| Country | Privacy organization | Privacy protection legislation | Most recent year in which the organization was granted enforcement powers by statute or amendment | Power to issue orders and ensure accountability | Statutory damages and sanctions |
|---|---|---|---|---|---|
| Canada | OPCC | PIPEDA | 2000 | No power to issue orders. Can launch an investigation further to a complaint or initiate an audit if there are reasonable grounds to believe an organization is contravening the Act. Has the power to collect evidence and visit the premises. | No power to impose fines or statutory damages. Must appear before the Federal Court to act on findings. |
| France | French Data Protection Agency (CNIL) | Act on Information Technology, Data Files and Civil Liberties (LIL) | 2004 | Can issue a decision. Must inform the company before entering the premises and beginning its investigation. Must obtain authorization from the court to proceed if the company objects to the investigation at the start. | Can impose a fine from €10,000 to €50,000 if a security lapse is noted after a compliance assessment. Under the criminal code, the penalty for insufficient privacy protection cannot exceed a fine of €300,000 and a jail sentence of five years in the case of an individual, or a fine of €1,500,000 in the case of a corporation. |
| Germany | Federal Commissioner for Data Protection and Freedom of Information | Federal Data Protection Act (BDSG) | 2009 | Commissioner oversees telecommunications companies and postal services. Data protection monitoring falls to the states for other areas of the private sector. Mandatory data breach notification. Can order organizations to fix problems that have been identified. | Can fine organizations up to €300,000 for non-compliance with data protection provisions. Heavier fines can be imposed if the infraction resulted in commercial gain. |
| Ireland | Data Protection Commissioner | Data Protection Act | 2003 | Has the power to obtain information. Has the power to ensure compliance. Can appoint an “Authorised Officer” to enter and examine premises. Can initiate proceedings and file a lawsuit (summary proceedings). | Can impose a maximum fine of €3,000 on summary conviction. On conviction on indictment, the maximum penalty is a fine of €100,000. |
| Spain | Spanish Data Protection Agency | Spanish Data Protection Act | 2011 | Has the power to issue orders, including ordering the destruction of data and data storage equipment. No obligation to notify of data breach. | Has the power to impose penalties for three categories of infringements (minor, serious and very serious), with penalties ranging from €600 to €600,000. |
| United Kingdom | Information Commissioner’s Office | Data Protection Act | 2010 | Has the power to impose fines and prepare assessment notices. Can investigate private-sector companies, but only with the organization’s consent. As part of certain investigations, has the power to enter the premises without giving notice and with a warrant, if needed. Can bring a case before the criminal court in England, Wales and Northern Ireland. | Can fine organizations up to £500,000 for serious data breaches. |
| United States of America | Federal Trade Commission | Federal Trade Commission Act | 1938 (the Federal Trade Commission Act of 1914 was amended to provide for administrative fines for non-compliance with orders issued under section 5) | Has the power to summon witnesses and compel the production of documents. Can require that annual or special reports be submitted in order to obtain information about an organization, its practices and management. Can initiate administrative proceedings or bring the case before the courts. Can prescribe rules defining deceitful or unfair practices. Can ask for compensation for harm suffered by the consumer. | Can impose administrative fines, with support from the courts, if an order to cease and desist is not respected after an administrative proceeding. |
| Australia | Office of the Australian Information Commissioner | Enhancing Privacy Protection (PASSED, BUT WILL NOT COME INTO FORCE UNTIL MARCH 2014) | The bill amends the Privacy Act of 1988. | The Commissioner will have the power to conduct assessments of privacy performance for both private-sector businesses and government agencies. The Commissioner will be able to make a binding decision further to an investigation initiated by the Commissioner. The Commissioner will be able to accept a written statement from a company committing either to take certain measures or to abstain from certain measures. | The Commissioner will be able to impose administrative fines of up to $1,100,000 for serious or repetitive breaches of privacy. If the Commissioner believes that an organization has not respected a commitment, he or she can ask the court to order the organization to respect its commitment. |
| European Union | European Commission (PROPOSED) | General Data Protection Regulation | Currently under consideration | The authorities in charge of data protection would all have the power to issue orders to cease certain activities, correct data, delete data or destroy data, and to give individuals access to their personal data. They would be able to carry out an investigation to obtain from the controllers and institutions: (a) access to all personal data and all information necessary for their inquiries; (b) access to any premises, including equipment and data processing methods, if there are reasonable grounds to assume that the Regulation is being contravened. | The Regulation states that each supervisory body is able to impose administrative sanctions, including a warning for a first, unintentional offence and then up to three levels of fines: (1) a maximum fine of €250,000 (for government agencies or non-profit organizations) or up to 0.5% of a company’s annual global revenue (for businesses); (2) a maximum fine of €500,000 (for government agencies or non-profit organizations) or up to 1% of a company’s annual global revenue (for businesses); (3) a maximum fine of €1,000,000 (for government agencies or non-profit organizations) or up to 2% of a company’s annual global revenue (for businesses). |