Cybercrime & Digital Law

Data Privacy and Criminal Liability: Why GDPR's Fines Are Only Half the Story

The General Data Protection Regulation (Regulation (EU) 2016/679) does not create criminal liability for data privacy violations on its own. Article 83 authorizes the administrative fines that generate headlines: up to 20 million euros or 4 percent of global annual turnover, imposed by national data protection authorities. Article 84 handles criminal penalties differently: it requires each of the 27 EU Member States to legislate its own "effective, proportionate and dissuasive" criminal rules and leaves the content entirely to national law. The result is 27 separate criminal regimes, not one European criminal privacy code.

Italy's Codice Privacy criminalizes unlawful processing carried out to profit or cause harm, requiring proof of concrete injury, nocumento, before conviction. Germany's BDSG (Bundesdatenschutzgesetz) Section 42 penalizes the commercial, unauthorized transfer of personal data affecting a large number of people, alongside older Criminal Code provisions on data espionage and professional-secrecy breaches. France stands apart: it alone criminalizes negligent, not just intentional, disclosure of personal data, at a reduced penalty.

The Data Protection Officer carries no general criminal exposure under the GDPR itself; France's narrow exception applies only to intentional breach or knowing complicity. Corporate criminal liability diverges sharply: Italy formally denies that a company can commit a crime, then reaches corporate wrongdoing anyway through a separate statute, while the United States has no GDPR-equivalent criminal privacy statute, relying instead on sector-specific laws such as HIPAA and the Computer Fraud and Abuse Act.

GDPR's Two Tracks: Administrative Fines Under Article 83, Criminal Penalties Under Article 84

The GDPR runs on two separate enforcement tracks, and conflating them is the most common error in popular discussion of data protection law. Article 83 fines are imposed directly by national data protection authorities. Article 84 does something different: it requires each Member State to "lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 83," and mandates that those penalties be "effective, proportionate and dissuasive."

Recital 149 makes clear that these other penalties can include criminal penalties, extending even to breaches of national rules the Regulation permits Member States to adopt on their own.

This delegation is a deliberate feature of the Regulation, not an oversight: the EU's competence to legislate criminal law under the Treaties is narrower than its competence over the internal market, where the GDPR's administrative-fine architecture rests. A single, harmonized GDPR criminal code was never a legally available option.

The line between the two tracks is more contested than most compliance guidance suggests. In Deutsche Wohnen SE (Case C-807/21, judgment of 5 December 2023), the Court of Justice of the European Union (CJEU) held that Article 83 fines require intentional or negligent conduct, rejecting strict liability, and that a data protection authority need not first identify a specific culpable individual before fining the legal entity itself. That ruling settles the fault standard for the administrative track.

What the ruling does not settle is whether a massive fine, such as the Irish Data Protection Commission's 530 million euro penalty against TikTok in 2025, remains administrative in substance or becomes functionally criminal once weighed against the Engel test from Engel and Others v. the Netherlands (1976), which can reclassify a nominally administrative sanction as criminal for fair-trial and legality purposes. This raises a genuine question for the largest GDPR fines rather than settling one; it is scholarly framing, not a court holding on the point.

The stakes are not abstract: under Article 50 of the Charter of Fundamental Rights of the European Union, a Member State may combine a criminal prosecution with an administrative fine for the same conduct only if the fine is not itself found to be "criminal in nature."

The GDPR Enforcement Tracker Report 2025/2026 puts cumulative administrative fines since 2018 at 7.1 billion euros, with 1.2 billion euros issued in 2025 alone and an average fine of 2,277,122 euros. No comparable running total exists for criminal convictions, because there is no single criminal-privacy statute to count against.

Italy's Criminal Privacy Offenses Under the Codice Privacy

Italy folds its data-protection criminal law into Legislative Decree 196/2003, the Codice in materia di protezione dei dati personali (Codice Privacy), realigned to the GDPR by D.Lgs. 101/2018. Title III of the Codice Privacy sets out a set of offenses:

Two holdings from the Corte di Cassazione (Italy's Supreme Court) shape how these provisions operate. First, Article 167 requires proof of nocumento, a legally relevant prejudice to the data subject or a third party, as a constitutive element of the crime; unlawful processing that produces no such prejudice is not automatically a crime, though it may still draw an administrative sanction from the Garante. Second, the offense is not limited to controllers or other formally "qualified" processing subjects: a private citizen who incidentally obtains sensitive or judicial-category data and unduly disseminates it can commit the crime just as a company can.

