EDPB and ICO respond to the Brexit data transfer window

As most in the data community are aware, the EU-UK Trade and Cooperation Agreement (the “Brexit Deal”) was agreed on Christmas Eve and provides for an interim period (up to a maximum of six months ending on 30 June 2021) whereby data transfers from Europe to the UK will not be treated as transfers to a third country subject to Chapter V of the GDPR following the end of the transition period on 1 January 2021, provided the UK complies with certain conditions during the interim period (discussed in our blog here).

Following this, both the European Data Protection Board (“EDPB”) and the UK’s supervisory authority (the Information Commissioner’s Office (“ICO”)) have issued either updated or new responses which provide some more clarity on areas of focus and what to expect over the coming year.

The EDPB’s Response

Prior to the Brexit Deal being agreed, in mid-December the EDPB adopted its ‘Statement on the end of the Brexit transition period’ (here) (the “Statement”) and an ‘Information note on data transfers under the GDPR to the United Kingdom after the transition period’ (here) (the “Information Note”) which highlighted some key considerations of the EDPB.

Following the agreement and implementation of the Brexit Deal from the beginning of 2021, the EDPB has now updated the Statement and Information Note.

  • The interim data transfer window

In line with Article FINPROV.10A of the Brexit Deal, the update to the Statement and Information Note emphasises that data transfers to the UK can continue to take place without the requirement of a transfer tool under Article 46, or relying on the derogations list under Article 49, until 30 June 2021 (at the latest) provided that the UK’s current data protection regime stays in place.

  • Preparing for an adequacy decision (or lack of one)

The EDPB provides no further view on the adequacy of the UK’s data protection regime other than that the timeline for a favourable decision has now been pushed to the end of June. If a favourable adequacy decision is not taken by 30 June 2021, the EDPB emphasises in the Statement and Information Note that transfers between entities regulated by the GDPR to the UK will become subject to Chapter V of the GDPR. This will mean that transfers to the UK will require adequate safeguards such as standard data protection clauses, binding corporate rules, intra-group agreements, codes of conduct etc. to be put in place along with ensuring enforceable data subject rights and effective legal remedies for data subjects as required by Article 46.

The Information Note further reminds controllers and processors that, absent an adequacy decision, from the end of the interim period compliance with other GDPR obligations will come into sharper focus, including:

    • updating privacy notices and records of processing to account for data transfers to the UK;
    • taking caution if intending to rely on grounds under Article 49 in the absence of safeguards under Article 46, as such grounds are to be interpreted restrictively, only being fit for occasional and non-repetitive transfers; and
    • considering whether any supplementary tools may need to be put in place, a relatively complex and time-consuming consideration discussed further here (albeit the fact that the UK’s data law is the application of the GDPR then such consideration should theoretically be straightforward).
  • One-Stop-Shop mechanism

While not affected by the EDPB’s updates, it is worth noting that the Statement and Information Note also clarify the applicability of the One-Stop-Shop (“OSS”) mechanism envisioned by the GDPR within the UK.

The OSS mechanism provides that the supervisory authority in the jurisdiction of an entity’s main establishment will act as the lead supervisory authority and carry out compliance and regulatory functions on behalf of supervisory authorities in each EU jurisdiction in relation to that entity.

From 1 January 2021, the OSS will not apply in the UK so that the ICO will not be able to act as a lead supervisory authority (i.e. the Brexit Deal did not extend this mechanism). The EDPB notes that it has engaged with supervisory authorities and the ICO to ensure a smooth transition of existing cross-border cases.

The Statement and Information Note goes on to remind controllers and processors that they remain free to establish a main establishment in an EU jurisdiction under Article 4(16) to utilise the OSS mechanism (although the feasibility of this for many entities may well be impracticable). If this is not in place, entities will need to designate a representative under Article 27 as long as their activities are subject to the GDPR under Article 3(2).

The ICO’s Response

In a blog posted on 22nd January (here), the ICO’s Information Commission Elizabeth Denham responded to the Brexit Deal (the “ICO Response”) by welcoming the long-term commitments made by the EU and UK, most notably, to promoting high international standards of data protection, developing a regulatory relationship, and co-operating on enforcement activity.

The ICO Response considered the interim period allowing data transfers between Europe and the UK as the “best possible outcome for UK organisations” in light of the risks and impacts to digital trade if this had not been put in place. However, given this interim period will end in either four or six months under the Brexit Deal, the importance of a positive adequacy decision for UK data flows is clear in the ICO Response, emphasised by the reference to the EU’s commitment to considering the UK’s adequacy position “promptly” in a declaration accompanying the Brexit Deal. Although the ICO Response also sounds the warning that adequacy is not guaranteed and so organisations should be putting in place appropriate safeguards during this window.

Finally, as well as some specific commentary regarding data sharing in the context of law enforcement  and noting that the UK must also notify the EU-UK Partnership Council, as far as reasonably possible, of any new international transfers of personal data between public authorities for international transfers of personal data, the ICO Response also highlights that the process for any decisions in a range of areas (including UK adequacy decisions, approving international transfer mechanisms, or standard contractual clauses) must be put before the EU-UK Partnership Council. Given this requirement, it may be that material departure from the current UK data protection position is unlikely in the imminent future.

