ADPPA vs GDPR: Comparing their enforcement

In our past posts, we compared the scope, principles and individuals’ rights under the proposed US federal data privacy legislation, the American Data and Privacy Protection Act (ADPPA), and the EU GDPR. Both Acts provide for strict enforcement mechanisms for businesses violating their provisions. If you are subject to (one of) the Acts, you must of course firstly adequately adapt your processing operations to avoid any enforcement actions against you. However, it is equally crucial to be aware of possible procedures and fines that your business might face, if you fail to do so. In this blog, we compare the different enforcement procedures under the Acts.

Enforcement by public authorities

ADPPA: Federal Trade Commission or Attorney General

Both Acts allows for enforcement by public authorities. The ADPPA would give the attorney generals of each state and the Federal Trade Commission (FTC) the power to enforce its provisions. If you disrespect data processing requirements under the ADPPA, be aware that the FTC can enforce these under its existing enforcement mechanisms and will treat any violations as unfair or deceptive acts or practices under the Federal Trade Commission Act. The ADPPA does not prescribe the height of fines for its violations, but fines under the Federal Trade commission Act generally amount up to 40.000-50.000$. Similarly, an attorney general can start civil action in the name of its State or on behalf of its residents in the federal courts if he believes that a resident of his State has suffered damage due to your violation of the act. You may then face an order to carry out a specific action, to comply with a provision, to pay damages, restitution, attorney fees and/or litigation costs.

EU GDPR: Supervisory authorities

The EU GDPR provides for an elaborate enforcement framework via designated national authorities. If you disregard your obligations under the GDPR, you risk heavy fines imposed by these authorities. Generally, the supervisory authority of the EU Member State in which the processing takes place is competent. If you are for instance a small business established in the Netherlands and only process personal data of Dutch residents, you will mainly be subject to enforcement by the Dutch supervisory authority. Conversely, if you process personal data also of data subjects in Germany, France and Belgium, the Dutch Supervisory authority will remain primarily competent as the authority of your main establishment (the ‘lead authority’) but it must cooperate with its German, French and Belgium counterparts when investigating your processing operations.

The competent supervisory authority has a broad range of investigative and corrective powers. It can investigate if it suspects you to be in breach of the GDPR and request you to make available various documents such as your data processing records or impact assessments. If you are subject to such investigations, it is of paramount importance that you cooperate well with the authority. Otherwise, you risk heavy fines. Different to the ADPPA, the GDPR contains concrete indications as to the height of the fines you might face. If you violate one of the GDPR’s core provisions, such as the requirement to have a lawful basis for processing or to comply with data subjects’ requests to exercise their rights, you risk fines of up to 20m€ or 4% of your annual turnover determined by the seriousness of your infringement. Violations of other provisions equally risk fines of up to 10m€ or 2% of a company’s annual turnover. When determining the height of the fine, the authorities take account of your degree of cooperation. Therefore, always demonstrate that possible breaches were unintentional by taking adequate measures to remedy violations early on. This way, you might escape excessive fines.

Private right of enforcement

Both Acts further allow individuals to directly take action against you. You should be particularly aware of this option if you are a small business, and you might consider yourself on the safe side as the FTC or GDPR supervisory authorities have more interest in pursuing violations by large corporations. Individuals, often represented by consumer associations, could still sue you in court!

ADPPA:  private right of action

Under the ADPPA, be aware that individuals can directly sue you for damages, injunctions, litigation costs and attorney’s costs in federal court. However, such private right of action is more limited than under the GDPR. First, it is only possible four years after the Act’s enactment. Second, individuals must notify the FTC and attorney general of their state of residence of their intention to start a civil action. They then have 60 days to decide whether they wish to intervene in the action. Additionally, the ADPPA provides you with a right to cure. Even before informing the FTC and the attorney general, individuals must give you a possibility to address the violation. You have 45 days to correct any alleged violation. Make careful use of this opportunity if the claim by the individual is well-founded. If you succeed to cure the violation, an action for injunctive relief against you may be dismissed. This is a possibility to avoid court proceedings initiated by individuals which you do not enjoy for alleged violations under the GDPR.

GDPR: complaint with supervisory authority + judicial remedy

Under the GDPR, you may equally face enforcement proceedings initiated by individual data subjects. For once, individuals can issue a complaint against you with the supervisory authority of their habitual residence, place of work or the place of the processing of the personal data (usually your main establishment). In such cases, if the supervisory authority decides to pursue the complaint, it can make use of its enforcement powers described above.

Importantly, the GDPR also allows data subjects to directly sue you in court. They might lodge an action against you before the courts of the Member States in which you have an establishment (note: this does not need to be the authority of your main establishment, any establishment suffices) or in which they reside. If convicted, courts can then equally order you to pay compensation, impose fines, bans on processing etc.

Accordingly, both acts have effective enforcement mechanisms in place to address violations of their provisions. It is therefore important that you align your processing operations with the legal requirements so that there is no reason for public authorities or individuals to initiate proceedings against you. Should you however become subject of (well-founded) enforcement proceedings, ensure to address any violations early on, take the necessary remedying steps and cooperate with the authorities to avoid heavy fines.

Enforcement: ADPPA vs GDPR