Over the past year we have observed an evolution in scrutiny of data privacy practices and the enforcement of cyber regulations in a number of jurisdictions. These trends signify the priorities of regulators tasked with safeguarding cybersecurity and can be informative to businesses navigating a dynamic regulatory landscape.
Exploring Non-Monetary Remedies
While recent, sometimes record, fines have made headlines, regulators in the US, UK, and EU have also begun pursuing non-monetary remedies. In the UK the anticipated flurry of fines, which was expected after the UK data regulator, the ICO, imposed double-digit million-pound fines in 2020, has not materialized.
In a speech in November 2022, the UK Information Commissioner, John Edwards, stated that: “There is nothing in the law that says enforcement must equal fines. Enforcement happens across a spectrum. Rather than being one thing, it is a series of graduated responses to non-compliance.”
Edwards indicated a shift in approach, from heavy fines for non-compliance to an outcomes-based approach in which the most appropriate enforcement steps are taken to secure the best outcome. Under this approach, where a company takes the right remedial steps in good time to correct its privacy shortcomings, a public reprimand may be deemed more appropriate than a large fine.
However, where the same company has repeatedly breached its obligations under privacy laws, or where there is a particularly serious breach, reprimands alone may not be sufficient. In Edwards’ words, “monetary penalties remain an important regulatory tool and we will use them in instances where they are truly needed.”
Regulators in the US have also recently imposed penalties beyond fines. In a March 2022 settlement with the Federal Trade Commission (FTC), in addition to paying a $1.5m penalty, a company agreed to delete both the personal data of children that it had allegedly improperly obtained and any algorithms and models developed using that personal data. This follows a similar consent order issued in 2021 against a photo storage service.
In the EU, the enforcement regime of the General Data Protection Regulation (GDPR) has exhibited an evolving maturity with an impressive record of financial sanctions, including €2.3bn ($2.5bn) in fines issued by EU data protection authorities (DPAs) between September 1 2022 and August 31 2023. But, as in the US and UK, the GDPR also empowers DPAs with diverse corrective measures. Limitations on processing, for instance, could have a more profound impact on businesses than financial penalties alone.
Moving Toward Personal Consequences
In some cases, US regulators have recently pursued personal consequences for executives, including criminal liability. For instance, as part of its January 2023 consent order with Drizly Inc. and CEO James Rellas involving the company’s alleged failure to use appropriate information security practices, the FTC issued detailed requirements for the information security program of any company for which Rellas is a majority owner or senior officer for 10 years following the entry of the order.
In October 2023, the Securities and Exchange Commission (SEC) announced charges against SolarWinds and its Chief Information Security Officer (CISO), Timothy Brown, for fraud and internal control failures relating to allegedly known cybersecurity vulnerabilities. The complaint alleges that SolarWinds was the target of a two-year-long cyber-attack and that both SolarWinds and Brown defrauded investors by overstating cybersecurity practices and failing to disclose known risks.
A Focus on Cookie Banners
In November 2022, the UK’s ICO published its ICO25 strategic plan and regulatory approach, which focuses on a number of priorities, including safeguarding vulnerable individuals. Reflecting this focus, in August 2023, the ICO announced that it will evaluate the cookie banners of the most frequently visited websites in the UK and take action where it finds that harmful design is impacting users.
In the UK, the use of cookies is primarily regulated by the Privacy and Electronic Communications Regulations (PECR). One of the changes being introduced by the UK Data Protection and Digital Information (DPDI) Bill is to increase the maximum level of fines the ICO can issue for breaches of PECR, from £500,000 to 4% of worldwide turnover, or £17.5m (i.e., the maximum penalty under the UK GDPR), whichever is higher.
Therefore, if this Bill is passed, we can expect to see much higher fines for breaches of PECR, especially with the ICO’s renewed focus.
In the EU, various forms of cookie banner nudging are now being regularly criticized by EU DPAs. Examples include banners that use a traffic-light-like color and design scheme (‘accept all’ = green button; ‘reject all’ = red button) or which make rejecting cookies more onerous than accepting them.
The French Data Protection Authority (DPA) has been particularly proactive in enforcement relating to cookie banners, with particular attention paid to ‘dark patterns,’ ‘tracer walls,’ and alternatives to third-party cookies used to circumvent limitations on the deposit of cookies. The French DPA has imposed over €400m ($435m) of fines in recent years in relation to alleged violations of cookie laws.
Data Transfers to the US
Data transfers to the US have been heavily scrutinized by EU DPAs in recent years, given the conclusion of the Court of Justice of the European Union in 2020 that the US does not offer a sufficient level of protection for personal data.
A new EU-US Data Privacy Framework (EU-US DPF) was adopted in July 2023 to facilitate personal data transfers to US entities participating in that scheme.
The UK and US also implemented a ‘data bridge’ mechanism structured as an extension of the DPF.
There is, however, continued uncertainty over whether the EU-US DPF will survive an expected legal challenge. It also remains to be seen how the various additional safeguards and recourse mechanisms introduced by the US to support the new EU-US DPF will be reflected in future regulatory decisions.
Looking Ahead
The enforcement trends outlined above show the importance of organizations continuing to place an emphasis on compliance with privacy and related laws. There is ample opportunity for regulators on both sides of the Atlantic to impose onerous non-monetary penalties on organizations in addition to, or instead of, heavy fines. The risk of personal liability for CISOs and other corporate officers not only elevates the stakes for organizational compliance but makes it a personal imperative for executives.
Tochukwu Egenti, Associate (London), Michael Schwaab, Principal Associate (Frankfurt) and David Cornell, Associate (Silicon Valley), from Freshfields also contributed to this article.