Miriam Everett

Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378

Claire Wiseman

Claire Wiseman
Professional Support Lawyer, London
+44 20 7466 2267

Alasdair McMaster

Alasdair McMaster
Associate, London
+44 20 7466 2194

Asmita Singhvi

Asmita Singhvi
Trainee, London
+44 20 7466 3697

ICO fines Marriott £18.4 million in relation to Starwood Hotel’s 2014 data breach

Summary

  • The ICO has fined Marriott Inc (“Marriott”) £18.4 million in relation to a 2014 cyber-attack on Starwood Hotels.
  • The ICO had previously issued a notice of its intention to fine Marriott £99.2 million. The Penalty Notice does not explain the reasons why the final fine is considerably lower than this amount.
  • Following the ICO’s consideration of three rounds of representations made by Marriott, Marriott has been fined for failing to process personal data in a manner that ensures appropriate security of the personal data.
  • The ICO has made clear that its decision relates solely to Marriott’s failures after 25 May 2018 (i.e. post-GDPR) despite the historic, pre-2018 nature of the cyber-attack.
  • The ICO identified four principal security failures which may be useful for organisations looking to understand the level of security measures that the regulator expects to be in place.
  • In its Penalty Notice, the ICO has unfortunately avoided giving any real guidance as to what it expects from the data protection and cyber security due diligence process in corporate transactions (such as the Marriott acquisition of the Starwood Group).
  • This decision follows the recent announcement of the ICO’s decision to fine British Airways a significantly reduced fine of £20 million (rather than its original proposed fine of £183 million).

Background

As we detailed in our blog post back in July 2019 (https://hsfnotes.com/data/2019/07/10/marriott-starwood-data-breach-ico-intention-to-issue-another-big-99-million-mega-fine/), the guest reservation system of the Starwood group of hotels was compromised in 2014, exposing the personal data of approximately 339 million guest records globally, of which around 30 million related to residents of 31 countries (at the time) in the European Economic Area. Seven million of those related to UK residents. However, this data breach was not discovered until 2018, following the acquisition of the Starwood group by Marriott in 2016.

In July 2019, the Information Commissioner’s Office (“ICO”) issued a notice of intent to fine Marriott £99.2 million for this data breach. It was announced one day after the notice of the ICO’s intent to fine British Airways £183.39 million.

The ICO investigated this case as the lead supervisory authority on behalf of other EU Member State data protection authorities.

The ICO’s decision

The ICO has issued a monetary penalty notice (“Penalty Notice”) to Marriott, fining Marriott £18.4 million for failing to process personal data in a manner that ensures appropriate security of the personal data, as required by Article 5(1)(f) and Article 32 of the GDPR, representing a significant reduction of £80.8 million from the original figure of £99.2 million.

In a similar way to the British Airways penalty notice, the Penalty Notice does not explain the reasons why the final fine has been reduced by such a substantial amount, although it is to be noted that Marriott made three rounds of representations to the ICO, with the third round of representations being specifically in respect of the financial impact on its business caused by the Covid-19 pandemic.

It appears that Marriott’s representations led to the following:

  • the ICO clarifying certain factual findings made in its notice of intent in light of Marriott’s new submissions;
  • the removal of the provisional finding by the ICO of a breach by Marriott of Article 33 of the GDPR (notification of a personal data breach to the supervisory authority) proposed in the ICO’s notice of intent; and
  • no finding in the Penalty Notice in relation to a breach by Marriott of Article 34 of the GDPR (communication of a personal data breach to the data subject) despite a provisional finding of the same proposed in the ICO’s notice of intent.

According to the Penalty Notice, the ICO has taken into account the following factors in calculating the fine, in accordance with Article 83 of the GDPR and the ICO’s Regulatory Action Policy:

  • Financial Gain: Marriott did not gain any financial benefit or avoid any losses directly or indirectly as a result of the breach. The ICO, therefore, did not add an initial element at this stage.
  • Nature and Gravity: The ICO considered the nature of the failures to be of significant concern, affecting an extremely large number of individuals although the mitigating steps taken by Marriott were taken into account.
  • Duration: Although the cyber-attack spanned a four-year period, the Penalty Notice relates to infringements occurring between 25 May 2018 to 17 September 2018. Regardless of this, the ICO considered this to be a significant period of time over which unauthorised access to personal data went undetected and/or unremedied.
  • Culpability: The breach was a not an intentional or deliberate act on the part of Marriott. The ICO rather found Marriott to be negligent. In coming to this conclusion, the ICO took into account Marriott’s size and profile.
  • Responsibility: The ICO found Marriott to be wholly responsible for the breaches of Article 5(1)(f) and Article 32 of the GDPR.
  • Previous Actions: Marriott had no relevant previous infringements or failures to comply with past notices.
  • Cooperation: Marriott fully cooperated with the ICO’s investigation.
  • Categories of Personal Data: The affected data included unencrypted passport details, credit card data and various other categories of personal information.
  • Notification: Marriott is considered to have complied with its notification obligations.

Taking into account the factors above, the ICO considered that a penalty of £28 million (before any adjustments) would be an appropriate starting point to reflect the seriousness of the breach, and the need for the penalty to be effective, proportionate and dissuasive in the context of Marriott’s scale and turnover. There is nothing in the Penalty Notice which indicates how the ICO reached the amount of £99.2 million in its original notice of intent.

The ICO did not consider there to be any aggravating factors to apply in order to increase the penalty and further did not consider it necessary to increase the penalty in order for it to be ‘dissuasive’.

Turning to any potential downwards adjustment, the ICO considered a 20% downwards adjustment (£5.6 million) to be appropriate, taking into account various mitigating factors, including:

  • Marriott’s continual and increasing investment in security;
  • the immediate steps to (i) mitigate and minimise the effects of the cyber-attack and (ii) protect the interests of data subjects through the implementation of remedial measures;
  • Marriott’s full cooperation with the ICO’s investigation including its prompt responses to requests for information;
  • the broad press coverage as a result of the cyber-attack will have likely raised awareness with other controllers of potential risks; and
  • the adverse effect on Marriott’s brand and reputation.

Finally, having regard to the impact of the Covid-19 pandemic on Marriott, the ICO applied a further reduction of £4 million to the fine, taking it to a final amount of £18.4 million. It should be noted that although the ICO acknowledged the significant impact of the Covid-19 pandemic on Marriott’s revenues, it did not consider that the imposition of a penalty in the range being proposed would cause financial hardship to Marriott, or that Marriott would be unable to pay such a penalty.

