US—beyond monetary penalties

Deletion of data and algorithms

In a March 2022 settlement with the Federal Trade Commission (FTC), in addition to paying a US$1.5m penalty, a company agreed to delete both the personal data of children that it had allegedly improperly obtained and any algorithms and models developed using that personal data. This follows on a similar consent order issued in 2021 against a photo storage service.

Personal consequences for executives

As part of its January 2023 consent order with Drizly Inc. and CEO James Rellas involving the company’s alleged failure to use appropriate information security practices, the FTC issued detailed requirements for the information security program of any company for which Rellas is a majority owner or senior officer for ten years following the entry of the order.

Criminal liability

In May 2023, a former Chief Information Security Officer (CISO) was sentenced to three years’ probation and fined after being convicted of charges related to obstruction in connection with an FTC investigation. The CISO is alleged to have taken steps to conceal information from the FTC regarding a second breach that he learned of during the agency’s investigation of a prior breach, both of which exposed personal data.

UK—a move to an outcomes-based approach

The anticipated flurry of major fines, which was expected after the UK data regulator, the ICO, imposed double-digit million-pound fines in 2020, has not materialised and, instead, the ICO’s recent approach has been to focus on outcomes, rather than punishment.

Focus on outcomes based approach

In a speech in November 2022, John Edwards, the Information Commissioner since January 2022, stated that:

This indicated the shift in approach from heavy fines for non-compliance, to an outcomes-based approach where the most appropriate enforcement steps are taken to ensure that the best outcome is chosen. Under this approach, where a company takes the right remedial steps in good time to correct their privacy shortcomings, a public reprimand may be deemed more appropriate than a large fine. However, where the same company has repeatedly breached their obligations under privacy laws, or where there is a particularly serious breach, reprimands alone may not be sufficient. In John Edwards’ words, ‘monetary penalties remain an important regulatory tool and we will use them in instances where they are truly needed’.

Cookie banners

In November 2022, the ICO published its ICO25 strategic plan and its regulatory approach, which focuses on a number of priorities, including safeguarding vulnerable individuals. Reflecting this focus, in August 2023, the ICO announced that it will evaluate the cookie banners of the most frequently visited websites in the UK and take action where it finds that harmful design is impacting users.

In the UK the use of cookies is primarily regulated by the Privacy and Electronic Communications Regulations (PECR). One of the changes being introduced by the UK Data Protection and Digital Information Bill is to increase the maximum level of fines the ICO can issue for breaches of PECR, from £500,000 to the higher of 4% of worldwide turnover, or £17.5m (ie, the maximum penalty under the UK GDPR). Therefore, if this Bill is passed, we can expect to see much higher fines for breaches of PECR, especially with the ICO’s renewed focus.

EU GDPR’s five-year journey: fines, corrective measures, and current trends

(Source: Freshfields data)

Since the introduction of the EU’s General Data Protection Regulation (GDPR) five years ago, the EU GDPR’s enforcement regime has exhibited an evolving maturity with an impressive record of financial sanctions but also a broader spectrum of corrective measures on the horizon. Fines have particularly impacted technology companies. While fines have made headlines, the EU’s GDPR empowers DPAs with diverse corrective measures. Limitations on processing, for instance, could have a more profound business impact than financial penalties.

Data transfers to the US

Data transfers to the US have been heavily scrutinised by EU DPAs in recent years, given the conclusion of the EU Court of Justice in 2020 that the US does not offer a sufficient level of protection for personal data. In this context, DPAs raised the concern that organisations often do not implement sufficient additional technical and/or organisational measures when relying on standard contractual clauses (which are one of the most common transfer mechanisms relied on).

A new EU-US Data Privacy Framework (EU-US DPF) was adopted in July 2023 to facilitate personal data transfers to US entities participating in that scheme. Given the continued uncertainty over whether the EU-US DPF will survive an expected legal challenge (and other limitations) it is likely that many personal data transfers to the US will continue to rely on other mechanisms such as standard contractual clauses.

It remains to be seen how the various additional safeguards and recourse mechanisms introduced by the US to support the new EU-US DPF, but which also have relevance to other common transfer mechanisms, will be reflected in future regulatory decisions.

Cookie banners

Regarding cookie banners, in particular various forms of nudging are regularly criticised by EU DPAs. Examples include cookie banners that use a traffic light-like colour and design scheme (‘accept all’ = green button; ‘reject all’ = red button) or which make rejection of cookies more onerous than accepting them.

The French DPA has been particularly pro-active in enforcing against cookie banners and imposed over €400m of fines in recent years in relation to alleged violations of cookie laws.

Companies, especially those with a French user base, should therefore consider auditing their cookie banners to ensure they are compliant.

Looking ahead

The enforcement trends outlined above show the importance of companies and other organisations continuing to place emphasis on compliance with privacy and related laws. There is ample opportunity for regulators on both sides of the Atlantic to impose onerous non-monetary penalties on organisations in addition to, or instead of, heavy fines.

The risk of personal liability for CISOs and other corporate officers not only elevates the stakes for organisational compliance but makes it a personal imperative for executives.

Regulators are demonstrating a concentrated effort to shield the rights of vulnerable individuals, especially children. Companies need to be particularly diligent with data concerning minors, ensuring that any data collection practices are transparent and consensual.

In addition, those companies leveraging AI must maintain their data sources’ integrity and ensure algorithms are built in accordance with privacy law standards.

More generally, companies can expect continued regulatory scrutiny of their online practices, with the UK and EU focusing on cookie-banners and user consent—areas which are often overlooked.

Finally, in the EU, international data transfers are likely to remain a major area of focus from regulators.

Back to top.