Like many others in the data protection world I was initially taken aback by the size of latest fines proposed by the ICO. The idea of fining British Airways in excess of £183m and Marriott International nearly £100m for data breaches that in pre-GDPR days would have attracted fines of no more than £500,000, and probably substantially less, seemed extraordinary. Of course these are only proposed fines. They could be reduced significantly or even cancelled altogether following representations from BA and Marriott as well as, under the GDPR’s cooperation mechanism, from the other concerned data protection authorities. Nevertheless the proposals clearly demonstrate both a step change in the ICO’s approach to sanctions arising from data breaches and its intention to make use of the full ranges of administrative fines available to it under the GDPR.
Should we be surprised? Perhaps less so now that the ICO’s proposed fines have been put into perspective on a global scale by the US Federal Trade Commission’s record $5 billion settlement with Facebook. We need to bear in mind though that the Facebook settlement took place under a very different legal and regulatory system from that operating in the EU and for very different privacy shortcomings from those that are the focus of the proposed BA and Marriott fines.
Were the markets surprised? Perhaps surprised but apparently not shocked. We often hear about how major privacy failings can affect a business’s share price and there is some evidence that this has happened in the past, such as with the US retailer Target. In line with financial market reporting obligations both BA and Marriott had to inform their respective stock markets about the ICO’s proposed fines. We might therefore have expected a fall in share price as a result but this didn’t happen. Although there were small falls initially both sets of shares quickly recovered in value. And Facebook’s share price actually rose after its settlement with the FTC was announced, although this may have been because the settlement was extensively trailed in advance and so any adjustment in share price had already taken place with the market simply expressing relief that the final settlement was no more onerous than expected. Perhaps all this only serves to confirm the view that it is the loss of consumer trust and confidence resulting from privacy failures that is the real driver of share price and hence change in business practice rather than regulatory penalties, however high these might be. As even Elizabeth Denham herself has said recently, ”Fines are not what will change business models.”
So should we still be surprised despite the Facebook settlement and the market reaction? Yes, but on considered reflection perhaps not quite as surprised as we were initially. Although we are unlikely to get a full understanding of the ICO’s reasoning in these cases, at least until we see the final penalty notices and perhaps not until any appeals are heard, there could be some sound reasons why the ICO is taking such an apparently punitive approach.
Does the Statutory Guidance Give us any Clues?
Section 160 of the Data Protection Act 2018 obliges the Commissioner to publish guidance on how she proposes to exercise her functions in connection with penalty notices, including how she will determine the amount of any penalties. This statutory guidance forms part of the ICO’s Regulatory Action Policy. It sets out the mechanism through which penalties will be set as:
|Step 1. An ‘initial element’ removing any financial gain from the breach.
Step 2. Adding in an element to censure the breach based on its scale and severity, taking into account the considerations identified at section 155(2)-(4) of the DPA.
Step 3. Adding in an element to reflect any aggravating factors.
Step 4. Adding in an amount for deterrent effect to others.
Step 5. Reducing the amount (save that in the initial element) to reflect any mitigating factors, including ability to pay (financial hardship).
The guidance also says that, generally, the amount of any penalty will be higher where:
• vulnerable individuals or critical national infrastructure are affected;
• there has been deliberate action for financial or personal gain;
• advice, guidance, recommendations or warnings (including those from a data protection officer or the ICO) have been ignored or not acted upon;
• there has been a high degree of intrusion into the privacy of a data subject;
• there has been a failure to cooperate with an ICO investigation or enforcement notice; and
• there is a pattern of poor regulatory history by the target of the investigation.
On the face of it there is little clue in the Guidance as to why the proposed fines are so high. It is hard, for example, to see how there can have been any financial gain for either BA or Marriott from the breaches. It also seems unlikely that the factors which might generate a higher penalty would be applicable, with one possible exception as we don’t yet know for certain whether the ICO is suggesting that there might be any advice, guidance, recommendations or warnings that were ignored or not acted upon. Nor do we know how the ICO has assessed the considerations referred to in Step 2 above, which largely mirror those set out in Art 83 of the GDPR, including, for example, the degree of responsibility of the controller, taking into account the technical and organisational measures they have implemented.
All that we can reasonably conclude at this stage is that the ICO is satisfied that, even though both BA and Marriott were the victims of criminal activity, the nature, gravity and duration of their underlying security shortcomings and the degree of their responsibility as data controllers means that the fines have to be set at the high levels proposed in order to meet the overriding requirement of being effective, proportionate and dissuasive.
What Might be The ICO’s Thinking?
