Jay Cline of Minnesota Privacy Consultants compiled some interesting data on privacy breach violations. He writes:
The European Union is threatening to suspend the U.S.-EU Safe Harbor agreement that U.S. companies depend on to do business with Europe, claiming that America doesn’t enforce its side of the bargain. Any way you cut the data, however, the U.S. dwarfs Europe and every other jurisdiction in doling out fines for data privacy violations. If privacy is measured by its weight in gold, America is the safest place on earth for personal data.
I assigned several researchers to mine our databases, publications and regulator websites for any instance of a fine imposed by a government agency for a violation of data privacy. We set the threshold of materiality at a minimum of $100,000. In practice, I’ve noticed that this is the amount where larger corporations even start to take notice. Anything less is a rounding error.
What did we discover?
* Increasing over time. We found 358 enforcement actions since January 1999, the first year big privacy fines came online. Only 130 of these carried fines that met or exceeded our $100,000 threshold. Of these, 60% were levied in the last three years. All fines totaled $225 million, with 52% of that sum imposed since 2011.
Read more on Computerworld, where you’ll find more statistics and charts on privacy fines and lawsuits.
But what can we make of the data? Cline writes (emphasis added by me):
What does this all mean? If you’re a consumer, violations of your privacy are more likely to be punished in an effective manner in the U.S.
He seems to assume that handing out more and bigger fines equates to addressing privacy violations “in an effective manner,” but on what basis does he claim such fines are effective? Have big fines reduced the risk or rate of privacy violations? If so, where are the data to support that claim?
With every big breach or fine, we see “lessons to be learned” articles, but as I’ve noted repeatedly on databreaches.net, those lessons don’t seem to be learned. Congress has yet to do anything serious about data brokers, HHS has only taken a relative handful of enforcement actions since HIPAA went into effect, and the FTC, too, needs to enforce more. And then, of course, there’s our NSA gobbling up tons of revealing metadata and other types of information.
Have we handed out more big fines or judgements than non-U.S. countries? Yes, but so what if we do? Where is there any evidence that the U.S. is better at protecting consumer and patient privacy than non-U.S. countries?
Should EU citizens be concerned about American businesses holding their data or processing it? Absolutely. And until Congress enacts strong privacy-protective legislation, including revoking the NSA’s ability to bulk collect our communications data, they should continue to be very, very concerned.