The Sony Data Breach Fine: A Hand-Slap From London Now, But What Would It Have Been Under The Proposed New EU Data Protection Regulation?

The UK Information Commissioner's Office (ICO) has fined Sony £250,000 for the widely publicized 2011 security breach (see here, here, and here) during which hackers gained access to personal data (including credit card information) of over 77 million users.

For a company of Sony's size, £250,000 is a hand-slap — and Sony's announcement that it will appeal the fine is surely based on a matter of principle (or a desire to avoid a bad precedent) rather than a purely economic decision.

But what would Sony's fine have been under the proposed new EU Data Protection Regulation?

Two percent of Sony's worldwide turnover.

I'm not sure how much that is, but it's a lot more than £250,000.

How exactly would the ICO be able to arrive at a fine equal to two percent of Sony's worldwide turnover under the draft Regulation?

Article 79 of the draft Regulation provides for fines of up to 2% of an enterprise's worldwide turnover in the event of a serious violation of the Regulation. Article 79 expressly calls out violations of Article 30, which requires data controllers and processors to...