Details of the GDPR infringements

The ICO concluded that, between 25 May 2018 and 17 September 2018, Marriott failed to comply with its obligations under Article 5(1)(f) of the GDPR – the integrity and confidentiality principle – and Article 32 of the GDPR – security of processing. According to the ICO, Marriott failed to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures. The ICO identified four principal security failures:

  • Insufficient monitoring of privileged accounts that would have detected the breach

The ICO was concerned that Marriott did not have appropriate and adequate measures in place to allow for the identification of the breach and to prevent further unauthorised activity, particularly once the attacker had found its way into the cardholder data environment (CDE). This included a failure to have ongoing monitoring of user activity, particularly activity by privileged accounts.

  • Insufficient monitoring of databases

Marriott was found to have failed to adequately monitor the databases within the cardholder data environment. The ICO was concerned with three failures in particular: (a) deficiencies in Marriott’s setup of security alerts on databases in the cardholder data environment; (b) the failure to aggregate logs; and (c) the failure to log actions taken on the cardholder data environment systems, such as the creation of files and the exporting of entire database tables. Whilst Marriott did have a system in place to log activity and issue alerts, the ICO deemed this to be unsatisfactory given that Marriott did not ensure the logging of key activities taking place on the databases. Marriott also did not engage in server logging of the creation of files which allowed the attacker to export entire databases undetected. In addition, alerts were only placed on tables that contained payment card information or specific queries and the actions of the attacker did not meet the conditions for the triggering of an alert. While Marriott had a security incident event management system (SIEM) and a security operations centre (SOC) these were rendered ineffective by the lack of monitoring at source.

  • Control of critical systems (failure to implement server hardening as a preventative measure)

The ICO stated that it would have been appropriate for Marriott to implement a form of server hardening as a preventative measure, which could have prevented the attacker from gaining access to administrator accounts and preventing them from traversing across the network. In particular, the ICO considered that whitelisting (for example, in relation to IP addresses or permitted software) should have been deployed where appropriate on critical systems and systems which have access to large amounts of personal data.

  • Encryption

Whilst some information was encrypted by Marriott (for example where required for PCI-DSS compliance), encryption was not applied to other categories of non-payment related personal data. The ICO were particularly concerned that not all passport numbers were encrypted. The ICO did not accept Marriott’s suggestion that it would be impractical to implement more encryption than it had. In particular, the ICO suggested that encrypted personal data could have been accessed and decrypted in almost real-time by using unique identifiers to cross reference to the encrypted content.

It is interesting that both Marriott and British Airways submitted, due to similar reasons, that the ICO had applied the wrong fining tier (i.e. 4% for a contravention of Article 5(1)(f) as opposed to 2% under Article 32) although the ICO rejected these submissions and provided near identical reasoning for its rejection, which we have set out in our blog post analysing the British Airways fine (https://hsfnotes.com/data/2020/10/21/the-not-so-mega-mega-fine-ico-fines-british-airways-20-million-for-its-2018-data-breach/).

A note on due diligence

As widely noted, this case has highlighted the importance of data and cyber security due diligence in corporate transactions. The ICO has now shed some further light on what it expects from corporate transactions and the due diligence process, although not necessarily in a way in which we might have expected.

During its representations, Marriott raised that it was only able to carry out limited due diligence on Starwood’s data processing systems and databases as part of the acquisition process. Marriott also submitted that it is “not tenable to proceed on the basis that acquisition due diligence is a “seemingly endless” process”. Interestingly, the ICO acknowledges this in the Penalty Notice, particularly that there may be circumstances in which in-depth due diligence of a competitor is not possible during a takeover. However, it ultimately avoids the need to address this since it was not making any finding of infringement in respect of the period between Marriott’s acquisition of Starwood and the entry into force of the GDPR in May 2018. Instead, the Penalty Notice concerns the extent to which Marriott adequately managed the Starwood systems to protect personal data after the GDPR came into effect.

In any event, organisations should be aware that it is not possible to point to the limited due diligence process available to acquirers in a corporate transaction as an explanation for missing any hidden data vulnerabilities or breaches pre-acquisition. Instead, the ICO confirms that the “need for a controller to conduct due diligence in respect of its data operations is not time-limited or a ‘one-off’ requirement” and, given this ongoing duty, it is “no answer to claim that certain due diligence steps were, or only needed to be, taken in the period immediately after acquisition”. Significantly, the ICO is of the opinion that even if adequate due diligence had been undertaken at the point of acquisition, that would not have removed Marriott’s obligation to ensure, on a continuing basis, that it complied with the GDPR (once it came into force).

While actually performing low level technical due diligence on systems as part of an acquisition (i.e. of the sort that might detect such intrusions) is likely to be challenging for the above reasons, there are plenty of things that prospective purchasers can do to manage their risk. Due diligence questionnaires afford the opportunity to ask questions about the compliance, IT, security and other systems and controls that the target company has in place, and to tie warranties to those questions. Secure infrastructure would ordinarily be accompanied by a suite of design documentation, policies, security personnel, audit reports and the like, that evidence security best practices being in place. Where asking the right questions during due diligence, and following the chain of enquiry that results, exposes issues, often provision can be made for part of the purchase price to be held in escrow pending resolution.

What is next

Although significantly below the level set out in its notice of intent, this fine, along with the £20 million fine on British Airways, indicates that the ICO is taking GDPR penalties seriously and may be sign of things to come (probably at the 8 figure, rather than the 9 figure, range).

Marriott has stated that it does not intend to appeal the ICO’s decision, but makes no admission of liability in relation to the decision or the underlying allegations.

