You know how you can be standing at a bus stop for ages, only to have two buses come along at once? Well, it’s been over a year since the General Data Protection Regulation (“GDPR”) came into force and data protection professionals across the UK have been watching and waiting for the first GDPR fine to be issued by the Information Commissioner’s Office (“ICO”). That wait looks like it will soon be over because in the last two days, the ICO has announced its intention to levy huge fines for data breaches under the GDPR on not one, but two organisations.
Back in October 2018, there had been some false hope around the case of Facebook’s involvement in the Cambridge Analytica data scandal, where the penalty levied was trumpeted as the largest ever awarded by the ICO. However, the case began under pre-GDPR data protection rules, so £500 million was the maximum fine that could be levied.
Instead, according to the ICO’s latest statements, British Airways (“BA”) and Marriott International (“Marriott”) could end up being the first organisations in the UK to feel the impact of the GDPR’s penalty system, where maximum fines can reach €20 million or 4% of annual global turnover, whichever is greater.
What happened?
At BA, the case began when it notified the ICO in September 2018 of a cyber incident whereby users of its website had been diverted to a fraudulent site. Hackers used this false site to harvest customer details, compromising the personal data of about 500,000 customers, according to the ICO’s investigation. The ICO believes that the breach began in June 2018 and that data relating to logins, payment cards, travel booking details, names and addresses was “compromised by poor security arrangements at the company”. It intends to fine the airline £183.39 million.
In the case of Marriott, it notified the ICO in November 2018 of a cyber incident involving the exposure of personal data contained in approximately 339 million guest records. Of these, 30 million related to residents in the European Economic Area (“EEA”), of which 7 million related to UK residents. The vulnerability is believed to have begun in 2014, in the computer systems of the Starwood hotels group. Marriott acquired Starwood in 2016, but it was two more years before the exposure of personal data was discovered. The ICO’s investigation found that Marriott “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems”. It intends to fine the US hotel group more than £99 million.
Can the organisations appeal?
The two fines (BA’s amounts to about 1.5% of its £11.6 billion global turnover last year) aren’t a done deal. Both organisations can now make representations to the ICO about its findings and the proposed sanction.
Willie Walsh, the chief executive of BA’s parent company, International Airlines Group (“IAG”), has declared his intention to do so, saying, “We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”
Marriott’s president, Arne Sorenson, confirmed that it would be taking the same approach, saying, “We are disappointed with this notice of intent from the ICO, which we will contest.”
After reviewing the representations, the ICO will decide whether to proceed as intended with the monetary penalty notice, or indeed apply a different penalty. If the ICO issues a penalty notice, BA and Marriott would have 28 days to pay the fine or lodge an appeal at the Tribunal. If they pay on time, they get a 20% discount!
Does anyone else get a say?
The ICO has been conducting its investigations into BA and Marriott as the lead supervisory authority acting on behalf of data protection authorities (“DPAs”) in other EU member states. Therefore, in accordance with the GDPR’s “one-stop-shop mechanism”, the ICO will be inviting comment on its findings from those EU DPAs whose residents have been affected. It has announced that it will consider carefully representations from the two organisations and other DPAs before making its final decision.
It will be fascinating to see how the one-stop-shop mechanism will work across the EU. Interestingly, if the UK were outside the EU, BA and Marriott would be dealing with the UK’s ICO and a separate lead supervisory authority for the EU.
Where does the money go?
Whatever sum the ICO arrives at, the penalty will be split among the EU DPAs, with the ICO’s share going directly to the UK Treasury. Individuals who are affected by the data breach and seeking compensation will need to claim money from BA or Marriott direct – the ICO does not have the power to award compensation directly to individuals.
As yet, the ICO has not released any further details about the reasoning behind its intentions to fine BA and Marriott, so we will comment further when more information comes to light.
At Pritchetts Law, we can help you with all aspects of data protection compliance, including preparing for or handling personal data breaches when they happen as well as taking preventative steps such as carrying out audits and implementing policies and procedures. Please get in touch to find out more.