leroux
Community Champion

Where are we with GDPR criminal penalties (including imprisonment)?

 

Currently, I have seen this only in Germany:

 

Imprisonment or a fine for

  • unlawful transfer / making accessible of non-publicly accessible personal data of a large number of individuals for commercial purposes;
  • unlawful processing of non-publicly accessible personal data if done for money or with the intent of obtaining for himself or a third person enrichment or damaging another person;
  • fraudulent obtaining of non-publicly accessible personal data if done for money or with the intent of obtaining for himself or a third person enrichment or damaging another person (personal offences based on responsibility).

Do you know any other one?

 

5 Replies
flyingboy
Newcomer III

The main focus of GDPR is to encourage organisations to have good hygiene data protection practices. The emphasis is on the legal liability of data controllers and processors where Article 83 and 84 advocate administrative fines. I believe Germany has taken extraordinary steps where personal liabilities (eg. imprisonment) may implicate DPOs too and discourage anyone willing to step forward to assist their organisation in compliance.

 

I have seen punishments like imprisonment for the listed illicit activities in other laws such as the Computer Misuse Act and the Cybersecurity Law.

Tekmic
Newcomer II

Hi Yves,

 

In Denmark we are still debating whether public authorities should be able to receive administrative fines. Very depressing...

 

/Michael

Compliance and InfoSec Consultant
Early_Adopter
Community Champion

It's not in the EU, but here in Singapore the Personal Data Protection Act (PDPA) has got some teeth in the form of a catch-all on inspection:

 

General Offences and Penalties

It is an offence under section 51(3)(b) and (c) of the PDPA to:

  • obstruct or impede the PDPC, its inspectors or other authorised officers in the exercise of their powers or performance of their duties under the PDPA; or
  • knowingly or recklessly make a false statement to the PDPC, or knowingly mislead or attempts to mislead the PDPC, in the course of the performance of the duties or powers of the PDPC under the PDPA.

An organisation or person that commits an offence under section 51(3)(b) or (c) of the PDPA is liable to:

  • in the case of an individual, to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 12 months or to both; and
  • in any other case, to a fine not exceeding $100,000.

 

Also as you might expect there are some pretty far reaching powers of investigation:

 

https://www.pdpc.gov.sg/organisations/enforcement-matters/personal-data-protection-breaches

 

flyingboy
Newcomer III

If that is the case, there are also Malaysia, South Korea, Philippines...

 

On the other hand, China may surprise everyone in terms of criminal penalties including imprisonment for those listed activities even though they do not have a law specific to data protection/privacy like the GDPR.

Early_Adopter
Community Champion

Yes, the more 'authoritarian' the country is perceived to be, the higher the likelihood that there are criminal penalties covering such actions.

 

The Chinese Cyber Security Law covers privacy in the PRC; it's just that it's amalgamated with Critical Information Infrastructure protection (bits of it do read as a homage to GDPR).

 

Article 63 does actually cover 5-15 days of detention as well as fines for breach of Article 27, and you could stretch the 'stealing of online data' and map that to privacy information, which seems to me to be a criminal sanction.

https://assets.kpmg.com/content/dam/kpmg/cn/pdf/en/2017/02/overview-of-cybersecurity-law.pdf