Miriam Everett

Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378

Andrew Moir

Andrew Moir
Partner
+44 20 7466 2773

Angela Chow

Angela Chow
Associate, Digital TMT, Sourcing and Data, London
+44 20 7466 2853

Elena Hogg

Elena Hogg
Associate, London
+44 20 7466 2590

The not so mega ‘mega fine’: ICO fines British Airways £20 million for its 2018 data breach

  • The ICO has fined British Airways £20 million for breach of the GDPR in relation to its 2018 data breach.
  • This is a significant reduction in the original proposed fine of £183 million.
  • In the monetary penalty notice issued to British Airways, the ICO has confirmed that the reduction of almost 90% was only partially influenced by the effects of COVID-19 on the financial position of British Airways.
  • In contrast, the vast majority of the reduction appears to come as a result of the ICO having taken into account BA’s representations following its notice of intent, combined with a change of approach by the ICO which meant less of a focus on turnover as the driving factor in calculating fines.
  • The ICO has also published details of the specific GDPR infringements committed by British Airways which have been limited to breach of the integrity and confidentiality principle in Article 5 and the security obligations in Article 32 GDPR.
  • The moral of the story appears to be that it can be commercially worthwhile for controllers to push back robustly against any notice of intent.

Background

As we reported here, in July 2019 the Information Commissioner’s Office (“ICO”) published a notice of its intent to fine British Airways a staggering £183 million for infringement of the General Data Protection Regulation (GDPR) as a result of its 2018 data breach where the personal data of around 500,000 British Airways customers was stolen by hackers.

Importantly, this was a notice of intent and not a final concluded fine. The Data Protection Act 2018 sets a strict deadline of six months for the ICO to convert this into a fine, although this period may be extended if the ICO and the proposed recipient of the fine agree to an extension. Multiple times the ICO and British Airways took advantage of this extension mechanism so that the final Penalty Notice was only published on 16 October 2020, more than a year after the initial notice of intent.

At the time, no reasons for any of the extensions were offered by either side, although it was understood from International Airline Group’s (IAG, British Airway’s parent company) Annual Report and Accounts 2019, and has now been confirmed by the final Penalty Notice, that British Airways made extensive representations to the ICO regarding the proposed fine and that there were multiple further information requests. The impact of COVID-19 also likely had its part to play in the extension.

At the time of the initial notice of intent, the proposed British Airways fine was touted as the first ‘mega fine’ to be issued by a European data regulator since the implementation of the GDPR. The biggest data protection fine previously issued by the ICO was £500,000, the maximum possible under the old legislation.

The first GDPR ‘mega’ fine: not so ‘mega’: a reduction of almost 90%

The ICO finally issued its Penalty Notice to British Airways on 16 October 2020, fining British Airways £20 million. While still the largest ICO fine to date, this is a significant reduction of almost 90% from the original figure of £183.39 million.

Although the Penalty Notice refers in a couple of places to the original intended fine of £183.39 million, very little is said in the notice regarding why exactly, the final fine has been reduced by such a significant amount. Instead, the notice effectively appears to start from scratch in calculating the final level of fine, taking into account the following factors in accordance with Article 83 GDPR and the ICO’s Regulatory Action Policy:

  • Financial Gain: BA did not gain any financial benefit or avoid any losses directly or indirectly as a result of the breach.
  • Nature and Gravity: The ICO considered the nature of the failures to be serious, affecting a significant number of individuals for a significant period of time (103 days).
  • Culpability: Although the breach was a not an intentional or deliberate act on the part of BA, the ICO found BA to be negligent.
  • Responsibility: The ICO found BA to be wholly responsible for the breaches of Articles 5 and 32 GDPR.
  • Previous Actions: BA had no relevant previous infringements or failures to comply with past notices.
  • Cooperation: BA fully cooperated with the ICO’s investigation.
  • Categories of Personal Data: Although no special category data was affected, the nature of the data, in particular payment card data, was nonetheless sensitive.
  • Notification: BA acted promptly in notifying the ICO of the attack.

Taking into account all of these factors above, the ICO considered that a penalty of £30 million would be appropriate starting point to reflect the seriousness of the breach, and the need for the penalty to be effective, proportionate and dissuasive in the context of BA’s scale and turnover. So far, there is no obvious reason why the fine is so much lower than the notice of intent.

The ICO did not consider there to be any aggravating factors to apply in order to increase the penalty and further did not consider it necessary to increase the penalty in order for it to be ‘dissuasive’.

Turning to any potential downwards adjustment, the ICO considered a 20% downwards adjustment (£6 million) to be appropriate, taking into account various mitigating factors, including:

  • The immediate steps to mitigate and minimise any damage to data subjects;
  • BA’s prompt notification of the breach to data subjects and relevant regulatory authorities;
  • The broad press coverage as a result of the attached will have likely raised awareness with other controllers of potential risks; and
  • The adverse effect on BA’s brand and reputation.

Finally, the ICO also explicitly acknowledged that the impact of COVID-19 on British Airways was taken into account when determining the level of the final fine, although this only accounted for a further £4 million downwards adjustment and does not therefore account for the vast majority of the reduction.

Details of the GDPR infringements

In its final Penalty Notice, the ICO focussed on BA’s breach of Article 5(1)(f) GDPR – the integrity and confidentiality principle – and Article 32 GDPR – security of processing. The previous notice of intent, had also found BA to be in breach of Article 25 GDPR – data protection by design and by default – but this was dropped in the final Penalty Notice.

From a penalty perspective, it is also interesting that the ICO rejected BA’s claims that the maximum fine should be 2% because of the conflict between breach of Article 5 (attracting a maximum 4% fine) and breach of Article 32 (attracting a maximum 2% fine) meaning that the principal of lex specialis should apply with the specific provision of Article 32 overriding the general provision of Article 5. The ICO instead found that the two provisions were distinct even if they did overlap, although it is fair to note that it made no difference in the context of the level of fine imposed in the end (which was significantly less than both 4% and 2% of annual worldwide turnover).

With respect to its security obligations, the ICO found that British Airways had “weaknesses in its security” that could have been prevented with security systems, procedures and software that were available at the time. None of the measures would have entailed excessive cost or technical barriers for British Airways, with some available through the Microsoft Operating System used by British Airways. Some of the numerous measures British Airways could have used to mitigate or prevent the risk of the attack include:

  • limiting access to applications, data and tools to only that which are required to fulfil a user’s role;
  • undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’ systems; and
  • protecting employee and third party accounts with multi-factor authentication, external public IP address whitelisting, and IPSec VPN.

