What we can learn from the biggest GDPR fines so far

That wait came to an end in early July, when the U.K.’s Information Commissioner’s Office (ICO) fined British Airways £183.4 million (U.S. $230 million) and Marriott £99.2 million (U.S. $124 million) on back-to-back days for data breach-related violations. The penalties were the two largest issued under the EU’s data protection regulation so far.

The British Airways penalty resulted from a data breach that saw around 500,000 customers’ details—including log-in, payment card, and travel booking information—being diverted to and harvested by a fake Website between June and September last year. Marriott’s cyber-breach originated in another hotel chain that Marriott subsequently bought. It appears that IT security vulnerabilities may have been present as far back as 2014 when the Starwood hotels group’s IT systems were first compromised—some two years before Marriott acquired the company. Around 339 million guests’ personal details were leaked.

And in an unfortunate double whammy, because the breach was reported to the ICO in November 2018—once the GDPR regime was up and running—Marriott’s coffers were hit much harder for what the data regulator regards as the company’s failure to carry out appropriate due diligence post-acquisition. Under the previous Data Protection Act, which was superseded by the GDPR last May, the maximum penalty was just £500,000 (U.S. $627,000). Marriott was therefore handed a fine nearly 200 times larger for reporting a 4-year-old breach 6 months late.

Takeaways from the ICO’s fines

Michael Hughes, a partner at accountancy firm Haines Watts and non-executive director at cyber-security firm CyberQ Group, says the Marriott case is a stark warning to companies to check not only their own data protection protocols and controls, but also those of third parties.

“Organizations are finding it a challenge to ensure GDPR compliance internally, and there is a significantly greater challenge to obtain assurance that their full supply chain is GDPR compliant,” says Hughes.

Both British Airways and Marriott have said they intend to contest the penalties and have 28 days to submit their complaints. During that time, the ICO says—as part of the GDPR cooperation mechanism—it will take views from other EU data protection authorities to see whether its judgment and penalty are in line with EU guidelines. To overrule its decision, two-thirds of data regulators represented by the European Data Protection Board (EDPB), the body that reviews and provides guidance about how the GDPR should be applied across the European Union, need to agree that the original penalty or finding was incorrect. The process can take up to 16 weeks to complete.

Nicola Howell, senior compliance and EU privacy attorney at Dun & Bradstreet, believes both companies have a reasonable justification to feel like they got a raw deal.

“BA was externally hacked, and no customer suffered any financial loss, yet it has received the biggest GDPR fine to date—four times more than Google’s,” she said. “Marriott, on the other hand, has been fined massively for IT security failings that were present before it even bought the company. It’s hard not to feel some sympathy for either of them.”

Howell is also unsure whether the penalties issued against either company will be reduced on appeal. “It’s a tough call,” she says. “If the fines are reduced—especially by a significant margin—then there is a question mark about the regulator’s credibility. The main problem, however, is that there is no detail within the penalty notice as to how the figures were arrived at, which makes it difficult to assess how a penalty is commensurate with the level of neglect or control failures and the harm caused.”

“BA was externally hacked, and no customer suffered any financial loss, yet it has received the biggest GDPR fine to date—four times more than Google’s. Marriott, on the other hand, has been fined massively for IT security failings that were present before it even bought the company. It’s hard not to feel some sympathy for either of them.”

Nicola Howell, Senior Compliance and EU Privacy Attorney, Dun & Bradstreet

Other lawyers have reacted to the ICO’s fines in different ways. Emma Roe, partner and head of commercial at law firm Shulmans, says while the ICO “is not going to let an organization off the hook for the breach being the work of an external party or because that organization is the victim of a criminal hack,” she believes British Airways’ fine has been set lower than the maximum of 4 percent of turnover (it was 1.5 percent of turnover based on 2017 revenues) because it was a result of an external hack rather than an internal leak.

“Clearly, the ICO has left itself room to issue bigger fines when it finds culprits with even less of a handle on their data use and security,” she says.

Karl Foster, legal director at U.K. law firm Blake Morgan, says that “the fines are no longer just about security breaches, but failures of transparency and failures to follow procedures.”

“It is notable that the headline fines have been levied at multinationals with deep pockets and recognizable brands,” says Foster, who adds that such fines “will not be the norm for most businesses.” Last year, the ICO handed out a total of £3m (U.S. $3.76M) in fines. This July alone, it has handed out more than £280m (U.S. $351M) worth.

Some have expressed surprise that it is a “traditional” company that has been the most severely penalized first, rather than a data firm. “By announcing its intention to issue a record fine to a company outside the technology sector, the ICO is putting businesses on notice that GDPR enforcement is coming for all manner of organizations in all sectors,” says Tim Hickman, data protection lawyer and partner at global law firm White & Case.

Yet, there is an expectation that a big technology firm will be hit soon. While the ICO has “greatly surpassed” all other European supervisory authorities in levying fines under the GDPR, Robert Lands, a partner at the law firm Howard Kennedy, says the regulator’s new-found reputation as Europe’s highest fining enforcer could be short-lived.

“In future it is likely that record-breaking fines toward the maximum end of the range will go to severe breaches by companies whose business models rely on the exploitation of personal data, such as some of the well-known tech giants,” says Lands. “It’s quite likely that the record set by BA this summer will be dwarfed before long.”

Lawyers generally expect an uptick in the number of GDPR penalties from now on, pointing out it has taken regulators probably more time than they realized to process GDPR complaints, particularly those involving large companies. The British Airways case, for example, took almost 14 months to complete and provide notice of a fine. According to Foster, as of April this year, data regulatory authorities had resolved only 52 percent of the backlog of cases under the GDPR.