Comparing the Deterrence Value in GDPR and PIPA
For tech companies, data compliance regulations have been at the forefront. Many businesses hire dedicated compliance officers to ensure that processed data is handled legally. In a previous article, I discussed the key similarities and differences between the GDPR and the PIPA (1). In this article, I'd like to delve deeper into these two prominent data protection laws and see how effectively they've achieved their goals.
While the primary goal of the laws is to ensure that user data and privacy are maintained to the highest standards, the penalties for violating the same play an important role. Because large corporations typically have large balance sheets, an effective penalty is required to deter companies from breaking the law.
Deterrence Theory
The theory of deterrence dates back to the early twentieth century and the outbreak of World War I. With the gradual development of nuclear weapons, it became critical for statesmen and political analysts to develop guidelines that would keep damage to a minimum for the good of humanity.
While deterrence theory is fundamentally concerned with armed conflict, modern deterrence theory has a broader scope in which punishment is used to "set an example": punishing one offender discourages others from following suit.
Penalties are the most significant deterrent when it comes to data protection laws. High fines ensure that businesses place a greater emphasis on adhering to the legal provisions outlined in the regulations. The practical effect of the penalties, however, is a far cry from the requirements on paper. Still, a few recent cases involving tech behemoths have made headlines, forcing companies to clean up their practices and act with greater caution in order to maintain data privacy. Google, for instance, was fined nearly $40 million for failing to comply with the GDPR. (2)
1. GDPR
The General Data Protection Regulation (GDPR) was passed to address the emerging need for data protection in a rapidly evolving digital world. The GDPR focuses on protecting the rights of individuals and the environment in which they live, and it has gradually established itself as the primary and most influential data protection law in the world.
Let us now take a closer look at the GDPR's penalty provisions:
· Article 82 of the GDPR establishes the "Right to Compensation," wherein a subsection states, "Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered." (3)
· Article 83 sets out the conditions that must be fulfilled to impose administrative fines, whereas Article 84 elaborates on the penalties. For violations that are not severe, the liability under Article 83 can be up to 10 million Euros or 2% of the company's revenue. For severe violations, the penalty is increased to 20 million Euros or 4% of revenue, whichever is higher. (4)
The penalties under the GDPR are high, and there are well-documented cases of fines issued to big corporations. Let's take a look at some of the important ones:
Famous Case Laws
2. PIPA
The Personal Information Protection Act (PIPA) is the primary data protection regulation in South Korea. Considered one of the strictest, PIPA requires a high level of compliance and also applies to entities that do not conduct their business in Korea.
The legal backing for data protection is derived from the Korean Constitution, wherein Articles 16, 17, and 18 address privacy and individual rights. Article 34 of the PIPA deals with data breaches, whereas Article 34(2) sets the penalty, with a maximum fine on the order of 500 million Won (roughly $420,000). (7)
Despite the stricter rules, the lower penalty fails to act as a deterrent. With fines this low, the cost-benefit analysis for large organizations often favors misusing the provisions over complying with them. There have been a few crucial cases wherein the Personal Information Protection Commission (PIPC) has fined large tech organizations. However, the fines are minuscule compared to those under other global protection laws such as the GDPR. Let's take a look at the most prominent cases:
Famous Case Laws
Conclusion
Given the provisions of the GDPR and PIPA, it is safe to assume that policymakers recognize the importance of data regulation and protection. However, given the financial resources of large corporations, individual rights must be protected in a more effective manner. With tech giants profiting handsomely from user data and facing no effective penalties, corporations profit from noncompliance because their gains exceed the fines they must pay. As a result, a comprehensive re-evaluation of the laws is required to amend the liabilities and effectively deter future violations.
Here are the references I cited in the article!
(1) A Benchmark For Data Protection Regulations: GDPR and PIPA. https://bit.ly/3DFbcd3
(2) Google hit with £44m GDPR fine over ads. https://bbc.in/3HOE9Wk
(3) Art. 82 GDPR: Right to compensation and liability. https://bit.ly/3cVvbbT
(4) Art. 83 GDPR: General conditions for imposing administrative fines. https://bit.ly/3r2Lwn2
(5) Luxembourg DPA issues €746 Million GDPR Fine to Amazon. https://bit.ly/3nFk90q
(6) GDPR fine: WhatsApp faces €225 million for transparency violation. https://bit.ly/3DNeCuh
(7) PERSONAL INFORMATION PROTECTION ACT. https://bit.ly/3xiDh7M
(8) South Korea: PIPC fines Netflix KRW 223.2M for violations of PIPA. https://bit.ly/32vUOy1
(9) Five corporations with 100 thousand and more personal data leaked out subject to fine for negligence of 42 million won. https://bit.ly/3xiQSvB