So why might the ICO believe that fines of £100m and more are required to be effective, proportionate and dissuasive in addressing the security infringements behind large data breaches? Perhaps the starting point is to take a step back and look at what the GDPR was intended to achieve. Elizabeth Denham is amongst those, including the European Commission, who have described the coming of the GDPR as heralding a new era for data protection and used terms such as “game changer”. Maybe the ICO wants to send a message that we are indeed in a new era and that the game has now changed. Data protection authorities, including the ICO, have been given the power to impose fines of up to 4% of global annual turnover and they are likely to argue that the architects of the GDPR had a clear intention that they would deploy the full range of these powers.
The approach could even be as simple as an infringement that would have attracted a fine of X% of the way up the old scale of £0- £500,000 will now attract a fine of X% of the way up the new scales of either 0% – 2% or 0% – 4% of annual turnover, depending on the nature of the infringement. Assuming that in the current cases the infringement in question is simply a breach of the security requirements of Art 32 of the GDPR, the maximum fine would be 2% of turnover. This would put the BA fine of 1.5% of global annual turnover three quarters of the way up the scale and the Marriott fine, which appears to be 0.5% of turnover, a quarter of the way up the scale. Under the previous regime this would have meant a fine for BA fine of £375,000 and a fine for Marriott of £125,000. From what little we know of the facts these figures don’t seem unreasonable but if this is indeed the ICO’s approach it might ring some alarm bells for businesses given how many of the fines imposed by the ICO in recent years were well up the old scale.
The ICO might also be sending a message about security breaches based on the deterrent effect to others covered in Step 4 above. Successful cyber attacks that put personal data at risk have become all too common but must not be accepted as the norm. The ICO might well argue that businesses need to be ever more vigilant and invest even more in protecting against such attacks. They could be trying to send an even clearer message than before that, given the extent of the threat, businesses generally need to have state of the art security measures in place and those that do not run a real risk of multi-million pound fines. The message could even be that simply relying on the current state of the art to protect against cyber attacks is no longer sufficient to secure personal data appropriately and that substantial investment in upping the state of the art is required. How far this is a realistic objective must, though, be open to doubt, and would appear to go beyond what is contemplated by Recital 83 of the GDPR which, consistent with the previous legislation, seems to allow a balancing of state of the art/costs of implementation and consideration of the risks.
Then there might simply be a desire to build the reputation and ensure the continuing relevance of a regulator whose mission is to protect the information rights of individuals. For the ICO it is almost certainly more comfortable to be seen to be proposing high penalties for serious infringements, albeit that these might attract criticism from the business community, than to be seen proposing lower penalties that might attract criticism from those representing the public and their interests, particularly given the clear public messages on effective enforcement associated with the introduction of the GDPR. Better from the ICO’s point of view to be perceived by the public as a tough regulator than a weak one and easier for the ICO to come down from high fines to lower ones if forced to do so through the appeals process than to try to move upwards from a low base in response to public criticism.
Some Unanswered Questions
The Article 29 Working Party said in its Guidelines on Administrative Fines (subsequently endorsed by the EDPB) that implementation of the GDPR across the EU should lead to the imposition of equivalent sanctions. Whilst it is hard to disagree with this statement it remains unclear just what is meant by an “equivalent” sanction. Should similar infringements by different businesses and in different countries attract similar levels of fines in absolute terms or should the levels of the fines be calculated to have a similar impact on the businesses even though their monetary values might vary widely? Basing fines on a percentage of turnover would suggest a move towards the latter but even so a fine of say 1.5% of annual turnover might have a very different impact on one type of businesses than on another. What amounts to an “equivalent” sanction in this context? So far there have only been a handful of fines imposed by European data protection authorities for infringements of the security requirements of the GDPR but the highest, imposed by the CNIL, was for EUR400,000 and the remainder all came in at less than half this figure. Given the drive for equivalence, what might be the justification for the ICO’s proposed fines being in such a different league? To what extent could this be because of the cross border nature of the processing in question?
Regardless of the picture across Europe, the ICO still has to ensure consistency in its treatment of data controllers in the UK, or at least be able to justify any inconsistency in such treatment. Will other businesses that report data breaches of a similar nature to those at BA and Marriott, even if on a smaller scale, all face “equivalent” fines? If so, given the number of data breaches being reported to the ICO, the resource implications are likely to be considerable particularly if, as seems likely, higher fines lead to significantly more appeals. Or is the ICO focussing on what it sees as the big players and using these to set an example? If so can it justify this approach if put to the test in any appeals? And what about public sector data controllers? Will they face equivalent levels of fines given that, in the past, some of the most serious failures to secure personal data have been the responsibility of public sector bodies? Even if public sector fines are based on the maxima of 10m or 20m EUR rather than on their annual turnover a breach, equivalent to that at BA, could, using the methodology above, result in public sector fines approaching £7m or even £14m. How far is this sustainable?
