What are the penalties for noncompliance with any applicable data protection laws?
Noncompliance with data privacy laws, as well as data breaches, may lead to sanctions, fines, and penalties. The amounts are usually calculated according to the risk to which personal rights were exposed and the preventive measures taken by the data controllers, processors and sub-processors in relation to their respective roles in the chain of personal data processing.
Noncompliance with Chinese data protection laws can result in the following consequences (subject to the type of personal information concerned and the nature and severity of the noncompliance):
- Tort liability
- Criminal liability
- Administrative penalties, including warnings, confiscation of illegal business earnings, and/or a fine
Under the Personal Information Protection Law (PIPL), organizations which do not comply with orders to take corrective action can be fined up to one million Yuan (approximately $150,000). Directly responsible employees can be fined between 10,000 Yuan (approximately $1,500) and 100,000 Yuan (approximately $15,000).
In the event of a serious violation, authorities can impose a penalty up to 50 million Yuan ($7.5 million) or 5% of annual revenue. Individuals directly responsible for the serious violation may be fined between 100,000 Yuan ($15,000) and 1 million Yuan ($150,000) and can be barred from holding senior executive positions for a specified period.
In addition, acts deemed illegal under PIPL will be recorded in a social credit score or equivalent business credit file and made public.