This summer's announcements by the Information Commissioner's Office (the "ICO") that it has issued notices of intention to fine both British Airways and Marriott International in respect of data breaches have highlighted how sharp the ICO's new GDPR teeth are.
Given the much higher stakes, with the maximum penalty sitting at £17 million or 4% of global turnover, it is very possible that we will see more instances in which fines awarded by the ICO are appealed than under the previous Data Protection Act 1998, when the £500,000 cap meant that fines were arguably small enough for many large businesses to simply take them on the chin.
The beleaguered BA and Marriott will no doubt be busy making representations to the ICO in an attempt to reduce the amount of the penalties which the ICO eventually decides to set, based on any mitigating factors or on arguments against the aggravating factors which the ICO would have had to set out in its notices of intent (the actual notices of intent have not been published by the ICO). They must be given at least 21 days in which to do this, and the ICO has 6 months from the date on which it submitted notice of each fine to issue a final penalty notice (though it cannot do so within the period which it sets for making representations).
But what happens if, despite the chance to make representations, BA or Marriott still want to dispute the final penalty amounts, and they feel that they have further grounds on which to appeal? Appealing GDPR fines is new territory, and we consider in this article how a business which has been issued with a penalty notice in relation to a data breach can go about doing this, from both a procedural point of view and substantively. At this stage of GDPR implementation, and until the ICO gets round to fulfilling the requirement set by the Data Protection Act 2018 (the "DPA") to issue guidance on how it will exercise its enforcement functions (including how it will determine the amount of penalties), much in terms of possible grounds of appeal is speculative, and we can only really go on what is set out in the GDPR and the DPA and any guidance produced by the former Article 29 Working Party (replaced by the European Data Protection Board), and draw analogies with similar regulatory regimes such as competition law.
The DPA provides rights of appeal against decisions made by the ICO, and it is the First-tier Tribunal (General Regulatory Chamber) which is the first port of call for handling such appeals. Whether the First-tier Tribunal (to which jurisdiction to hear appeals from decisions of the Information Commissioner was transferred in 2010, when the previous Data Protection Act 1998 was in place) will be able to cope with the potential complexity and the number of appeals which GDPR might now generate is something which only time will tell. However, there is scope in the Tribunal Procedure Rules for cases to be transferred straight to the Upper Tribunal where this is considered appropriate.
Appellants have 28 days to appeal after the ICO has sent them its penalty notice, though there is scope to ask for more time (at the discretion of the Tribunal).
The Tribunal process is as follows:
- A form is completed in the initial instance;
- ICO has 28 days to respond;
- You can write back with further evidence/arguments within 14 days;
- You can ask to have the appeal decided based on the documents in the case or at a hearing where you can put your case in person;
- The hearing is attended by a judge and sometimes two other tribunal members, a representative from the ICO, you and your representative;
- There is recourse to appeal a decision of the First-tier Tribunal to an Upper Tribunal, provided that you do so on a point of law, not fact.
The process appears to be a relatively straightforward one – see the box below for further details.
Section 162 of the DPA permits a person who is given a penalty notice to appeal the fact that the penalty was issued, or simply appeal the amount of the fine. The DPA requires the Tribunal to allow the appeal or substitute it with another notice or decision, if it considers:
1. that the notice or decision against which the appeal is brought is not in accordance with the law; or
2. to the extent that the notice or decision involved an exercise of discretion by the ICO, that the ICO ought to have exercised its discretion differently.
The DPA also permits the Tribunal to review any determination of fact on which the penalty notice or decision against which the appeal is brought is based.
This is not dissimilar to the system of appeal in UK competition law cases: the Competition Appeal Tribunal can hear full merits appeals against decisions to fine issued by the Competition and Markets Authority ("CMA"), or appeals can be limited to issues relating to the amount of the fine and the way it is calculated (see box below for further details). The latter tends to be the typical basis on which you appeal, as often the infringement itself will be well established.
We anticipate that similar arguments to those set out in the box below could be used in appeals against ICO decisions. Article 83 also provides a good basis for some of the arguments that you might run in appeal. In the first place, this requires supervisory authorities to ensure, when imposing fines, that they are effective, proportionate and dissuasive. It might be the case, especially once further precedents are set, that it can be argued that the amount of a penalty (or its appropriateness as a "remedy") is disproportionate, and that there are examples of other penalties set in relation to similar circumstances which are much lower and yet judged to be effective and dissuasive.
In addition, Article 83 sets out a number of factors which supervisory authorities must have regard to when deciding whether to impose a fine, and the amount.
Factors set out in Article 83 such as the nature, gravity and duration of the infringing event, the number of data subjects affected and the level of damage suffered by them, together with any action taken by the data controller to mitigate such damage, the intentional or negligent character of the infringement, and the degree of responsibility of the controller or processor taking into account the technical and organisational measures implemented by them and their track record on infringements generally, not only involve considering questions of fact which might be challenged, but also, to a certain degree, require subjective judgements to be made which are then open to attack under the DPA, because they require the Information Commissioner to exercise discretion. At the moment, and given that the GDPR is still in its infancy, there is little precedent or clear guidance directly linking aggravating factors to amounts within the fining parameters, which must, you would think, also help when it comes to a challenge.