Cassazione has also held that Article 167 and Article 615-ter of the Criminal Code (Codice Penale, c.p.), which punishes unauthorized access to a computer system, are autonomous offenses that can both apply to the same conduct. A lawyer who leaves a firm and takes client files can be charged with both computer trespass and the privacy offense, because neither absorbs the other. Unauthorized computer access offenses like Italy's Article 615-ter c.p. and Germany's Section 202a StGB are treated in full in the companion article on cybercrime legislation.

Germany's Layered Framework: BDSG Section 42 and the Older Criminal Code Provisions

Germany's data-protection-specific offense sits in Section 42 of the Bundesdatenschutzgesetz (BDSG), the federal data protection act:

Unlike Italy's Article 167, Section 42 applies to "anyone," not only controllers or processors acting in that formal capacity. Both German offenses require intent, Vorsatz, rather than mere negligence, Fahrlässigkeit, as the fault standard, the same intent-based pattern found in Italy's core Codice Privacy offenses.

Two older provisions of the Strafgesetzbuch (StGB, the German Criminal Code) frequently apply alongside Section 42 rather than instead of it. Section 202a StGB, data espionage (Ausspähen von Daten), criminalizes overcoming specific access-security measures to obtain data not intended for the offender. Section 203 StGB, violation of private secrets (Verletzung von Privatgeheimnissen), criminalizes unauthorized disclosure of a secret entrusted to certain professionals, including doctors, lawyers, and tax advisors, in their professional capacity. Both predate the GDPR by decades and were not written with data protection in mind, but German prosecutors reach for them regularly in cases that also implicate Section 42.

German criminal data-protection law is therefore layered, not singular: one data-protection-specific offense sitting on top of two much older, narrower criminal provisions.

France's Outlier Rule: Criminalizing Negligent Disclosure

France's Code pénal is, among the three European jurisdictions surveyed here, both the most punitive and the broadest. Its Section 5, "Des atteintes aux droits de la personne résultant des fichiers ou des traitements informatiques" (Articles 226-16 to 226-24), creates a cluster of offenses built around GDPR compliance failures rather than a single unlawful-processing offense.

Four provisions anchor this cluster:

Article 226-22, unauthorized disclosure of personal data that harms a person's reputation or privacy, carries five years and 300,000 euros if the disclosure is intentional, but a reduced three years and 100,000 euros if the disclosure is merely negligent. That negligence tier means France is the only jurisdiction that criminalizes negligent, not just intentional, disclosure of personal data, where Italy requires dolo (intent) and Germany requires Vorsatz for their core offenses.

France's statute is broader than Italy's or Germany's in a second respect: it targets compliance failures directly (missing security measures, missing legal formalities, unlawful retention) rather than requiring, as Italy does, proof of concrete harm to a specific data subject. A French prosecutor need not show that anyone was actually hurt by a security lapse under Article 226-17; the failure to secure the data is itself the offense, a materially lower evidentiary bar than Italy's nocumento requirement.

Does the Data Protection Officer Face Personal Criminal Liability?

A recurring misconception among compliance practitioners holds that the Data Protection Officer carries meaningful personal criminal exposure for an organization's data-protection failures. Under the GDPR itself, this is not correct: compliance responsibility sits with the controller or processor, not the DPO, who pays no Article 83 fine and answers to no one personally for the organization's non-compliance. The misconception likely traces to a conflation: the DPO monitors compliance and reports internally, which some read as though the role also carries the organization's legal exposure. It does not.

Where personal exposure for a DPO can arise, it comes from the same general national law that would apply to any employee or officer in a similar position: employment, contract, and tort law, plus general criminal law that has nothing to do with the DPO title. None of this is a GDPR-specific DPO liability regime.

France supplies the one genuine, narrow exception among the jurisdictions covered here. French commentary on Article 226-17 and the related provisions holds that a DPO is not liable for the organization's GDPR non-compliance in general, but can face personal criminal liability if the DPO intentionally breaches the criminal data-protection provisions, or knowingly acts as a complice (accomplice) in the controller's or processor's breach of them. This exposure is intent- and complicity-based, not a strict-liability trap that catches a DPO doing the job in good faith; it catches a DPO who personally commits the underlying conduct or knowingly helps someone else do it.

