GDPR compliance has many benefits of its own: access to European markets, increased consumer trust, and an overall decrease in anxiety and uncertainty. It can also be a requirement for receiving funding from investors. For many organizations, however, GDPR compliance is not so much about enjoying the positive benefits as it is about avoiding the negative consequences of non-compliance, i.e., fines.
For those organizations weighing the risks and benefits of non-compliance, it’s important to understand the potential costs of GDPR fines, how those fines are calculated, and how prevalent enforcement is.
Article 83 of the GDPR gives member states the authority to enforce the privacy law through administrative fines. The fines are “administrative” because they are imposed directly by the supervisory authority (commonly called a data protection authority, or “DPA”) without any requirement to prosecute the case before a court. This makes for quicker, more efficient enforcement, though organizations are still entitled to appeal their cases to a traditional court.
The fines can be broken into two tiers: standard maximum fines and higher maximum fines.
The standard maximum fine for GDPR violations is €10 million or 2% of the organization’s total annual worldwide turnover, whichever is higher. For the most part, this level of fines is imposed for failures to abide by the general responsibilities of controllers and processors, including:
The higher tier of penalties allows for doubled maximum fines—€20 million or 4% of the organization’s total annual worldwide turnover, whichever is higher. These fines can be imposed for violations of:
While the GDPR does not have a specific formula for calculating fines, it does identify a number of criteria that DPAs should take into consideration.
A GDPR violation only has a cost if data protection authorities are actually enforcing it. Though it may come as a surprise, GDPR enforcement is quite robust. Each member nation’s DPA enforces the privacy law within its borders, and they are targeting organizations of all sizes, from small websites to municipal governments to giant tech companies. The fines themselves range from tiny (as little as €50) to massive (Amazon Europe was fined €746 million in 2021). Though they vary based on the country and the organization, most fines fall somewhere between €1,000 and €100,000. You can see an up-to-date list of fines across Europe here.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.