Of course a key question is whether the proposed fines are proportionate. Although we don’t know enough of the facts yet to make a judgement and, even when we do, there are likely to be different opinions, there must be at least some doubt over proportionality. Consistent with the ICO Regulatory Action Policy objectives, Elizabeth Denham has said previously that hefty fines will be reserved for those who persistently, deliberately or negligently flout the law. How far is this the case here and does it justify the level of fines proposed particularly given that, for the businesses concerned, the processing of personal data is only a secondary activity? Is it fair and proportionate that fines for failing to properly protect personal data should be based on a turnover that, in the case of BA, derives primarily from flying passengers and goods around the world and, in the case of Marriott, from renting out hotel rooms? Shouldn’t fines based on turnover take some account of the extent to which the turnover in question is derived from processing personal data and in particular from processing personal data improperly.
Here it is worth bearing in mind some of the thinking behind the high levels of penalties available under the GDPR and especially those based on annual turnover. When the GDPR was under development a parallel was drawn with the application of competition law with the need for GDPR penalties to be sufficiently high to address businesses that profit from the unlawful processing of personal data and enable such businesses to be deprived of their ill-gotten gains. This suggests that fines based on a percentage of turnover rather than the alternative scales with fixed maxima of 10m and 20m Euro were intended for use primarily against data centric businesses with business models relying on processing personal data improperly rather than the likes of BA and Marriott for whom processing of personal data is a secondary activity and who are unlikely to have profited from their supposed shortcomings.
The final question is simply, “Do these proposed fines feel right?”. When I was at the ICO, with responsibility for signing off our fines, we had a systematic approach to determining the level of any proposed fine. Nevertheless, at the end of this process, we always asked ourselves a simple question as to whether the level of fine felt right to us, taking into account everything that we knew about the nature of the breach, the circumstances of the data controller, the range of other fines imposed and the surrounding regulatory climate. Sometimes the proposed penalty was increased, sometimes it was decreased although usually it remained unchanged. The ICO’s penalty setting processes may well be more sophisticated these days and now appears to involve a panel of non-executive advisers, at least in setting the highest penalties, but it would be surprising if the ICO has not asked itself the same “feel right” question about the proposed fines for BA and Marriott. Despite this, and recognising that we are not yet aware of the full facts, there will doubtless be many who will take some persuading before they feel able to share the ICO’s view that, for the infringements at issue, the levels of the fines proposed feel about right.
What Comes Next?
We know that there are more GDPR fines in the pipeline. Elizabeth Denham has said recently that as well as the proposed fines for BA and Marriott there will be. “… around another dozen over the summer period.” Of course we don’t know yet whether these will be in anything like the same league as the BA and Marriott fines but once details start to emerge they should help us develop a fuller understanding of how the ICO intends to use its enhanced, GDPR fining powers and, in particular, whether multi-million pound fines will be the exception or become the norm.
We should also gain a deeper understanding when we learn more about the ICO’s thinking behind the proposed fines for BA and Marriott. Once the ICO has made its final decisions we can expect that the penalty notices will be published, unless, in either case, the ICO decides not to proceed with a fine following the representations received. Assuming that substantial fines are, in the end, imposed the signs are that they will be followed by appeals to the First Tier Tribunal (General Regulatory Chamber) and possibly beyond. From bitter experience I know that ICO witnesses are likely to be put under pressure at the Tribunal to justify the ICO’s reasoning and its decision making to a much greater degree than that required for the published penalty notice. As the Tribunal’s proceeding take place in public we may well learn more at this stage. Furthermore, whether or not the Tribunal upholds the ICO fines we can expect that the Tribunal’s own reasoning, as outlined in its published judgment, will both influence the ICO going forward and add further to our own understanding.
Meanwhile the Swedish data protection authority has announced that, along with its Dutch and UK counterparts, it will chair an EDPB working group seeking to produce a set of common EU guidelines on the harmonisation of penalties for similar breaches of the GDPR across the EU. The guidelines are supposed be completed and adopted next year, following which national guidelines will be revisited. On the face of it the creation of this working group can only be seen as a welcome step towards the desired goal of harmonisation in the treatment of businesses by the various EU data protection authorities. However any such welcome might be prove to be short-lived if the result of the working group’s endeavours is that the multi-million pound fines proposed by the ICO in the BA and Marriott cases become the norm throughout the EU. Of course it remains to be seen to what extent, if at all, the ICO will be permitted to continue to contribute to the activities of this working group after 31st October.