The attack path that the hackers used in the ICO’s view exposed a number of failings on the part of British Airways. The hackers were able to gain access to an internal British Airways application through the use of compromised credentials for a Citrix remote access gateway. The hackers were then able to break out of the Citrix environment and could then gain broader access to the wider British Airways network. Once there, the attacker was able to move laterally across the network, culminating in the editing of a Javascript file on British Airway’s website. This allowed the attacker to intercept and exfiltrate cardholder data from British Airway’s website to an external third-party domain which was controlled by the attacker.

One particular area of focus for the ICO was British Airway’s practice of storing credentials within batch scripts. The ICO did not accept British Airway’s submissions that this “aided functionality” or was “standard practice” and stuck to its position that this was not acceptable and there were other secure ways to achieve the same objectives.

As a result, the ICO was “satisfied that BA failed to put in place appropriate technical or organisational measures to protect the personal data being processed on its systems, as required by the GDPR“.

What is next?

British Airways must pay the fine to the ICO or exercise its right to appeal to the First-tier Tribunal in the General Regulatory Chamber within 28 days of the Penalty Notice. Interestingly, the Penalty Notice does not refer to the availability of any further discount for prompt payment, with such discount usually being lost if the fine is appealed. This may normally suggest that BA has agreed to settle with the ICO, although the Penalty Notice is clear that BA does not admit liability for breach of the GDPR.

There is also the potential that British Airways could face a fine or reprimand under the Payment Card Industry Data Security Standard (PCI-DSS) in relation to its collection and processing of payment card data. PCI-DSS compliance is required by all organisations which accept, process, store and/or transmit debit and credit cards. However, fines under PCI-DSS are not publicly available so it is unlikely it will be public knowledge if a PCI-DSS fine is levied against British Airways.

In conclusion, this is perhaps not the first ‘mega fine’ or tough GDPR enforcement from the ICO that commentators were expecting, but it is still a step in that direction and with some interesting guidance regarding the way in which the ICO may approach the calculation of fines (and enforcement more generally) in the future.

Miriam Everett

Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378

Andrew Moir

Andrew Moir
Partner
+44 20 7466 2773

Chloe Kite

Chloe Kite
Associate, Digital TMT, Sourcing and Data, London
+44 20 7466 2540

Elena Hogg

Elena Hogg
Associate, London
+44 20 7466 2590

HOW TO CALCULATE A GDPR FINE – THE PROPOSED ICO WAY

The Information Commissioner’s Office in the UK (the “ICO”) has published for consultation its draft statutory guidance setting out how it will regulate and enforce data protection legislation in the UK.

The document explains all of the ICO’s key powers (including information notices, assessment notices, enforcement notices and penalty notices). Perhaps most interestingly for organisations, it also sets out for the first time, the ICO’s approach to how it calculates fines under the GDPR, giving organisations a better sense of the level of fine to which they could be subject for GDPR non-compliance.

However, although the ICO has provided a table setting out it’s ‘starting point’ for the calculation of fines, there is nonetheless a large amount of discretion that the regulator can apply to adjust the fine both upwards and downwards, meaning that the process is not as transparent as it may at first seem.

Although the fine calculator is only in draft form at this stage, it is the first time that the process adopted by the ICO has been made public. Responses to the consultation are required by 5pm on Thursday 12 November 2020.

GDPR fine calculator

The ICO’s draft guidance sets out nine steps which will factor into the calculation of a fine for non-compliance with the GDPR, including seriousness, culpability, aggravating and mitigating factors, economic impact and dissuasiveness.

These steps will be applied to all GDPR fines, regardless of whether the so-called ‘standard maximum amount’ or ‘higher maximum amount’ applies. As per the GDPR, the higher maximum amount is €20 million or 4% of annual worldwide turnover (whichever is greater). The standard maximum amount is €10 million or 2% of annual worldwide turnover (whichever is greater).

The following three steps will be considered initially in order to enable the ICO to identify its ‘starting point’:

Seriousness

The factors to consider when assessing the seriousness of any infringement reflect those set out in the GDPR, including the nature, gravity, and duration of the failure; any action taken by the data controller or processor to mitigate the damage suffered by data subjects; the degree of cooperation with the ICO; and the way the breach became known to the ICO, including whether the data controller or processor notified the ICO of the failure.

Culpability

When assessing culpability, the ICO will take into account the intentional or negligent character of the failure; specifically whether the organisation was intentional or negligent about its responsibility for the breach.

Turnover

The ICO will review relevant accounts and obtain expert financial, or accountancy advice if required, to determine the amount of turnover (or equivalent for non-profit organisations such as the annual revenue budget and the financial means of individuals).

In circumstances where turnover or equivalent is minimal, the ICO will give greater weight to other factors such as dissuasiveness, particularly where there is a serious breach. Where there is a lack of cooperation in providing all relevant financial information, the panel will rely on the information available or otherwise give greater weight to factors such as aggravating features.

Starting point

Once the factors above have been assessed, the helpful table below sets out the ‘starting point’ for the fine, stated as a percentage of annual worldwide turnover, against which various other factors will be applied:

Once the appropriate starting point has been identified, the ICO will then apply the following other factors in order to adjust the starting point and reach the final level of the fine:

Aggravating and mitigating factors

The ICO will consider any aggravating and mitigating factors applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the breach.

When determining the amount of any proposed administrative fine, the ICO will then adjust the starting point figure for each band accordingly, upwards or downwards, to reflect its assessment of applicable aggravating or mitigating circumstances. It will clearly record which aggravating and mitigating features it has taken into account and why and how it considers that these influence the proposed administrative penalty.

Financial means

The ICO will consider the likelihood of the organisation or individual being able to pay the proposed penalty and whether it may cause undue financial hardship.

