A breach of the DPA constitutes a criminal offence. Upon conviction, violators may be subject to a fine of up to US$100,000, imprisonment of up to five years, or both. A body corporate is punishable on conviction to a fine of up to US$500,000.

The Information Commissioner has broad investigative and corrective powers under the DPA, including the power to request and obtain information from parties subject to the law and to issue orders to carry out specific remediation activities.

The DPA provides for a private right of action where data subjects suffer damage or distress due to a breach of the DPA by a public or private body.

In addition, the DPA explicitly provides for personal liability in respect of offences committed by a body corporate where the offence is proven to have been committed with the consent or connivance of, or to be attributable to neglect on the part of, any director, secretary, or similar officer, or any person purporting to act in such capacity. Where the affairs of a body corporate are managed by its members, this personal liability also applies to the acts and defaults of a member in connection with the member’s function of management.