The U.K. Information Commissioner’s Office (ICO) has only issued three fines under the General Data Protection Regulation (GDPR), with the last two going a long way to promote the appeal process of the EU privacy law.

A £20 million (U.S. $26 million) penalty against British Airways on Oct. 16 is the ICO’s largest to date but pales in comparison to the £183.4 million figure the regulator originally touted last year for the airline’s failure to protect the personal and financial details of more than 400,000 customers. Two weeks later, a fine against Marriott was set at £18.4 million (U.S. $23.8 million) after initially being proposed at £99.2 million regarding a breach of approximately seven million U.K. guest records.

Experts had hoped the colossal fines initially proposed in each case would clarify the link between the size of the harm caused and the size of the penalty imposed—an issue that seems to have dogged other data protection authorities (DPAs) when handing out fines. Unfortunately, such hopes may have been dashed.

The ICO maintains the penalties remain “effective, proportionate, and dissuasive,” and given both penalties were approved by other EU DPAs through the GDPR’s cooperation process, it (presumably) means they understood the ICO’s rationale behind the original fines and their reductions, too (even if few others do).

“It is obvious there needs to be a more transparent process around how penalties are calculated in the intention-to-fine notices and much more information as to how they are subsequently reduced. At the moment, it looks like the figures are plucked out of thin air.”

Camilla Winlo, Director of Consultancy Services, DQM GRC

National data authorities have the right to reduce fines from the figures they originally set, but they do not necessarily need to make those reasons public. Understandably, this has led to criticisms that DPAs are regulating on their own terms, rather than in harmony, and that the process is not as transparent as it should be.

For example, while the ICO’s regulatory action policy spells out the factors that help determine whether a penalty should be imposed—as well as what size it should be—it is less descriptive about how fines are reduced from the figures originally conceived in the intent-to-fine notices. Nor does either penalty notice (BA or Marriott) provide details as to why the original and eventual figures are so far apart.

In draft guidance published Oct. 1, the ICO said it wants to cap fines at €20 million, even though it has the power to issue far larger penalties based on an organization’s turnover. It would have been “problematic,” says Gareth Oldale, partner and head of data privacy and cyber-security at law firm TLT, for the ICO “to finalize fines for BA and Marriott that were dramatically inconsistent with its own proposed statutory guidance.”

Fine reduction fallout

In the wake of the ICO’s recent decisions, experts generally believe that if a company has the resources, it is worth challenging any suggested GDPR fine. They also believe greater clarity around how fines are calculated—and reduced—would encourage companies to adopt best practice and put compliance at the heart of data protection.

“The BA and Marriott fines are going to make it very difficult for any EU data protection authority to make any nine-figure fine stick in future,” says Camilla Winlo, director of consultancy services at data protection and privacy consultancy DQM GRC.

“It is obvious there needs to be a more transparent process around how penalties are calculated in the intention-to-fine notices and much more information as to how they are subsequently reduced. At the moment, it looks like the figures are plucked out of thin air,” she adds.

Instead of imposing “arbitrary fines,” Winlo believes regulators forcing changes to behavior and rooting out bad practices “will ultimately have more influence than any penalty could ever have.”

More widely, experts are unsure just what impact the BA and Marriott decisions will have on the way other EU DPAs decide penalties. While the GDPR is supposed to harmonize the approach to enforcement, even data regulators admit so far this has not been the case.

In the decision notice to BA, Information Commissioner Elizabeth Denham said while “equivalent” GDPR breaches should attract “equivalent” penalties, “in practice, each case must turn on its own particular facts.” She added it would be “premature” and “not necessarily helpful” to “rely heavily … on a survey of the action taken by other supervisory authorities, given the relatively few decisions that have been taken under the new regime.”

In its decision notice to Marriott, the ICO said the lack of publicly available information about how various DPAs arrived at the decisions they did also made such analysis difficult.

Sacha Wilson, partner in the technology team at law firm Harbottle & Lewis, says “regulatory transparency is a key aspect to the robustness of any enforcement regime.” But while he believes the ICO (and other DPAs) should be mindful of other action taken by other data regulators, he agrees with Denham in that “there have been relatively few decisions about breaches of these magnitudes” upon which to draw useful conclusions.

The ICO says the way to ensure consistency is not by comparing penalties but through the Article 60 process—which concerns inter-DPA cooperation—and the Article 63 consistency mechanism that allows supervisory authorities to provide feedback and objections.

Of note, the impact of the ICO’s recent decisions could be limited following Brexit at the end of the year. If the United Kingdom leaves without a deal—or an adequacy decision on data protection, at least—the ICO will not be bound by the bloc’s consistency mechanism. As such, the U.K.’s GDPR enforcement record could be rendered meaningless.

“Whatever influence the ICO’s action could have had on other EU data protection authorities, this is likely to be significantly reduced—almost to the point of irrelevance—following the U.K.’s full withdrawal from the EU on 31 December,” says Oldale.