Economic impact

The ICO will, where appropriate, consider any economic impact on the wider sector, or related regulatory impact of the proposed penalty beyond the organisation or individuals it is serving the penalty on.

Effectiveness, proportionality and dissuasiveness

The ICO will ensure that the amount of the fine proposed is effective, proportionate, and dissuasive and will adjust it accordingly.

Early payment discount

The ICO will reduce the monetary penalty by 20%, if it receives full payment of the monetary penalty within 28 calendar days of sending its final penalty notice. However, this early payment discount is not available if the controller decides to exercise its right of appeal to the First-tier Tribunal.

Miriam Everett

Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378

COVID-19: ICO OPINES ON APPLE AND GOOGLE’S CONTACT TRACING TECHNOLOGY (UK)

On 17 April 2020, the ICO published an opinion by the Information Commissioner (the “Commissioner”) on Apple and Google’s joint initiative to develop COVID-19 contact tracing technology (the “Opinion”, available here).

Summary

  • The Commissioner found the CTF to be aligned with principles of data protection by design and by default.
  • Controllers designing contact tracing apps that use the CTF should ensure alignment with data protection law and regulation, especially if they process personal data (which the CTF does not require).
  • The Commissioner raised concerns regarding individuals assuming that the CTF’s compliance with data protection principles will extend to all aspects of the contact tracing app – which is not necessarily the case.
  • Therefore, it should be made clear to any app users who is responsible for data processing, especially if the app processes data outside of the CTF’s limited scope.
  • Data controllers designing CTF-enabled contact tracing apps must be transparent with potential and actual app users on the type of information they will be processing.
  • Finally, when it comes to a user’s ability to disable Bluetooth, the Commissioner observed that with regard to contact tracing apps in general: “a user should not have to take action to prevent tracking”.

As set out in our previous blogpost (available here), contact tracing is one of the measures being contemplated or implemented by European governments (including in the UK and Germany) in order to be able to put an end to lockdowns while containing the spread of the virus.

The scope of the Opinion was limited to the design of the contact tracing framework which enables the development of COVID-19 contact tracing apps by public health authorities through the use of Bluetooth technology (the “CTF”).

It is also worth noting that this Opinion has been published in the midst of a heated debate on contact tracing technology and fears that it may be used for mass surveillance – in an open letter published on 20 April 2020, around 300 international academics cautioned against creating a tool which will enable large scale data collection on populations.

How does the CTF work?

The CTF is composed of “application programming interfaces“ as well as “operating system level technology to assist contact tracing”. The collaboration between Apple and Google will result in interoperability between Android and iOS devices of apps developed by public health authorities using the CTF.

When two devices with contact tracing apps come into proximity, each device will exchange cryptographic tokens (which change frequently) via Bluetooth technology. Each token received will be stored in a ‘catalogue’ on the user’s device, effectively creating a record of all other devices a user has come into contact with. Once a user is diagnosed with COVID-19, and after they have given their consent, the app will upload the stored ‘catalogue’ of tokens to a server. Other users’ devices will periodically download a list of broadcast tokens of users who have tested positive to COVID-19. If a match is found between the broadcast tokens and the ‘catalogue’ of tokens stored on each user’s device, the app will notify the user that he/she has come into contact with a person who has tested positive and will suggest appropriate measures to be taken.

How does the CTF comply with data protection laws?

The Opinion finds that, based on the information released by Google and Apple on 10 April 2020, the CTF is compliant with principles of data protection by design and by default because:

  1. The data collected by the CTF is minimal: The information contained in the tokens exchanged does not include any personal data (such as account information or usernames) or any location data. Furthermore the ‘matching process’ between tokens of users who have tested positive for COVID-19 and tokens stored on each user’s phone happens on the device and therefore does not involve the app developer or any third party.
  2. The CTF incorporates sufficient security measures: The cryptographic nature of the token which is generated on the device (outside the control of the contact tracing app) means that the information broadcast to other nearby devices cannot be related to an identifiable individual. In addition, the fact that the tokens generated by one device are frequently changed (to avoid ultimate tracing back to individual users) minimises the risk of identifying a user from an interaction between two devices.
  3. The user maintains sufficient control over contact tracing apps which use the CTF: Users will voluntarily download and install the contact tracing app on their phone (although this may change in ‘Phase 2’ of the CTF as discussed below). Users also have the ability to remove and disable the app. In addition, the process of uploading the collected tokens of a user to the app once he/she has tested positive by the developer requires a separate consent process.
  4. The CTF’s purpose is limited: Although the CTF is built for the limited purpose of notifying users who came into contact with patients who have tested positive for COVID-19, the Commissioner stresses that any expansion of the use of CTF-enabled apps beyond this limited purpose will require an assessment of compliance with data protection principles.

What clarifications are required?

The Commissioner raises a number of questions on the practical functioning of the CTF, especially in respect of collection and withdrawal of user consent post-diagnosis. It is unclear how the CTF will facilitate the uploading of stored tokens to the app. Although consent will be required from the user, clarity is needed on: (i) management of the consent signal by a CTF-enabled app and (ii) what control will be given to users in this respect. In addition, the Commissioner lacks information on how consent withdrawal will impact the effectiveness of the contact tracing solutions and the notifications sent to other users once an individual has been diagnosed.

Issues for developers

The Commission will pay close attention to the implementation of the CTF in contact tracing apps. In particular, the CTF does not prevent app developers from collecting other types of data such as location. Although reasons for collecting other types of user information may be “legitimate and permissible” in order to pursue the public health objective of these apps (for example to ensure the system is not flooded with false diagnoses or to assess compliance with isolation), the Commissioner warns that data protection considerations will need to be assessed by the controller – this includes the public health organisations which develop (or commission the development of) contact tracing apps.

