Data Privacy Fines: Where Does the Money Go?

Contributor(s): Nonhlanhla Mohlaba, Danie Strachan
Related topic(s): US Privacy Laws, EU Privacy Laws, UK Privacy Laws

We’re all familiar with the idea that actions have consequences, and usually the severity of the action (or offense) determines the severity of the consequence. This notion also holds true in the privacy world: non-compliance with data privacy laws has consequences, with administrative fines often being one of them. Have you ever wondered what happens to the money collected from such fines? This blog post explores this question in the EU, UK, and U.S.

How Administrative Fines Are Determined

Generally speaking, an infringement of a data protection law may result in an administrative fine, among other corrective measures. The supervisory authority, or the respective court, often has discretion regarding the magnitude of the fine to be awarded. In some instances, there may be guiding principles for how fines should be calculated, such as the European Data Protection Board’s (EDPB) Guidelines on the Calculation of Administrative Fines under the GDPR.

Administrative Fines Under the EU GDPR and the UK GDPR

Article 83 of the EU GDPR, as well as Article 83 of the UK GDPR, which govern administrative fines, serve a dual purpose: (1) prescribing the types of fines that may be issued; and (2) prescribing the factors that a data protection authority (DPA) must consider to determine whether the non-compliance in question warrants a fine, and if so, how much the fine should be. This is to ensure that all administrative fines imposed are effective, proportionate, and dissuasive. As mentioned above, the EDPB has issued guidelines to help DPAs calculate the size of the fine that should be imposed. Unlike the EDPB, the UK Information Commissioner’s Office (UK ICO) has not yet published detailed guidelines on how fines should be calculated. However, it has published Statutory Guidance on Regulatory Action and is also consulting on draft Data Protection Fining Guidance.

Under the EU GDPR and UK GDPR, there are two categories of infringements that may lead to fines. The first category relates to less severe infringements, which may result in administrative fines of up to €10 million or £8.7 million (respectively), or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. The second category relates to more severe infringements, which may result in administrative fines of up to €20 million or £17.5 million (respectively), or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Administrative Fines Under U.S. Data Privacy Laws

Unlike in the EU, there is no comprehensive federal privacy law in the U.S. However, several U.S. states have implemented their own privacy laws in an effort to protect the personal data of their residents. As a result, the laws governing data privacy, as well as the enforcement thereof, can vary from state to state. For example, under the California Consumer Privacy Act (CCPA), fines range from civil penalties of up to $2,500 for each unintentional violation, to up to $7,500 for each intentional violation. Under Virginia’s Consumer Data Protection Act (CDPA), the Attorney General may seek civil penalties of up to $7,500 for each violation with no distinction between an intentional and an unintentional violation.

Fine Revenue Allocation

Fine Revenue Allocation in the EU and the UK

In the EU there is a general understanding that the proceeds of fines in most EU countries become national funds, and the national treasury allocates the money as part of the national budget. There are, however, unique cases, such as in Spain, where the DPAs keep the money (or a portion thereof) accrued through administrative fines.

In Denmark and Estonia, the DPAs cannot impose administrative fines themselves, but they can make recommendations to their respective national courts (Recital 151 of the EU GDPR). The fines collected in those cases presumably become state funds as well.

In the UK, the ICO retains a portion (up to £7.5 million annually) of the money paid in fines. Previously, all fine proceeds were collected in full by the Consolidated Fund, the UK Government’s general bank account. This differs from the position in Spain, where the Spanish DPA keeps the full amount collected.

Fine Revenue Allocation in the U.S.

Unlike in the EU, state privacy laws in the U.S. provide more guidance regarding where fine proceeds should go.

  • California: Under the CCPA, all fine proceeds must be deposited in the special Consumer Privacy Fund to fully offset any costs incurred in connection with the CCPA by the state courts, the Attorney General, and the California Privacy Protection Agency. 
  • Virginia: The CDPA prescribes that all civil penalties, expenses, and attorney fees collected must be paid into the state treasury and credited to the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund. 
  • Colorado: This state’s Privacy Act requires the state treasurer to credit all money collected pursuant to any enforcement action. 
  • Utah: The Consumer Privacy Act provides that all money received from an enforcement action must be deposited into the Consumer Privacy Account. 
  • Connecticut: Unlike the above state laws, Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring does not provide guidance on where any fine proceeds must go.

On a federal level, the Federal Trade Commission (FTC) also gets involved in consumer and privacy matters. Fine proceeds collected by the FTC generally go to the general fund of the U.S. Treasury. In some cases, the FTC will earmark money to compensate consumers seeking redress or use it to fund consumer education.

Are There Checks and Balances?

In light of increasing enforcement action by DPAs, and administrative fines becoming more common, one might question whether there are checks and balances in place. For example: (1) are there sufficient checks and balances to ensure that DPAs act consistently and do not abuse their power to fine companies; and (2) do DPAs have sole and absolute discretion when determining the size of a fine (knowing that they will keep the proceeds)?

In the EU, in cases involving cross-border processing of personal data, the EU GDPR makes provision for collaboration between lead supervisory authorities and concerned supervisory authorities. In such cases, to ensure the correct and consistent application, the EU GDPR creates a dispute resolution mechanism (Article 65) for when the respective supervisory authorities disagree on the infringement or appropriate enforcement action. For example, this mechanism was followed in the Irish Data Protection Commission’s Meta Platforms Ireland Limited Decision, where the matter was referred to the EDPB for resolution. According to the EDPB, the Guidelines aim to: (1) harmonize the methodology DPAs use to calculate fines; and (2) create harmonized starting points for those calculations. Notably, the EDPB Guidelines were published in response to the divergent applications of the EU GDPR regarding fines across the EU’s DPAs.

Once the new guidance in the UK is finalized, more concrete principles will serve as checks and balances to the fining procedure in the UK. In the U.S., the respective attorneys general (and the California Privacy Protection Agency) are empowered to enforce the respective privacy laws. These agencies must generally seek action in the respective state courts, and do not have the sole discretion to issue fines to infringing parties. The procedure of having to seek relief from the courts means that there are sufficient checks and balances in place for these enforcement agencies.

Conclusion

In conclusion, national and state treasuries generally collect all fines, with some unique cases where fines are deposited into dedicated funds to cover enforcement costs. Of course, once collected fines find their way into treasuries and special funds, it is up to the relevant administrators to spend the money wisely. Unfortunately, this is not always the case, as can be seen from maladministration and corruption cases across the world.
