The amount of data created each day is growing at an increasing rate. Forget about gigabytes and terabytes, it’s reported that the digital universe currently sits at around 4.4 zetabytes. This is expected to reach 44 zetabytes by 2020. While this presents a number of opportunities for entities, it also carries several risks, most notably in relation to privacy.
Globally, regulators are flexing their muscles and imposing higher fines for privacy breaches than ever before. While these fines send a strong message to the market, it remains to be seen whether alone, they will be sufficient to compel entities to make any meaningful change to their data practices. In this article, we cover some of the most recent enforcement actions by the US, UK and Australian privacy regulators.
On 12 July, the US Federal Trade Commission (FTC) announced that Facebook Inc. (Facebook) would be required to pay US$5 billion to settle charges that Facebook violated a 2012 FTC order in which Facebook agreed to obtain the consent of users before sharing their data beyond their privacy settings. This penalty represents the largest of its kind ever imposed and is more than 21 times that imposed earlier this month by the Information Commissioner’s Office (ICO) on British Airways.
The settlement also requires Facebook to (among other actions) create a privacy committee and submit to additional restrictions, including a modified corporate structure that is intended to keep the company accountable for decisions that it makes about the privacy of its users.
On the same day, the FTC filed an administrative complaint against Cambridge Analytica, LLC for “deceptive acts and practices to harvest information from Facebook users for political and commercial target advertising purposes”, as well as settlements for public comment with Alexander Nix, their former chief executive and Aleksandr Kogan, an app developer that worked with the company.
On 8 July, the ICO announced its intention to fine British Airways £183.39 million over last year’s data breach which affected approximately 500,000 of its customers. The following day, the ICO served a ‘Notice of Intent’ to fine Marriott Hotels £99,200,396 for a data breach affecting the Starwood hotel chain (which Marriott Hotels acquired in 2016).
The fine on British Airways represents 1.5% of the airline’s 2017 worldwide turnover and is the largest fine ever imposed by the ICO for a data breach and the first since the introduction of the General Data Protection Regulation (GDPR). The largest fine imposed by the ICO pre-GDPR was £500,000 on Facebook for its role in the Cambridge Analytica data-harvesting scandal.
Between June and September last year, British Airways’ customers were diverted from British Airways’ website to a fraudulent website, where their names, email addresses, credit card information, travel booking details and logins were harvested. British Airways responded quickly to the breach, cooperated with the ICO and implemented security improvements.
The Information Commissioner, Elizabeth Denham emphasised the importance of data protection, noting that “People’s personal data is just that – personal”. British Airways now have 28 days to appeal the ruling before it is made final. British Airways has made clear that it intends to appeal.
The Marriott Hotels security breach arose in 2014 when Starwood’s reservation database was hacked releasing 5 million unencrypted passport numbers and 8 million credit card records. The breach affected approximately 30 million EU residents. Marriott Hotels have said that they intend to appeal the fine. The ICO’s statement in response to the breach indicates that this fine is likely not the last that we will see of this significance:
“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
The Office of the Australian Information Commissioner’s (OAIC) Notifiable Data Breaches Scheme 12-month Insight Report released in May of this year revealed that 964 notifications were made to the OAIC under the mandatory notifiable data breach scheme between April 2018 and March 2019. Despite this high volume, the OAIC is yet to impose a fine for a breach of the scheme.
The Commissioner stated in its report that the OAIC would be taking a proportionate and evidence-based regulatory approach in relation to the scheme, including in relation to exercising its enforcement powers where necessary. Combined with the recent announcement by the Australian government of its intention to increase the penalty under the scheme from $2.1 million to the greater of:
- $10 million;
- three times the value of any benefit obtained through the misuse of information; and
- 10 percent of a company’s annual domestic turnover,
we could soon be seeing penalties closer to that issued by the ICO and the FTC. We discuss these changes in greater detail in our article 'Australia's privacy and consumer laws to be strengthened'.
There can be no doubt that penalties for privacy related offences are increasing around the world and given the amount of data created each day (and the fact that this amount is set to increase tenfold in the next year), this trend is likely to continue. Having said that, it remains to be seen whether these penalties will be of sufficient magnitude to compel entities to change their practices in any meaningful way or whether they will be factored into the ‘cost of doing business’.