Skip to main content

Global data risk

National trends


German DPAs come down hard on employee monitoring (issuing a €35m fine in 2020 and a €10.4m penalty in 2021). Germany is the third most active EU jurisdiction for GDPR enforcement actions (after Spain and Romania) and its courts have heard more individual damage claims for data protection violations than those of any other member state. 


Most fines are given anonymously.


Europe’s most active GDPR enforcer. Spain’s DPA, the AEPD, has repeatedly fined the same companies (particularly telcos) and has recently issued its first seven-figure penalties (€5m in December 2020 and €6m in January 2021), both to banks. 


Italy’s DPA has repeatedly targeted telcos, handing down individual fines of more than €10m to the country’s three biggest operators in 2020. The Garante takes a tough line in cases of non-compliance with previous injunctions or warnings. 


The Information Commissioner’s Office (ICO) has issued only four GDPR fines but they are among the biggest. ICO has shown a particular interest in data breaches and security incidents resulting from insufficient technical or operational protections. Past decisions show that co-operation with ICO can lead to significant fine reductions; two major penalties the authority issued in 2020 were both reduced significantly.


Sweden’s DPA is particularly strict in cases relating to unlawful access to health or patient data. It issued six times as many penalties in 2020 than 2019.


Recent amendments to the Personal Data Protection Act, which were passed in November 2020 and which are being brought into force on a phased basis, include an increased financial penalty on organisations for breaches of the Personal Data Protection Act of the higher of up to 10 per cent of its gross turnover in Singapore or SGD1m (previously capped at SGD1m). The amendments also introduce new offences for individuals, including for the unauthorised disclosure or improper use of personal data and the unauthorised re-identification of anonymised information. These offences come with penalties that include a fine of up to SGD5,000 or imprisonment of up to two years.  

Hong Kong

Proposed revisions to Hong Kong’s Personal Data (Privacy) Ordinance are currently being considered by the legislative council panel on constitutional affairs. These proposals include mandatory data breach notifications for incidents constituting a real risk of significant harm and enhanced sanctioning powers. The Personal Data Protection Commissioner would be given powers for the first time to issue direct administrative fines for breaches of the ordinance. The panel is exploring the feasibility of introducing an administrative fine linked to the annual turnover of the data user, within different turnover bands.