Another issue raised by the Commissioner is the potential user assumption that the compliance by the CTF with data protection laws will radiate to all other functionalities which may be built into contact tracing apps. In this regard, the Commissioner reminds app developers that, in addition to assessing data protection compliance in relation to other categories of data processed by the app, they will need to clearly specify to users who is responsible for data processing – in order to comply with transparency and accountability principles.

Finally, the Commissioner stressed that data controllers, such as app developers, must assess the data protection implications of both (i) the data being processed through the app and (ii) data undertaken by way of the CTF in order to ensure that both layers of processing are fair and lawful.

What has the ICO said about ‘Phase 2’ of the CTF?

‘Phase 2’ of development of the CTF aims to integrate the CTF in the operating system of each device. The Commissioner notes that users’ control, their ability to disable contact tracing or to withdraw their consent to contact tracing should be considered when developing the next phase of the CTF.

With regard to user’s ability to disable Bluetooth on their device, the Commissioner observes in respect of ‘Phase 2’ of the CTF, and contact tracing apps in general, that “a user should not have to take action to prevent tracking”.

How does this Opinion affect the development of Decentralized Privacy-Preserving Proximity Tracing protocol?

The Opinion can be applied to Decentralized Privacy-Preserving Proximity Tracing (or DP-3T) protocol in so far as it is similar to the CTF. The Commissioner states that the similarities between the two projects gives her comfort that “these approaches to contact tracing app solutions are generally aligned with the principles of data protection by design and by default”.

Insight

This Opinion is an important step in the development and roll out of contact tracing apps in the UK. As mentioned above, contact tracing is one of the tools necessary for the UK Government to lift the lockdown measures while minimising the impact of a potential second wave of infections. This has an indirect impact on the private sector as it will affect how and when employees will be able to go back to work.

The fact that the principles on which the CTF is based are compliant with data protection laws is crucial to the successful roll out of contact tracing apps. In order for these apps to be effective, they must be voluntarily downloaded by a large number of mobile users. Given the concerns around letting governments accumulate data on the population under the guise of putting an end to the pandemic, trust is a determining factor in this equation. The fact that the Commissioner is approving the foundation for these contact tracing apps will certainly play a role in gaining the public’s trust and its acceptance to give up some privacy rights in order to put an end to the current public health crisis.

Miriam Everett

Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378

Hannah Brown

Hannah Brown
Associate, Digital TMT, Sourcing and Data, London
+44 20 7466 2677

Ghislaine Nobileau

Ghislaine Nobileau
Trainee Solicitor, London
+44 20 7466 7503

COVID-19: ICO publishes details of its regulatory approach during COVID-19 (UK)

The ICO has published details of its regulatory approach during the ongoing COVID-19 emergency; this is an approach which should reassure entities who are adapting to the economic and practical realities of operating in the current climate, as well as balancing their data protection obligations.  The UK regulator has continued to be reasonable and pragmatic, as outlined in our previous post in relation to response times to DSARs, and has stated that they are “committed to an empathetic…approach”.  Overall, the key takeaways from this guidance are that: Continue reading

ICO TELLS PEOPLE TO EXPECT DELAYS TO DSARS DURING COVID-19

Given the COVID-19 crisis, it is likely that data protection may no longer at the forefront of every controller’s mind, and rather, that business continuity has taken precedence. Acknowledging this shift and the need for companies to divert business as usual resources to their response to the crisis, the ICO has published two articles on its website, which are aimed at both controllers and data subjects more widely. Continue reading

The ICO publishes its Age–Appropriate Design Code of Practice for online services

Following a public consultation on its draft code of practice with parents, children, schools, children’s campaign groups, developers, tech and gaming companies and online service providers which closed on 31 May 2019, the Information Commissioner’s Office (ICO) submitted its Age-appropriate design Code of Practice on 12 November 2019 but due to restrictions in the pre-election period it was not permitted to be published until 23 January 2020. Continue reading

International Data Privacy Day: Our predictions for 2020

What better day than today, International Data Privacy Day, to explore what 2020 is likely to have in store for data and privacy? Almost two years ago the EU General Data Protection Regulation (GDPR) thrust data and privacy issues firmly in the spotlight, where they remain. With attention having shifted from guidance to enforcement, this article sets out some predictions for further developments in the year to come.

