The General Data Protection Regulation (GDPR) came into force last year and was the biggest shake-up to data privacy in 20 years. Upon its implementation, the maximum fines increased from £500K to £17.2m or 4% of global turnover, whichever is the higher. This increased threat was enough to make us all sit up and take notice. We wondered how long it would be before the Information Commissioner increased her fines and, whilst they have slowly been increasing over the year, we were yet to see anything drastic. Until last week.
Just days apart, the ICO last week issued its decision to levy record fines against British Airways and Marriott International.
The UK’s data privacy regulator has said it plans to fine the US hotel group Marriott International £99.2m. The penalty relates to a data breach that resulted in about 339 million guests having their personal details exposed back in 2014, but the breach was only discovered in 2018. Around 30 million of these guests were Europeans protected by the GDPR. Marriott, whilst not directly responsible for the breach, had acquired a rival hotel group called Starwood, and it was Starwood’s data breach that Marriott subsequently inherited. A new system has been introduced to replace the compromised guest reservation system, and Marriott International’s president, Arne Sorenson, said: “We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been co-operating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.”
This case demonstrates clearly the importance of appropriate data protection due diligence pre-acquisition – those GDPR enquiries must be taken seriously – and the potential liability for a new purchaser (who assumes the role of data controller) post-acquisition. After a period of 4 years, during which the breach remained unnoticed, any warranty claim against Starwood might (depending on the legal drafting) have expired.
The Marriott penalty announcement comes a day after the ICO said it planned to fine British Airways £183m over a separate breach. The size of both penalties reflects the fact that the Commissioner has greater powers as a result of the EU’s General Data Protection Regulation (GDPR) and she isn’t afraid to use them!
British Airways was also the victim of a “sophisticated, malicious criminal attack” on its website. It was reported that the incident took place after users of British Airways’ website were diverted to a fraudulent site. Through this false site, details of about 500,000 customers were harvested by the attackers. The incident was first disclosed on 6 September 2018, and BA had initially said approximately 380,000 transactions were affected, but the stolen data did not include travel or passport details.
The BA fine amounts to 1.5% of its worldwide turnover in 2017, less than the possible maximum 4%. Until now, the biggest penalty issued by the Information Commissioner was £500,000, imposed on Facebook for its role in the Cambridge Analytica data scandal. That was the maximum allowed under the old data protection rules that applied before GDPR. We anticipate that had the Commissioner been able to issue a penalty under the GDPR, the figure would have been significantly higher.
Although perhaps, though we do not know, not quite as high as in the US, where regulators have approved a record $5bn (£4bn) fine on Facebook to settle an investigation into data privacy violations, according to reports in US media.
Investigations into Facebook’s practices began in March 2018 following reports that Cambridge Analytica had accessed the data of tens of millions of its users. The investigation focused on whether Facebook had violated a US 2011 agreement under which it was required to notify users clearly and gain “express consent” to share their data. Facebook had been expecting this $5bn fine and had put aside most of the money; however, we anticipate that additional measures may be placed on the company, such as increased privacy oversight, or there may even be personal repercussions for the company’s chief executive, Mark Zuckerberg. The settlement, which amounts to around one quarter of the company’s yearly profit, will reignite criticism from those who say this amounts to little more than a slap on the wrist. Nonetheless, it is a significant increase in the level of fines from those that were issued previously and again reinforces the position that we must take data protection seriously.