The practical answer to whether a DPO can go to prison for a company's data breach is: no under ordinary circumstances, yes only in the narrow French scenario described above, where the DPO's own intentional or complicit conduct, not the organization's failure alone, is what a court would need to find.

When a Company "Can't" Commit a Crime But Gets Punished Anyway

Continental civil-law systems historically operated on the Roman-law maxim societas delinquere non potest: a legal entity cannot itself commit a crime, only the natural persons who act for it can. Italy formally still adheres to this principle, which taken at face value would mean no Italian company could ever be criminally punished for a data-protection offense.

D.Lgs. 231/2001 (Decreto Legislativo 8 giugno 2001, n. 231) supplies the workaround. It creates the administrative liability of entities dependent on a crime, a status that is technically administrative on paper, preserving societas delinquere non potest, but is adjudicated by the criminal court alongside the underlying crime. Liability attaches when a representative commits one of an enumerated, closed catalogue of predicate offenses (reati presupposto) in the entity's interest or to its benefit. That catalogue, expanded repeatedly since 2001, now includes IT and privacy-protection offenses, so a data-protection crime by a company representative can trigger corporate-level sanctions. An entity can largely avoid this exposure by adopting and effectively implementing a compliance model suited to preventing crimes of the relevant kind; a model that exists only on paper is not sufficient.

France, by contrast, imposes direct corporate criminal liability: the 1.5 million euro figure under Article 226-17 is the penalty for the corporate entity itself. French law treats the legal person as a criminal defendant in its own right, with no workaround needed.

The full history of this statute, including how its predicate-offense catalogue has expanded since 2001, is covered separately in this site's article on corporate criminal liability.

How the United States Handles Privacy Crimes Differently

The United States has no federal equivalent to GDPR Article 84: no comprehensive federal data-protection law exists, so no general criminal privacy statute exposes a company or individual to prosecution for violating one.

The Health Insurance Portability and Accountability Act (HIPAA), at 42 U.S.C. Section 1320d-6, criminalizes knowingly obtaining or disclosing individually identifiable health information, or misusing a unique health identifier, in violation of the statute. Its penalty structure is tiered by intent:

The "knowing" element requires only that the defendant knew the underlying facts, such as accessing records without authorization, not that the defendant knew the conduct violated federal law.

The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. Section 1030, is a 1986-era statute criminalizing unauthorized access, or knowingly exceeding authorized access, to a protected computer. That jurisdictional hook, covering financial institutions, the federal government, and any computer used in or affecting interstate or foreign commerce, is broad enough to reach almost any networked computer, with penalties up to twenty years' imprisonment depending on the offense variant. The CFAA does the same job in the American system that Italy's Article 615-ter c.p. and Germany's Section 202a StGB do in theirs: an unauthorized-computer-access statute, not written for privacy, doing privacy-adjacent work.

State privacy statutes, including California's CCPA and CPRA and the Colorado Privacy Act, remain civil and administrative, enforced by state attorneys general or dedicated agencies such as California's Privacy Protection Agency. Per-violation penalties in this state layer run from roughly $2,500 to $20,000, an order of magnitude below GDPR's percentage-of-turnover model, and none of these statutes provides a criminal-conviction pathway comparable to Italy's, Germany's, or France's.

The accurate comparative statement is not that the US lacks criminal consequences for privacy violations. HIPAA's ten-year maximum and the CFAA's twenty-year maximum both exceed the custodial exposure under several of the European statutes surveyed here. The difference is structural: a patchwork of sector-specific American criminal statutes layered onto a civil state-law baseline, against a Member-State-by-Member-State general criminal privacy statute layered onto the GDPR's unified administrative fine regime in Europe.

Frequently Asked Questions

Does the GDPR impose criminal penalties for data breaches?

Not on its own. Article 83 authorizes administrative fines only. Article 84 requires each EU Member State to write its own criminal rules, so the criminal law involved is entirely national, never supranational.

Can a company be criminally prosecuted for a data crime in Italy, given that Italian law says companies cannot commit crimes?