  • Data ethics: The discussion is moving from “what can we do” to “what should we do” with data. Organisations are coming under increased pressure, not just from consumers who are now demanding greater transparency around how their data is collected, used and handled, but also other stakeholders such as government, regulators, industry bodies and shareholders. 2020 is likely to be the year in which we will see an increased focus in the boardroom on how to incorporate ‘ethical practices’ into data strategies, to leverage consumer trust and drive long-term profitability.
  • GDPR fines: In 2020 we expect to see the final enforcement notices for the British Airways and Marriott data breaches issued by the UK’s data protection authority, the Information Commissioner’s Office (ICO). These had originally been expected in early January, but an extension was agreed and final enforcement notices are now expected in March 2020 to finalise the penalties imposed on both organisations, both which were the result of high-profile data breaches and subsequent ICO investigations.
  • GDPR enforcement activity: Is 2020 also the year in which we see other big data breaches, investigations and fines? 2020 will also likely see a shift in enforcement activity – going beyond data breaches to other areas of non-compliance with the GDPR. For example, the Berlin data protection authority issued a €14.5 million fine on a real estate company for the over retention of personal data. Elsewhere in Europe, 2020 should be the year when we see the results of the Irish Data Protection Commissioner’s investigations into some of the biggest tech companies, including WhatsApp and Twitter.
  • Adtech focus:We also expect the GDPR to start becoming real for the adtech sector in 2020. In June 2019, the ICO released its Adtech Update Report, with a clear message to the real-time bidding industry that they had six months to act; the ICO expressed significant concerns about the lawfulness of the processing of special category data and the lack of explicit consent for that processing. That six-month period is now up, and while – to the dismay of privacy advocates – the ICO has announced that the proposals of the leaders of the industry, the Internet Advertising Bureau (IAB) and Google, will result in real improvements to the handling of personal data, in the same statement, it has stated that “[t]hose who have ignored the window of opportunity to engage and transform must now prepare for the ICO to utilise its wider powers.” So, will 2020 be the year in which we see meaningful enforcement action from the ICO in this area?
  • Adequacy decision for the UK: Yes, a Brexit-related prediction had to feature somewhere on this list. At the time of writing, it looks set that the United Kingdom will leave the European Union on 31 January 2020, with an 11-month transition period in place. The pertinent question now is what will Brexit look like at the end of this transition period, and in particular with respect to how international data transfers will be treated. It may be that 2020 is the year in which the European Commission makes an adequacy decision in favour of the United Kingdom, but concerns remain over the processing of personal data for law enforcement purposes in the UK – and the EU’s data protection supervisor has essentially said that the United Kingdom is at the back of the queue for any such decision. So, will 2020 be the year of a United Kingdom adequacy decision, or will it be the year in which organisations undertake a review of their UK data transfer flow agreements in a scramble to be compliant?
  • Lead supervisory authority no more: From 31 January 2020, the ICO will no longer be a supervisory authority for GDPR purposes and will not participate in the one stop shop mechanism or the consistency and cooperation procedure. The ICO will also lose its power to be the lead supervisory authority for approving binding corporate rules. It is possible that any future deal may change that position, but in the meantime multinational organisations whose activities are caught by the GDPR should ensure that they have an appropriate lead supervisory authority based in an EU Member State.
  • Schrems II and the SCCs: While in the case of Schrems II, the Advocate General (AG) of the Court of Justice of the European Union (CJEU) issued an opinion that upheld the validity of the European Commission standard contractual clauses (SCCs), the AG also raised concerns about the practical use of the SCCs in jurisdictions where national security laws would breach the SCCs, and suggests moving the responsibility for using the SCCs away from the data importer to the individual company exporting data. If the CJEU follows this opinion, which is expected in the first quarter of 2020, it could result in substantial additional burdens before using SCCs. It could also have ramifications for the United Kingdom after Brexit.
  • Fall of the US Privacy Shield: In Schrems II, the AG opinion also expressed concerns over the EU/US Privacy Shield. If the CJEU follows the AG’s opinion then it could influence the case of La Quadrature du Net v Commission – a case concerning the French advocacy group, La Quadrature du Net, which is seeking to invalidate the Privacy Shield on the basis that it fails to uphold fundamental EU rights because of US government mass surveillance practices. Will 2020 be the year we see the Privacy Shield suffer the same fate as its predecessor, the Safe Harbour?
  • Artificial Intelligence regulation: The European Commission’s incoming president, Ursula von der Leyen, has stated that she will put forward legislation to regulate the use of artificial intelligence and only this month a draft Commission white paper was leaked, which floated a number of options on how to achieve this. This ranged from imposing mandatory risk-based requirements on developers, to sector-specific requirements, to voluntary labelling. Although it would not be a reality for a number of years, 2020 looks likely to be the year that we see a firmer picture emerge about the direction that the European Commission wishes to take AI regulation.
  • Data class actions: In November 2019, the Supreme Court heard Morrisons’ appeal of the finding that it was vicariously liable under the Data Protection Act 1998 for a data breach committed by a disgruntled employee, even though Morrisons themselves were data protection compliant. While this case involves the law as it stood before the GDPR, given the increase in the rights of data subjects under the GDPR, should the Supreme Court decision find in favour of the claimants, this could open the door in 2020 to a wave of class actions from employees, customers, and others whose personal data has been compromised in a data breach.
  • Data-focused commercial disputes: And it is not just collective actions from data subjects that may rise – in 2020 we could also see increased data protection-focused litigation and commercial disputes in the business to business sphere, as the spotlight continues to remain on data. For example, disputes over the allocation of liability where a controller has been fined and is seeking to claim this back from a third party processor. Which leads us on to…
  • Third party risks: Focus in 2020 will also be firmly directed at third party risk management and demands on suppliers and vendors to demonstrate compliance. Gartner research reveals that “compliance programs are focused on third-party risk more than ever before, with more than twice the number of compliance leaders considering it a top risk in 2019 than three years ago.” As the nature of third party relationships continues to evolve, and the amount of data that third parties host and process for organisations on the rise, processes and procedures also need to evolve to address this risk.
  • Data is a global issue: In the wake of the GDPR and the California Consumer Privacy Act, we are seeing a global trend in other jurisdictions to introducing or seeking to introduce more robust data protection laws. For example, 2020 will see both the Brazilian General Data Protection Law (which is largely based on the GDPR) and Thailand’s Personal Data Protection Act come into force. Other data protection legislation initiatives are also going through approval stages – for example, the New Zealand Privacy Bill and India’s first major data protection bill.
  • ePrivacy: But will 2020 be the year that finally sees agreement on the new ePrivacy proposals in Europe? The update to the European legislation which regulates cookies and electronic marketing has been plagued by delays and disagreements. Even if 2020 is the year that ePrivacy is finally agreed in Europe, considerations will then move to the UK’s own approach to ePrivacy in a post-Brexit world.

For more information, or if you have any queries, please contact Miriam Everett.

Miriam Everett

Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378

Chloe Kite

Chloe Kite
Associate, London
+44 20 7466 2540

ICO OPENS CONSULTATION ON DATA SUBJECT ACCESS RIGHTS

The ICO (the UK privacy regulator) has published draft guidance on the right of individuals under the GDPR to access their data. Key takeaways include:

  • An acknowledgement that subject access requests can be burdensome, with a requirement to ‘make extensive efforts’ to locate and retrieve information and confirmation that a significant burden does not make a request ‘excessive’;
  • A warning against companies asking for proof of identity as a matter of course when there is no reason to doubt the requestor’s identity; and
  • Confirmation that it is possible to consider the intention or motive behind a subject access request when assessing whether or not it is possible to refuse to comply.

Continue reading