
Dentons White Paper: Key lessons from the first major GDPR fines for cyber breaches

Dentons

European Union, United Kingdom January 7 2021

The first headlines on the future threat of “mega fines” under the EU General Data Protection Regulation (GDPR) appeared as far back as 2016, when the text of the GDPR was first adopted by the European Parliament. Back then, major cyber and data security breaches were mentioned as prime candidates for mega fines approaching the 4% maximum.

This era seemed to have finally arrived when, in 2019, the UK Information Commissioner’s Office (ICO) signalled its intention to levy fines against British Airways plc (BA) and Marriott International, Inc. (Marriott) of £183.39 million and £99.2 million, respectively. These would have been by far the highest data protection fines ever imposed in the UK and EU.

However, in October 2020 the ICO published the final Monetary Penalty Notices (MPN) in relation to each of these two matters.[1] The fines were reduced massively – in BA’s case, to £20 million and, in Marriott’s case, to £18.4 million. Nevertheless, they remain the highest data protection fines imposed in Europe for cybersecurity breaches.[2] This was followed in short succession in November 2020 by the (seemingly low) fine of £1.25 million imposed on Ticketmaster UK Limited (Ticketmaster).[3]

The decisions are lengthy but, as the first GDPR fines for cybersecurity breaches, they are seminal. They provide clear pointers concerning the ICO’s approach to investigating and enforcing against perceived cybersecurity compliance failures, including:

  • how the regulator calculates the amount of fines;
  • the regulator’s expectations concerning the cybersecurity measures that organisations should have in place;
  • the risks that the ICO is prioritising when assessing the risk of harm to data subjects;
  • the importance of swift and efficient incident response and breach action;
  • the importance of cooperative but, at the same time, robust liaison with the regulator; and
  • a reminder that the risk of enforcement action is just one of the key adverse consequences of a serious cyber or data security breach.

Litigation is likely in these situations, and regulatory findings in MPNs may provide ammunition to claimants.

These first fines are likely to form the ICO’s “baseline” for cybersecurity and other personal data breach enforcement over the years to come. Despite Brexit, EU regulators are likely to consider the ICO’s approach and may follow similar approaches when dealing with cybersecurity breaches.

The key takeaways from these MPNs are:

  • The dramatic reduction of the fine in the BA and Marriott MPNs from the fine originally proposed by the ICO in each Notice of Intent (NoI). The crucial factor in the reduction of the fine was not the impact of COVID-19 or the good incident response behaviours displayed by the controllers. It was the successful attack, by the controllers (and their legal counsel), on the application of a draft policy on fines which pegged the level of fines to turnover, and from which the ICO was eventually pushed to depart following robust representations and legal arguments.
  • The Regulatory Action Policy (RAP) seen in action and ICO’s approach to fines and the calculation of quantum. The ICO worked through the “five-step procedure” in its RAP in a manner which provides a useful template for analysing and assessing future decisions and could help with rough estimates of the possible quantum of fines.
  • The ICO’s expectations concerning technical and organisational cybersecurity measures, which tell us “what good looks like” in the regulator’s view. The ICO was both granular and specific in terms of the standards expected under GDPR Articles 32 and 5(1)(f) to meet the threshold of “appropriateness”. Furthermore, this is a useful reminder that cyber incident response is a multidisciplinary effort, in which cyber and InfoSec professionals are the main subject matter experts. It is also clear that, moving forwards, cyber and data protection lawyers will need to ensure that they maintain their technical understanding to be able to advise on compliance and, when things go wrong, on the likelihood of adverse regulatory findings, the risk of enforcement action and the possible size of a fine.
  • The willingness of the ICO to make findings of negligence. When assessing the intentional or negligent character of the infringement (i.e. findings under GDPR Article 83(2)(b)), the ICO was open to making, on the face of the decision, findings that the controllers were negligent in their failings to comply with the GDPR. Whilst there is no detailed legal analysis contained within the MPNs themselves, and the MPNs are not binding on the courts, statements to that effect in MPNs can be used by claimants in their claims (whether in court proceedings or in settlement discussions) and will likely have persuasive force in the context of litigation proceedings (noting that group litigation proceedings are currently pending against BA and Marriott). Weighing the likelihood of this sort of finding is going to be crucial in determining the overall cyber breach response strategy, including dealing with data breach litigation.
  • Unsurprisingly, in all three cases, the main mitigating factor recognised by the ICO was the controllers’ swift and efficient incident response and remedial action. This is a useful reminder that incident preparedness, written and rehearsed incident response plans, awareness and training around incident response are the most essential risk mitigation steps that organisations can take prior to an actual incident.

Contents

  • Key background facts – BA
  • Key background facts – Marriott
  • Key background facts – Ticketmaster
  • Security measures and cyber learnings: what does the ICO expect?
  • Incident response
  • ICO’s approach to calculating the quantum
  • The law: substantive and procedural points
  • Key takeaways for dealing with breaches that may result in a mega fine

Notes

  1. The BA MPN is available here. The Marriott MPN is available here.
  2. Not the highest fine imposed for a breach of the GDPR – see, for example, the French CNIL fine of €50 million on Google in January 2019 for not having a valid legal basis to process the personal data of the users of its services (particularly for ads personalisation), and the French CNIL fines on Google and Amazon of €100 million and €35 million, respectively, for their use of web cookies to track user activities without seeking proper consent.
  3. A link to the Ticketmaster decision is available here.

Dentons - Antonis Patrikios, Monika Sobiecki, Nick Graham and Simon Elliott
© Copyright 2006 - 2021 Law Business Research