Yes. Italy maintains that only individuals commit crimes, but D.Lgs. 231/2001 creates a parallel track, heard in criminal court, that punishes an entity when its representatives commit a listed predicate offense, now including privacy and IT crimes.

Is a Data Protection Officer personally liable if their employer suffers a data breach?

Under the GDPR, no. The controller or processor answers for the organization's compliance, not the DPO. France carves out a narrow exception for a DPO who intentionally breaches the criminal data-protection provisions or knowingly assists someone else's breach.

Can the same conduct trigger both an administrative GDPR fine and a criminal charge?

Sometimes, but not as a matter of course. Under the CJEU's ne bis in idem analysis, a Member State may stack both only where the administrative fine is not itself judged criminal in nature under the Engel test.

Is every unlawful data processing act a crime in Italy?

No. Article 167 of the Codice Privacy requires proof of nocumento, a legally relevant prejudice to someone, along with, generally, intent to profit or cause harm. Processing that is unlawful but produces no such prejudice may still draw only an administrative sanction.

Does the United States have a criminal privacy law equivalent to the GDPR?

No general one exists. Criminal exposure in the US runs through sector-specific statutes: HIPAA for health information (up to ten years) and the Computer Fraud and Abuse Act for unauthorized computer access (up to twenty), layered over a civil and administrative state-law baseline.

What the Divergence Means for Anyone Operating Across Borders

Jurisdiction Core Statute Mens Rea Required Penalty Range Notable Feature
Italy Codice Privacy Arts. 167, 167-bis, 167-ter (D.Lgs. 196/2003, amended by D.Lgs. 101/2018) Intent (dolo) to profit or cause harm; nocumento (concrete prejudice) required 6 months to 6 years' imprisonment, depending on the provision Requires proof of actual harm; corporate liability reached indirectly through D.Lgs. 231/2001
Germany BDSG Section 42(1)/(2), alongside StGB Sections 202a and 203 Intent (Vorsatz); applies to "anyone," not only controllers Up to 2 to 3 years' imprisonment or a fine Self-incrimination safeguard (Section 42(4)) protects breach notifications from use in prosecution
France Code pénal Arts. 226-16 to 226-24, especially 226-17 and 226-22 Intent for most offenses; negligence sufficient under Article 226-22 Up to 5 years / 300,000 euros (individual); up to 1.5 million euros (corporate) Only jurisdiction studied that criminalizes negligent disclosure; direct corporate criminal liability
United States HIPAA (42 U.S.C. Section 1320d-6); CFAA (18 U.S.C. Section 1030) Knowledge of the underlying facts (HIPAA); unauthorized access (CFAA) Up to 10 years (HIPAA); up to 20 years (CFAA) No general criminal privacy statute; exposure is sector-specific rather than comprehensive

The core takeaway from this comparison is that "criminal liability under the GDPR" is a misnomer. No single such regime exists. What exists is a set of national criminal statutes, each triggered by conduct that also happens to violate the GDPR, in which the fault standard, the class of people exposed (controllers, DPOs, individual employees), and even whether a corporation itself can be treated as criminal all diverge by country.

For a multinational controller, or counsel advising a client across more than one of these systems, the practical stakes are concrete: an identical data-breach fact pattern can produce a fine-only outcome under one Member State's law and custodial exposure for a named individual under another's. An analysis of 261 public GDPR enforcement orders through May 2020, published in the Journal of Information Policy in 2021, found that formal penalties of any kind have historically been used relatively rarely, consistent with Europe's longer tradition of data protection authorities acting more like ombudsmen resolving complaints than punitive regulators.

Two developments are worth watching without overstating their effect. The E-Evidence Regulation, applying from 18 August 2026, lets law enforcement in one Member State request electronic data directly from a service provider in another, addressing cross-border digital evidence rules like the E-Evidence Regulation that this site's companion article treats in full; the Regulation is procedural and does not itself create a new criminal-liability rule. The Digital Omnibus package, published in November 2025, proposes to simplify the EU's digital regulatory framework across the GDPR, the Data Governance Act, and the AI Act, but remains a proposal rather than finalized law.

This article describes the law as it stands. It is informational, not legal advice, and anyone facing an actual cross-border data-protection question should consult counsel qualified in the relevant jurisdiction.