The UK ICO is flexing its muscles and considering record fines under GDPR – but why?
July 2019 has seen the UK Information Commissioner’s Office (“ICO”) announce its intention to fine both British Airways and Marriott Hotels. Given that the previous record fines issued by the ICO, against Equifax and Facebook, each reached the maximum of £500,000 permitted under the old Data Protection Act 1998, the fact that these fines total millions of pounds has made them headline news. For the European General Data Protection Regulation (“GDPR”) to be in any way effective, the “big stick” of massive fines permitted under the regulation would always need to be used in order to set an example to other organisations of the need to demonstrate compliance with GDPR. This was brought home to me during a panel discussion at the CDR magazine life sciences conference earlier this year, when the panel chair asked me whether in future it might be possible for the regulation of information security generally to take the form of guidance from governments and regulators rather than more rigid regulation. My answer was that, while guidance might be cheaper to comply with and allow for greater innovation, the lack of compliance by organisations with the old Data Protection Act, which meant it was still being enforced by monetary penalty notices for comparatively small sums of money some 20 years after it came into force, indicated that regrettably many organisations only take heed under the threat of massive regulatory enforcement.
Hence the news this month that British Airways faces a fine of £183 million while Marriott is on the receiving end of a likely fine of £99 million. The fines are so high because of the sensitive nature of the personal data involved in the data protection breaches. It is estimated that around half a million British Airways customers were misdirected to a fraudulent website where personal data including flight information, payment data and passport details were compromised. Meanwhile the Marriott breach affected an estimated 339 million users of the Starwood hotels group, which had been purchased by Marriott. This in turn affected 30 million EU citizens, 7 million of whom were in the UK. Both of these breaches were under way prior to the 25th of May 2018, when GDPR became law across the entirety of the European Economic Area. Indeed, the Marriott breach appears to have been underway since 2014. However, both organisations only became aware of the breaches after GDPR had taken effect, and hence they were investigated by the regulator and dealt with under GDPR’s regulatory enforcement matrix.
It is important to stand back and look at this enforcement action by the ICO in the light of the wider enforcement of GDPR to date. Google may have faced its fine of 50 million euros from the French data protection regulator CNIL earlier this year, but it has already indicated that it is appealing that decision. The Google fine was the result of complaints filed with European data protection regulators by privacy campaigners who were convinced that the measures taken by Google to demonstrate compliance with GDPR were insufficient; it therefore did not stem from a data protection breach or other defined incident. Meanwhile the pursuit of Aggregate IQ in Canada by the ICO was in order to secure the deletion of personal data rather than to impose a monetary penalty. Marriott and British Airways therefore constitute the first substantive examples of regulatory investigations following data protection breaches resulting in fines of the magnitude that GDPR now permits. British Airways has confirmed its intention to appeal any fine imposed, as it complied in full with the ICO’s investigation. However, it should be remembered that the £183 million fine actually represents less than 1.5% of the airline’s turnover in 2016/17. Furthermore, the regulator could have used the turnover of British Airways’ parent company IAG as the basis on which to calculate the fine, so BA could quite conceivably have found itself facing a significantly larger fine had the ICO been so minded.
It is interesting that it is the UK ICO carrying out this potential enforcement. Viewed through the prism of the UK’s departure from the European Union, this could be a demonstration by the UK regulator that not only is it enforcing GDPR as enacted in the UK Data Protection Act 2018 in a reasonable and effective manner, it is also putting down a marker that it intends to apply GDPR in a similarly rigorous manner in future. Once it has left the EU, the UK will likely find itself a “third country” outside the EU single market and will be looking to secure a speedy adequacy decision from the European Commission to ensure the continuing free flow of personal data between the UK and the EU and vice versa. The ICO is likely hoping that such high-profile enforcement against two large corporations sends out a strong signal in the UK’s favour for a positive adequacy decision. However, the spectre of the UK Investigatory Powers Act 2016 and the wide-ranging powers of state surveillance and bulk data collection that it introduced may militate against any potential adequacy decision in the UK’s favour. The European Commission will likely be looking earnestly at the progress of the judicial review that HM Government is currently defending regarding its use of the powers contained in the Investigatory Powers Act. The outcome of that litigation could potentially have a significant bearing on the willingness of the Commission to confer an adequacy decision in the UK’s favour. Consequently, this becomes another factor for HM Government to take into account in negotiating its departure from the European Union.