Article 29 Working Party Guidance
This is the case even in the most comprehensive official guidance to date on administering fines under the GDPR, which is the Article 29 Working Party Guidelines 2017 (since endorsed by the European Data Protection Board) on the application and setting of administrative fines under GDPR. This simply states that once a supervisory authority decides that a fine is an appropriate 'corrective' measure to take, the factors set out in Article 83 provide a tiering system in order to identify the maximum fine that can be imposed according to the nature of the infringement in question. The guidelines do, however, provide some useful insights into how a supervisory authority should view and broadly weight such factors, and these again might help in arguing that the Article 83 factors were not assessed or applied correctly.
Appropriate Technical and Organisational Measures
Whilst taking appropriate technical and organisational measures can, as implied by Article 83, certainly contribute towards mitigating a decision to award a penalty together with the amount, another line of attack, in cases where a penalty is set in direct response to an infringement of the Article 32 obligation to implement appropriate technical and organisational measures, is around whether there was in fact an infringement, which in turn will depend on what exactly is meant by 'appropriate technical and organisational measures', and whether the ICO applied the test correctly.
Again, the development of case law on this point will be key to understanding how this is interpreted in any given sector. For now, however, factors such as whether a business followed industry-specific guidance such as FCA guidance on data security (in the case of a financial services business), obtained the ISO 27001 information security standard, or followed the National Cyber Security Centre Cyber Assessment Guidance will no doubt come into play – as again confirmed in the Article 29 Working Party Guidelines, which advise that supervisory authorities take due account of any best practice procedures, industry standards and codes of conduct in the respective field or profession.
It is of note in this regard that to date, in the enforcement notices which it has issued in respect of data breaches under the previous Data Protection Act, the ICO appears to have steered clear of offering an opinion as to what it actually considers appropriate in any given situation, instead setting out those aspects of an organisation's conduct that it considered inappropriate. However, we predict that in future far more will turn on expert opinions as to what the baseline should be in the first place, and enforcement notices do nevertheless provide useful guidance as to the failures, in particular basic failures such as outdated software, inadequate patching measures or the absence of anti-virus measures, of which it is likely the ICO – and any tribunal or court – would take a rather dim view.
Yet another ground for appeal might be in relation to the different levels of fines which GDPR applies for different breaches. Breach of some articles, such as the basic principles for processing, transparency obligations, and infringing the rights of data subjects, attracts the higher maximum penalty of 4% of turnover or 20 million Euros (Article 83(5)); whereas failure to comply with the obligations which are placed on controllers and processors in relation to the way they run their internal systems and processes attracts the lower penalty of up to 10 million Euros or 2% of turnover. In some circumstances where the ICO awards a fine under the higher penalty scale, it might be argued that the ICO incorrectly determined the nature of the breach, and in turn should have applied the lower penalty scale.
In cases of appeal against a CMA decision involving a fine, we typically consider the following grounds of appeal for our clients:
- Has the evidence been understood and characterised properly?
- Does the evidence support the findings? Was there an infringement?
- Was the infringement proved to the required standard of proof?
- Has the CMA adequately explained its approach/fining methodology so as to give the appellant a proper right of defence?
- Was the correct approach followed to imposition and calculation of fines?
- Does the fining methodology result in a figure which is disproportionate and discriminatory?
- How was turnover arrived at? Was it calculated correctly? Did it take into consideration the correct entities when calculating turnover?
Are there other avenues for appeal?
The Court of Appeal is the forum for appealing decisions of the Upper Tribunal, and again, appeals can only be brought on questions of law.
There is also the possibility of judicial review; however, this is only really appropriate in limited cases, namely those where a challenge can be made to the way in which the ICO reached a decision, and it can be a costly and cumbersome exercise. Judicial review is not a solution to challenging the ICO's actual decision to award a fine or the amount of that fine.
Tying it all together
There is an established process for appealing ICO fines; however, only time will tell whether that process can cope in the new GDPR world, when those on the receiving end of large ICO penalties will be keen to fight them in any way they can. We look forward to further clarification in the shape of enforcement guidance from the ICO as to how it will calculate penalties, but in the meantime the lack of precedent, at least in the initial stages of GDPR implementation, might seem advantageous to those bringing appeals.
Travers Smith is well placed to help any business which wants to look at its options in this regard: our team of highly regarded Competition and Disputes lawyers have together amassed a wealth of experience in successfully appealing regulatory fines, and our cutting-edge data protection specialists provide pragmatic, commercial interpretation of data protection law. Between them we can offer you a formidable team to help steer you through the as yet uncharted waters of data protection litigation which we foresee.