"I know what you’re thinking: "Did he fire six shots, or only five?" Well, to tell you the truth, in all this excitement, I’ve kinda lost track myself. But being this is a .44 Magnum, the most powerful handgun in the world, and would blow your head clean off, you’ve got to ask yourself one question: "Do I feel lucky?" Well do ya, punk?"
Just based on some anecdotal observations over the past week after talking to various people, I get the feeling that people's attitudes towards privacy and data protection laws (and compliance with them) range from blissful ignorance to ambivalence to over-confidence:
"I don't think it will be enforced that seriously"
"I hope that it won't happen to me"
"We are a US / European company and I am sure we are compliant."
Perhaps it is due to the fact that I am in Singapore, which to date does not have a data protection law of general application on its statute books and not much of a tradition in privacy protection (though it is currently in the midst of introducing a data protection law).
Anyway, all that led me to think about the various things which could happen if a breach of a local privacy law occurred. It will come as no surprise to some that certain countries in Asia have pretty harsh penalty frameworks for privacy breaches. We are not just talking about fines levied at the organisation, but in some cases personal liability for directors, officers and employees, and in some countries that may include jail time (though on the topic of fines, the jaw-dropping potential for a financial penalty of 2% of annual worldwide turnover suggests that EU data protection regulators may soon be fitted out with larger-calibre guns).
Well, some of us will remember the 4 Google executives who were found guilty of violating Italy's privacy code (note: the matter is currently on appeal). If you don't already know of Peter Fleischer's run-in with the Italian police, take some time to read it. Now, imagine having your senior executives (or yourself, if you are the relevant executive in-country) arrested on the street in certain countries. If the Italians can do this, I am sure some of us will know of more than one Asian country which could easily go down this path as well, and you definitely will not be getting police officers wearing Armani, that's for sure.
So it is on that note that I thought that it would be useful to find out where in Asia you might find yourself locked up for primary data protection breaches, and compare that with a sample of regimes in Europe (just some quick caveats: I am not including breaches of secondary offences like a failure to provide information or correct information to the regulator, and I have left out the countries which do not have or are not proposing general data protection laws yet. Also, jail times reflected are the maximum periods that can be imposed. Finally, the list is not exhaustive and is not meant to be legal advice ... whew).
| European country | Imprisonment term | Asian country | Imprisonment term |
|---|---|---|---|
| Austria | Yes (1 year in the situation where a person uses the data to make a profit or to harm others) | Hong Kong | Yes (2 years) |
| Belgium | Yes (3 months to 2 years' imprisonment for repeat offences or breach of prohibition on processing personal data) | India | Yes (3 years) |
| Bulgaria | No | Japan | Yes (6 months for failure to follow a corrective order) |
| Czech Republic | No (though there is a criminal offence punishable by imprisonment created under the criminal code for unauthorised processing in connection with public administration) | Malaysia | Yes (various durations for various offences, but maximum up to 3 years) |
| Denmark | Yes (4 months) | Singapore | Yes (3 years but only for offences where no penalty is expressly provided for) |
| Finland | Yes (1 year) | South Korea | Yes |
| France | Yes (5 years) | Taiwan | Yes (5 years) |
| Germany | Yes (2 years, and like in Austria, in the situation where a person uses the data to make a profit or to harm others) | | |
| Netherlands | Yes (up to 6 months in limited situations) | | |
A few comments:
- Attribute it to cultural differences, but you get the sense from the table that there is a consistent possibility of imprisonment in Asian countries for breaches of the local privacy law.
- To be fair, just looking at the penalty framework and the top-line penalty amount or maximum jail sentence would not be useful in itself. You would have to consider the practice and the culture in which the regulator operates, and any precedent which the regulator may have set in previous enforcement actions. And to date, I don't know of instances where directors, officers or employees of a company have gone to jail for privacy breaches in which they were not personally involved.
- That all said, regulators are getting more serious with enforcement and penalties.