
Growing number of fines is sign regulators are moving on data privacy, NCC Group says

Governments have handed out 2,700 data privacy fines since 2020, but that’s just the start.
Mohd Izzuan/Getty Images

In the 2024 edition of its annual Global Cyber Policy report, information assurance firm NCC Group estimated governments have handed out at least 2,700 fines totaling around $7.3 billion (€6.6 billion) over data privacy violations since 2020.

The report shows the increasing complexity of compliance with existing data regulations across the globe. For example, the US issued 72 of those fines, while the UK issued just 14. Yet Spain single-handedly issued over 840 fines, or over 30% of the entire global pool. Meanwhile, Ireland issued just 20 fines—but those amounted to $2.7 billion. (Ireland has historically served as a tax haven for US tech firms, which also places the nation on the front lines of European Union tech regulation.)

Enforcement strategies across jurisdictions and sectors differ dramatically. For example, two-thirds of fines in the US were in healthcare, and three out of five of those were related to data subject rights, indicating the complaints originated from consumers. The French government, though, appears to have pursued a prosecutorial strategy focusing on high-impact cases. NCC Group researchers found that while most enforcement was directed at public sector organizations, those actions tended to have far smaller fines.

According to Katharina Sommer, NCC Group’s head of government affairs and analyst relations, governments across the globe are beginning to take a “whole of society” approach to data regulations, with increasing obligations from the private sector. At the same time, governments have prioritized harmonizing data privacy regulations with the aim of producing “a more coherent regulatory architecture that organizations have to follow,” Sommer told IT Brew.

This will particularly affect organizations that “operate across jurisdictions and across sectors, so might have to comply with multiple and overlapping regimes,” Sommer said.

Another trend to watch out for? Regulators are increasingly holding senior directors at companies personally responsible, and in some cases liable, for violations of privacy regimes.

For example, the EU’s NIS2 and DORA laws hold senior directors personally liable for overseeing risk management programs, with “consequences for non-compliance including temporary suspension from senior management roles.” US authorities have “more limited” powers to put leadership’s feet to the fire, according to the report, but there has been progress on steps like the Securities and Exchange Commission’s breach reporting rules for publicly traded firms.

“We are seeing that increasing trend of boards and executive committees looking at cyber risk management, not just through the lens of, ‘This is really quite important for the business that I’m running and responsible for,’ but also through the lens of, ‘Oh no, if I don’t take this seriously, there might be serious personal implications for me, such as jail time or fines or bans,’” Sommer said.

While cyber policy making has slowed down in the US and EU, Sommer said, that’s a temporary lull caused by election seasons. At the same time, she added, courts and regulators have used their own authorities to add pressure in the absence of clear guidance. She advises data professionals to stay aware and ahead of the rapidly changing landscape.

“The enforcement that we’re seeing happening around data privacy is probably two, three years ahead of what we’re likely to see, in how the cyber rules are being enforced,” Sommer said. “So, we’ve been through this period of cyber rule-making, where new laws are being enacted, coming into force, regulatory requirements and standards are being sharpened up, and guidance is being published.”
