The European Union is threatening to suspend the U.S.-EU Safe Harbor agreement that U.S. companies depend on to do business with Europe, claiming that America doesn't enforce its side of the bargain. Any way you cut the data, however, the U.S. dwarfs Europe and every other jurisdiction in doling out fines for data privacy violations. If privacy is measured by its weight in gold, America is the safest place on earth for personal data.
Mining the Safe Harbor
Fifteen years ago last month, the EU's newly formed Article 29 Working Party declared in its 15th opinion that U.S. laws provided inadequate protection for European citizens' personal data. The opinion expressed the widely held view across Europe that because America didn't have a single privacy law like Europe, but only a patchwork of sectoral laws, European data wasn't safe in America.
The white paper also voiced concerns about the emerging "safe harbor" agreement between Europe and the U.S. European privacy regulators thought the general privacy principles and voluntary nature of the program would result in an agreement without teeth.
In 2003, two years after the launch of the Safe Harbor, I declared in this column that the innovative agreement was already a success. About 300 companies, including prominent Fortune 500 multinationals, had joined, facilitating international commerce. Today, that number has climbed to over 4,000.
In spite of this high rate of participation, European privacy regulators stand poised to hit the nuclear button on the agreement in their ongoing reaction to revelations about U.S. government surveillance.
Without the Safe Harbor, companies would have to turn to EU "model contracts" as the next-best method to use European personal data. These contracts would bring the companies out from under the jurisdiction of the U.S. Federal Trade Commission and into the embrace of the EU privacy regulators.
But would that result in greater enforcement of European privacy laws?
Adding up the fines
To answer that question, I assigned several researchers to mine our databases, publications and regulator websites for any instance of a fine imposed by a government agency for a violation of data privacy. We set the threshold of materiality at a minimum of $100,000. In practice, I've noticed that this is the amount where larger corporations even start to take notice. Anything less is a rounding error.
What did we discover?
* Increasing over time. We found 358 enforcement actions since January 1999, the first year big privacy fines came online. Only 130 of these carried fines that met or exceeded our $100,000 threshold. Of these, 60% were levied in the last three years. All fines totaled $225 million, with 52% of that sum imposed since 2011.
* Security breaches the top cause. Over the last 15 years, security breaches were the most likely to draw a large fine. They accounted for some 35% of the sizable penalties in our database. Other privacy violations, such as disclosing personal data, either by accident or deliberately, and failing to provide opportunities for choice and consent, were the next most likely to trigger large fines. Each accounted for roughly 20% of the large penalties in our survey.
* Top industries. Looking at fines by sector, healthcare providers, health insurance companies and drug stores account for the biggest share, 22%, of the large fines levied since 1999. Government entities at the national and local levels were faulted in 20% of cases, and telemarketers, providers of credit reports, loan collectors, market researchers and business-intelligence providers accounted for another 18%.
* Top geographies. Continental European data-protection authorities have chided their U.K. counterpart in the past for being too lax, but the evidence shows the Brits are the heaviest-handed in all of Europe. U.S. and U.K. regulators have, by a wide margin, imposed most of the large fines for privacy violations. U.S. regulators levied some 55% of the penalties exceeding $100,000 worldwide, with U.K. regulators following at 35%. The vast majority of fines levied by other EU and Asian privacy regulators, by comparison, fell below our $100,000 threshold.
I need here to confess the limitation of our analysis. Many privacy-enforcement actions outside the U.S. and U.K. don't find their way into the English-language press unless they're large amounts or levied against large multinationals. The Spanish privacy watchdog, for example, has reportedly taken 399 privacy-enforcement actions netting $26.7 million -- or $67,000 on average -- for the Spanish treasury over the past decade. Only one -- its December 2013 fine against Google for its Street View product, hitting its maximum level allowed by law of $1.23 million -- made the recent headlines in the English-language press.
