ICO’s proposed largest ever fine of £183 million against BA prompts the question: can you insure penalties imposed for breach of GDPR?

The UK’s data protection authority, the ICO, has announced twice in two days this week that it proposes to levy significant fines on organisations for breaches of the General Data Protection Regulation (GDPR), which took effect in May 2018. First it announced that it intends to fine British Airways some £183 million for a data breach in 2018 that affected 500,000 customers (see our Data Blog here for more details). The following day it announced that it proposed to fine Marriott hotels group nearly £100 million, again for a data breach that affected customers (see our Data Blog here for more details). Both BA and Marriot may make representations to the ICO before final decisions are taken. These proposed fines dwarf previous fines issued by the ICO which were capped at £500,000 under the old privacy regime.

Until now the business world has been waiting to see how the ICO would use its powers under the new GDPR regime. Under the regime, the ICO can now impose a broader range of significant civil penalties for data protection breaches than was previously possible. This includes penalties of up to €20 million or 4% of a company’s global annual turnover, as well as potentially ordering companies to stop processing personal data altogether. The ICO is clearly now baring its teeth. Continue reading

Marriott/Starwood Data Breach: ICO intention to issue another big £99 million ‘mega fine’

  • Just one day after its notice of its intent to fine British Airways £183.39 million, the ICO has issued a further notice of intent to fine Marriott International £99.2 million for its own data breach;
  • The systems of the Starwood hotel group were originally compromised in 2014, prior to the acquisition of Starwood by Marriott in 2016 – the breach itself was not discovered until 2018 following completion of the corporate acquisition;
  • The fine shines a spotlight on the importance of data and cyber due diligence in corporate transactions;
  • No details have yet been published by the ICO regarding the specific GDPR infringements involved;
  • Marriott now has the chance to respond to the notice of intent, after which a final decision will be made by the ICO.

Continue reading

British Airways Data Breach: ICO announces potential £183 million ‘mega fine’

  • The ICO has published a notice of its intent to fine British Airways £183.39 million for its 2018 data breach where the personal data of 500,000 customers was stolen by hackers;
  • This is the first ‘mega fine’ issued by a European data regulator since the implementation of the GDPR;
  • The ICO acted as lead supervisory authority and has confirmed that it has been liaising with other EU privacy regulators;
  • No details have yet been published by the ICO regarding the specific GDPR infringements involved;
  • British Airways now has the chance to respond to the notice of intent, after which a final decision will be made by the ICO.

Continue reading

Cookie consent walls crumble: ICO publishes guidance on cookie consent

Following its recent admission that its own cookie consent mechanism was non-compliant (see previous blog post here), the UK privacy regulator (the ICO) updated its cookie notice last week (see our previous blog post here) and has now published guidance on cookies and similar technologies. Key messages are:

  • No implied consent for non-essential cookies allowed, including consent obtained via sliders/toggles which are defaulted to ‘on’
  • Analytics cookies are not ‘strictly necessary’ and so require consent
  • The position regarding the use of ‘cookie walls’ to restrict website access remains unclear, although is likely to be inappropriate in many circumstances

Continue reading

Cookie Update: The ICO way

Following on from the ICO’s recent admission around its cookie consent mechanism (for further details see our previous post here), the ICO website was down for a period of time at the end of last week. But now it is back and with a new and “improved” cookie consent mechanism (see here).

Continue reading

Happy GDPR-versary! Herbert Smith Freehills reflections on a year of GDPR regulation

The GDPR came into effect almost a year ago on the 25 May 2018. As the most significant reform of data protection law in Europe for over 20 years, the legislation raised expectations of a cultural shift in attitude to data privacy. A year on from the fanfare of implementation, this bulletin looks at key aspects of what we have seen and learnt since implementation, and what we can expect for the future.

Enforcement

Although we are still waiting for a ‘GDPR mega fine’, we have seen a EUR 50 million fine levied by the CNIL in France and there have also been some interesting enforcement decisions coming out of Europe in the first 12 months. There have been rumours of a fine matrix being developed by the regulators to help assess the level of fine to be imposed but, for now at least, it remains unclear how fines are calculated and when a ‘mega fine’ may be appropriate.

