board. (See Table 1)

Table 1: Top 20 government-imposed data privacy fines worldwide, 1999-2014

Rank Fined entity Amount of fines and penalties Year Country Privacy principles violated
1 Apple $32.5M 2014 U.S. Choice and Consent
2 Google $22.5M 2012 U.S. Collection
3 Google $17M 2013 U.S. Collection and Notice
4 ChoicePoint $15M 2006 U.S. Security
5 Hewlett-Packard $14.5M 2006 U.S. Collection
6 LifeLock $12M 2010 U.S. Accuracy, Security
7 TJ Maxx $9.8M 2009 U.S. Security
8 Dish Network $6M 2009 U.S. Choice and Consent
9 DirecTV $5.3M 2005 U.S. Choice and Consent
10 HSBC $5M 2009 U.K. Security
11 US Bancorp $5M 1999-2000 U.S. Disclosure
12 Craftmatic $4.4M 2007 U.S. Choice and Consent
13 Cignet Health $4.3M 2011 U.S. Access
14 Barclays Bank $3.8M 2013 U.S. Use and Retention
15 Certegy Check Services $3.5M 2013 U.S. Accuracy
16 Playdom $3M 2011 U.S. Collection and Notice
17 The Broadcast Team $2.8M 2007 U.S. Collection
18 Equifax, TransUnion and Experian $2.5M 2000 U.S. Access
19 CVS Caremark $2.3M 2009 U.S. Security and Disposal
20 Norwich Union Life $1.8M 2007 U.K. Disclosure
Source: Jay Cline

Government agencies aren't the only players that can make a company pay for its privacy wrongdoings. In some jurisdictions, individuals can join together in a class-action lawsuit and sue a company. In this manner, individuals make the long arm of the law stretch even further. This is nowhere truer than in the U.S., home to the top 10 privacy lawsuits in history. Like their government-enforcement cousins, these cases have also picked up steam in recent years, with 2013 alone registering four of the top 10 cases. (See Table 2)

Table 2: Top 10 data-privacy lawsuit settlements worldwide, 1999-2014

Rank Entity sued Year Amount of award Jurisdiction Privacy principles violated
1 LensCrafters 2008 $20M U.S. (California) Disclosure
2 Facebook 2013 $20M U.S. (California) Choice and Consent
3 Facebook 2013 $9.5M U.S. (California) Collection, Disclosure
4 Netflix 2010 $9M U.S. (California) Retention
5 AOL 2013 $6M U.S. (Virginia) Disclosure
6 Time Warner 2009 $6M U.S. (New York) Choice and Consent
7 NebuAd 2011 $2.4M U.S. (federal court) Collection and Notice
8 TD Ameritrade 2009 $1.9M U.S. (California) Security
9 Minneapolis City Council, City of St. Paul, and other city governments 2012 $1.06M U.S. (Minnesota) Collection
10 Louis Vuitton 2013 $1M U.S. (California) Collection
Source: Jay Cline

Graph 1: Total privacy fines, penalties and settlements worldwide, 1999-2014

Just six weeks into 2014, the world total in privacy damages has already reached half the level of last year's record $74 million.
Fines graph
Source: Jay Cline

What does this all mean? If you're a consumer, violations of your privacy are more likely to be punished in an effective manner in the U.S. If you're a business, your top compliance risk is not in Europe but in the U.S., especially if you deal with personal-health information. If you're a publicly traded company in the U.S., your privacy compliance risk may be escalating this year to a material-enough level to be included in your U.S. Securities and Exchange Commission reports.

If you're a European privacy regulator, however, you're going to have to muster at least a $2 million fine to make it into the privacy Olympics. And until then, get used to hearing the Star Spangled Banner play.

Jay Cline is president of Minnesota Privacy Consultants. You can reach him at cwprivacy@computerworld.com. See more by Jay Cline

Join the discussion
Be the first to comment on this article. Our Commenting Policies