Following swiftly on from its decision to fine British Airways (BA) £20m, the UK’s Information Commissioner’s Office (ICO) has now announced that it will fine Marriott International Inc. (Marriott) £18.4m for its breaches of GDPR. Whilst this is still a substantial fine, in common with the BA decision, it is significantly lower than the amount the ICO had originally proposed to fine Marriott.
With respect to BA, the ICO proposed a fine of £189.39m in July 2019, representing just under 1.5% of BA’s global turnover. For Marriott, the ICO’s proposed fine also in July 2019 was £99.2m, around 3.5% of the group’s turnover. The final £20m fine for BA represented a reduction of around 90% and is less than 0.2% of BA’s global revenues, and for Marriott it was a reduction of around 80% representing approximately 0.6% of Marriott’s global revenues.
Both fines fall well below the maximum amount the ICO could impose under GDPR, and there has been some speculation that Covid-19 may have been a reason for this. Whilst some element of the reduction can be attributed to the economic impact of Covid-19, this is not the only factor which contributed to the reductions.
It will be of great interest to other organisations which have suffered data breaches to understand whether the ICO simply miscalculated or made a mistake in its initial proposed fines, or whether there were other factors and lessons which can be learned about the ICO’s likely approach to the calculation of future fines. It is also likely to be of interest to investors considering valuations for businesses which have already suffered, or are at risk of, cyber attacks.
The basis for calculation of fines
The ICO issued the fines for infringement of GDPR using its powers under the Data Protection Act 2018 (DPA) and acted as lead supervisory authority on behalf of other EU Member State data protection authorities. Article 60 GDPR requires the lead supervisory authority to cooperate with other supervisory authorities in an endeavour to reach consensus.
Under the GDPR, an organisation can be fined up to 20m euros or 4% of its global turnover for the previous year, whichever is the higher. In considering whether to impose a penalty, and in calculating the amount of the penalty, the ICO has regard to the matters listed in Articles 83(1) and (2) GDPR and applies the five-step approach set out in the ICO’s Regulatory Action Policy (RAP). More recently the ICO has also published its regulatory approach to the Covid-19 pandemic.
According to the RAP, the ICO’s aim in issuing penalties is that they should be both an appropriate sanction for a breach of the legislation and an effective deterrent to others. Penalties are reserved for the most serious cases which will typically involve wilful, deliberate or negligent acts, or repeated breaches. It is more likely that the ICO will impose a penalty where (a) a number of individuals are affected; (b) there has been a degree of damage or harm (which may include distress and/or embarrassment); and/or (c) there has been a failure to apply reasonable measures (including relating to privacy by design) to mitigate any breach or the possibility of it. Each of these features was clearly present in the BA and Marriott cases.
5 Step Test
Where the ICO has discretion to set the amount of any penalty, it will do so by applying a 5-step mechanism which is described in the RAP. Details of how the ICO applied the 5 Step Test in connection with the BA and Marriott breaches are set out below.
Regulatory approach to Covid-19 pandemic impact
In response to the economic impact of Covid-19, the ICO has explained that, whilst organisations are still expected to comply with their legal obligations, before issuing fines it will take into account the economic impact and affordability of the fines for the organisation and in the current circumstances, this is likely to continue to mean that the level of fines will be reduced. The ICO applies the Covid-19 impact assessment after it has completed its 5-step assessment.
Representations made to ICO
As part of the lengthy process to investigate each of the breaches and arrive at the final penalties, the ICO considered extensive representations made by each of BA and Marriott.
Unlawful application of ICO’s Draft Internal Procedure
Both BA and Marriott alleged that the ICO had misapplied its powers under the GDPR and had unlawfully applied its RAP, including by reference to an unpublished draft internal procedure for calculating proposed penalties using turnover bands as a supplement to the RAP.
The ICO conceded that the draft internal procedure, which had been developed as a tool to assist decision-makers in applying Article 83 GDPR and the RAP, should not be applied as a “reference point” for the penalties and that it would apply only Article 83 GDPR, Section 155 DPA and the RAP.
The organisations also contended that turnover should not be used as a core metric in cases where the organisation had not benefited from the breach. However, the ICO remained firmly of the view that an organisation’s turnover was a relevant consideration and that this was consistent with the approach taken to penalties in the GDPR. The ICO explained that, whilst not the sole factor in determining the penalty, an organisation’s financial position remained one of several core quantification metrics to be applied in order to ensure that the penalty was effective, proportionate and dissuasive. The ICO drew a comparison with the competition law regime, which also emphasises deterrence and takes turnover into account in penalties.
Comparison to other EU fines under GDPR
BA and Marriott both challenged the amount of the proposed fine by reference to various fines imposed by other EU supervisory authorities under GDPR. The organisations both argued that the higher level of fine imposed by the ICO was inconsistent with the stated aim of the GDPR to create a harmonised regime. The ICO dismissed this argument on the basis that each case must turn on its own particular facts, that the ICO is obliged to impose a penalty in its own judgement having regard to all matters listed in Article 83, and accordingly that simple comparisons of penalties imposed in different cases are not relevant. The ICO further explained that, given the relatively new regime and the limited public information available about the reasons for the decisions taken by other authorities, it would be premature and unhelpful to rely on a survey of action taken by other supervisory authorities.
ICO’s calculation of the fines for BA and Marriott
5 Step Test
When GDPR came into force.
Whilst the ICO’s regulatory policy on the economic impact of Covid-19 did reduce the fines, its effect is much smaller than might have been anticipated, particularly given that it is hard to imagine many industries more heavily affected than the airline and hospitality sectors. The fact that BA and Marriott both co-operated fully with the ICO and took prompt action to alert data subjects and mitigate the loss suffered had a larger overall impact on the scale of reduction.
However, it also seems clear that by far the largest reduction was achieved through the representations and challenges made by BA and Marriott, in particular their successful challenges to the ICO’s use of its draft internal procedure and the turnover bandings. Whilst the ICO did not acknowledge it to be the case, we might also speculate that it took into account the substantially lower scale of fines imposed by other supervisory authorities and that, whilst there was undoubtedly a large element of negligence by both organisations, there was no wilful intent nor any benefit gained by either organisation.
In summary there are some useful lessons we can take away from this.
- The ICO has confirmed that it will not apply the turnover bands set out in its draft internal procedure but will apply each penalty on the applicable facts and the particular circumstances of the controller/processor.
- An organisation’s turnover and financial status remain a key factor in determining the level of a fine but are not the only factor; the ICO will also take into account other metrics including the size, scale and impact of the breach and the need for penalties to be effective, proportionate and dissuasive.
- Promptly notifying the ICO, cooperating fully with it, taking all reasonable steps to mitigate the losses of data subjects and committing to a continuing programme of IT security improvements are likely to lead to reductions in the level of fines.
- The impact of Covid-19 will be a consideration for the amount of the fine, but this will be case-specific. At less than 15% of the baseline amount in the case of both BA and Marriott, this amounts to a fairly small reduction overall. Organisations less badly impacted by the pandemic are unlikely to gain substantial reductions in penalties and the ICO still expects all organisations to continue to invest in good cyber security and data protection practice.
- Finally, mounting a robust challenge to an ICO enforcement notice or notice of intent seems to be very worthwhile, especially when there is the risk of a substantial fine.