Skip to main content

Global data risk

Legal trends

Why are companies being fined?

Direct marketing

Focus for: US

A significant number of US data privacy fines relate to direct marketing, which includes e-marketing, telemarketing, SMS/MMS communications and postal marketing. The penalties in question generally relate to spam or cookie consent. 

Data breaches/data security

Focus for: UK

Enforcement authorities are issuing major fines to companies that suffer data breaches or are deemed to lack adequate data security measures.

The UK ICO has focused heavily on pursuing data breaches (eg the British Airways and Marriott cases in 2020) while US authorities have also handed out significant penalties (eg Dish Network, which was fined the equivalent of more than €170m by multiple agencies in 2020). Data breaches often lead to further financial exposure, particularly group action litigation by the individuals affected; these claims are often brought because of a general perception that a data breach must be the result of the business not fulfilling its data security obligations. However, the increasing sophistication of hacking attacks means even the best-prepared companies are vulnerable. To read our guidance on how to protect your business and respond to a data crisis, including litigation, request a copy of our report Anatomy of a Data Breach: what really happens in a global cyber crisis?

Protecting employee data

Focus for: Germany

There is an emerging trend for DPAs in Europe to come down hard on employee surveillance, particularly in Germany where several big fines have been issued.

In 2020 the Hamburg DPA fined a major retailer €35m for unlawfully collecting and storing health information on employees at its customer service centre in Nuremberg.

In response to the rise in home-working driven by the COVID-19 pandemic, many countries have issued specific guidance on the do’s and don’t’s of employee monitoring.

Further reading

Health data

Focus for: US and Sweden

Health information is considered a special category of data and requires a higher level of protection.

As a result, the way companies handle health data is closely scrutinised, with authorities looking at issues such as how it’s transferred and who has access to it.

There is a particular focus on health data in the US and Sweden, where big fines are common.

In the US, the Department of Health and Human Services' Office for Civil Rights (OCR) is a nexus of enforcement. In Sweden, hospitals and health insurance companies have been fined for giving staff unlawful access to individuals’ health information.

Health data is in focus as a result of the COVID-19 pandemic, playing as it does a central role in contact tracing apps.

Further reading


While the UK is no longer treated as part of the European Union following the end of the Brexit transition period, the EU GDPR has been largely retained in UK law (at least for now). A major factor in the UK/EU negotiations was the GDPR’s ban on sending personal data out of the EEA to countries that do not have ‘adequate’ data protection laws (with certain carve-outs, eg where the data is protected by contract). There was a concern that data flows from the EEA to the UK would be affected, as the EU had not officially declared the UK’s law to fall into this category. This issue was partially addressed in the EU/UK Trade and Cooperation Agreement (TCA), which governs the relationship between the EU and the UK. The TCA includes a new six-month transitional period for EEA/UK data flows , giving the EU more time to assess the UK’s ‘adequacy’. If the European Commission decides that the UK does not have an adequate level of data protection, businesses will need to use additional safeguards, such as putting in place the model data export contracts approved by the EU.

Following Brexit, many multinational businesses will now be subject to both the UK and EU data regimes. Among other things, this means considering who their relevant regulator will be and whether they need local representatives in either or both jurisdictions. These issues should be addressed sooner rather than later; if a business suffers a data breach it must notify relevant regulators quickly, so multinational enterprises need to be joined up.

Further reading