U.S. leads gold-medal count for privacy fines, lawsuits
We also set out to rank-order the top privacy fines in history. When we did this, the U.S. dominated the leader board. (See Table 1)
Table 1: Top 20 government-imposed data privacy fines worldwide, 1999-2014
Rank | Fined entity | Amount of fines and penalties | Year | Country | Privacy principles violated |
---|---|---|---|---|---|
1 | Apple | $32.5M | 2014 | U.S. | Choice and Consent |
2 | | $22.5M | 2012 | U.S. | Collection |
3 | | $17M | 2013 | U.S. | Collection and Notice |
4 | ChoicePoint | $15M | 2006 | U.S. | Security |
5 | Hewlett-Packard | $14.5M | 2006 | U.S. | Collection |
6 | LifeLock | $12M | 2010 | U.S. | Accuracy, Security |
7 | TJ Maxx | $9.8M | 2009 | U.S. | Security |
8 | Dish Network | $6M | 2009 | U.S. | Choice and Consent |
9 | DirecTV | $5.3M | 2005 | U.S. | Choice and Consent |
10 | HSBC | $5M | 2009 | U.K. | Security |
11 | US Bancorp | $5M | 1999-2000 | U.S. | Disclosure |
12 | Craftmatic | $4.4M | 2007 | U.S. | Choice and Consent |
13 | Cignet Health | $4.3M | 2011 | U.S. | Access |
14 | Barclays Bank | $3.8M | 2013 | U.S. | Use and Retention |
15 | Certegy Check Services | $3.5M | 2013 | U.S. | Accuracy |
16 | Playdom | $3M | 2011 | U.S. | Collection and Notice |
17 | The Broadcast Team | $2.8M | 2007 | U.S. | Collection |
18 | Equifax, TransUnion and Experian | $2.5M | 2000 | U.S. | Access |
19 | CVS Caremark | $2.3M | 2009 | U.S. | Security and Disposal |
20 | Norwich Union Life | $1.8M | 2007 | U.K. | Disclosure |
Government agencies aren't the only players that can make a company pay for its privacy wrongdoings. In some jurisdictions, individuals can join together in a class-action lawsuit and sue a company. In this manner, individuals make the long arm of the law stretch even further. This is nowhere truer than in the U.S., home to the top 10 privacy lawsuits in history. Like their government-enforcement cousins, these cases have also picked up steam in recent years, with 2013 alone registering four of the top 10 cases. (See Table 2)
Table 2: Top 10 data-privacy lawsuit settlements worldwide, 1999-2014
Rank | Entity sued | Year | Amount of award | Jurisdiction | Privacy principles violated |
---|---|---|---|---|---|
1 | LensCrafters | 2008 | $20M | U.S. (California) | Disclosure |
2 | | 2013 | $20M | U.S. (California) | Choice and Consent |
3 | | 2013 | $9.5M | U.S. (California) | Collection, Disclosure |
4 | Netflix | 2010 | $9M | U.S. (California) | Retention |
5 | AOL | 2013 | $6M | U.S. (Virginia) | Disclosure |
6 | Time Warner | 2009 | $6M | U.S. (New York) | Choice and Consent |
7 | NebuAd | 2011 | $2.4M | U.S. (federal court) | Collection and Notice |
8 | TD Ameritrade | 2009 | $1.9M | U.S. (California) | Security |
9 | Minneapolis City Council, City of St. Paul, and other city governments | 2012 | $1.06M | U.S. (Minnesota) | Collection |
10 | Louis Vuitton | 2013 | $1M | U.S. (California) | Collection |
What does this all mean? If you're a consumer, violations of your privacy are more likely to be punished in an effective manner in the U.S. If you're a business, your top compliance risk is not in Europe but in the U.S., especially if you deal with personal-health information. If you're a publicly traded company in the U.S., your privacy compliance risk may be escalating this year to a material-enough level to be included in your U.S. Securities and Exchange Commission reports.
If you're a European privacy regulator, however, you're going to have to muster at least a $2 million fine to make it into the privacy Olympics. And until then, get used to hearing the Star-Spangled Banner play.
Jay Cline is president of Minnesota Privacy Consultants.