Nearly every company in the world is struggling to effectively manage the broad range of legal and operational risks associated with data.  Data is everywhere, and everyone is working to maximize its organizational value, while avoiding wrongful disclosures, theft of informational assets, and the losses related to the costly legal fallout.  This is the result, in large part, of new legislation, heightened regulatory scrutiny and marketplace expectations, and increased dependence on service providers for core business functions.

Baker & McKenzie 2016 Global Data Protection Enforcement Guide

Against this backdrop, Baker & McKenzie is pleased to present the results of its 2016 Global Data Protection Enforcement Guide.  We set out to give legal and compliance risk managers an understanding of the data enforcement laws in place around the world in the hopes of better equipping them to make informed decisions about how to manage risks associated with data.  To this end, we surveyed local counsel in 37 jurisdictions throughout the Americas, EMEA, and APAC, and asked them to describe the legal risks associated with violations of data protection laws, and summarize enforcement activities among local data protection authorities.

Global Data Protection Enforcement Overview

Overall, we found that the United States continues to dominate the enforcement scene by imposing some of the largest multi-million dollar fines against individual companies.  Federal agencies like the Federal Trade Commission, Department of Health & Human Services, and the Federal Communications Commission are swift and active in securing large settlements from unsuspecting privacy and data security violators.  In other parts of the world, the fines are less, but the operational risks (e.g., loss of a business licenses) are potentially greater.  In LatAm, data protection authorities in Mexico have been most active, imposing fines worth just over $5 million (USD) since 2012.  In EMEA, countries like France, Germany, and Spain are among the most active in civil enforcement actions against companies who violate data protection laws.  Other countries like Italy have focused on public censure and onsite audits to carry out local enforcement activities.  In APAC, countries like South Korea and Taiwan are the most active in enforcing local data protection laws through fines and other civil penalties.

Changing EU Data Protection Landscape

But this regulatory risk landscape could soon change now that the European Union has agreed on a new General Data Protection Regulation.  The new law imposes up to €20 million or 4 percent of annual worldwide turnover for groups of companies, whichever is higher.  Only time will tell just how aggressive authorities will be on violators going forward.

The findings of this report further demonstrate how important it is to enhance compliance controls in large, multi-national corporations with the goal of reducing the risk of an enforcement action on foreign soil.  These internal compliance controls include conducting Privacy Impact Assessments, preparing data flow maps as part of any new project involving cross-border data transfers, and creating a culture of awareness surrounding privacy and the wide spectrum of potentially applicable laws.  We hope you find it useful within your organizations.  To read more about the enforcement activity in a respective country, and other issues impacting cross-border and multi-jurisdictional privacy issues, click here.


Harry is a partner based in New York. He advises global organizations on privacy and data security compliance requirements. His practice is focused on delivering commercially practical advice on designing security, privacy, and technologically compliant solutions.