Interesting enforcement action to note so far includes:

UK: ICO finds HMRC to be in “significant” breach of data protection legislation but does not impose a fine

In May 2019, the ICO found HMRC in the UK to be in “significant” breach of the GDPR by processing special category biometric data (voice recognition data) without a lawful basis. However, instead of imposing a monetary penalty, the ICO issued an enforcement notice requiring HMRC to delete the relevant data by early June 2019. For more information on this enforcement action, see our blog post here.

Belgium: Court of Appeal asks CJEU for GDPR guidance on the ‘one stop shop’

In May 2019, the Belgian Court of Appeal asked the European Court of Justice for help interpreting the application of the GDPR’s ‘one stop shop’ and whether the designation by companies of a lead supervisory authority in Europe precludes any other European supervisory authority from taking enforcement action against that company. The results of the case will either open or close the doors for regulators across Europe to cast aside the one stop shop when looking to enforce GDPR compliance in their home jurisdiction. For more information on this enforcement action, see our blog post here.

Poland: When is it a disproportionate effort to provide a privacy notice?

In April 2019, the Personal Data Protection Office in Poland issued a €220,000 fine to a digital marketing company for breaching its obligations under Article 14 of the GDPR (i.e. to provide a privacy notice to individuals). The decision has some important practical implications for organisations, including that: (i) the collection of publicly-available information from the internet does not relieve you of your obligations under the GDPR; (ii) a significant cost (in this case €8 million) involved with providing privacy notices to individuals is not sufficient to be able to rely on the ‘disproportionate effort’ exemption under Article 14; and (iii) the GDPR is not prescriptive about how individuals must be provided with privacy information but the ‘passive’ posting of a notice on a website is unlikely to be sufficient where the individuals are unaware of the collection of their data. For more information on this enforcement action, see our blog post here.

Germany: German competition regulator takes enforcement action against Facebook for data issues

In a slight move away from privacy regulation, the German competition authority, the Federal Cartel Office, announced the results of its investigation into Facebook in February 2019. The decision highlights the ever increasing tension between competition and privacy regulation. The FCO found that Facebook had a dominant position in the German market for social networks, and abused this with its data collection policy. The FCO did not impose a fine on Facebook, but has instead required Facebook in the future to only use data from non-Facebook sources where it has users’ voluntary consent, the withholding of which cannot be used to deny access to Facebook. For more information on this enforcement action, please see our blog post here.

UK: First extra-territorial enforcement action commenced by the ICO

In October 2018, the UK data protection regulator, the ICO, issued its first enforcement notice under the GDPR. The notice was particularly noteworthy because it was issued against a company located in Canada, which does not have any presence within the EU. Despite the breaches being alleged, the enforcement notice was the first issued by the ICO relying on the extra-territorial provisions of the GDPR under Article 3. For more information on this enforcement action, please see our blog post here.

Guidance

For many companies, a frustrating aspect of GDPR compliance over the last year has been the uncertainty. One year on from GDPR implementation and many questions remain unanswered. But we have now started to see signs that fundamental questions may eventually be answered and new regulatory guidance is starting to drip feed through the process.

Interesting regulatory guidance published over the last year includes:

A global regulation? EDPB guidelines on GDPR’s extra-territoriality provisions

The expansive nature of the GDPR’s extra-territoriality provisions has resulted in many organisations outside of Europe questioning whether or not they are subject to the GDPR regime. The market has eagerly awaited any guidance in respect of how Article 3 of the GDPR should be interpreted, and so the draft EDPB guidance published late last year was welcomed by the data community and the market as whole. However, whilst the draft guidance answered certain questions about the application of the GDPR, it also left a number of gaps and so we are still awaiting the final version of the guidance in the hope that some of those gaps will be closed. For more information on this guidance, see our blog post here.

EDPB guidance on when processing is “necessary for the performance of a contract”

In April 2019, the EDPB published guidance on the ability of online service providers to rely on the fact that processing is necessary for the performance of a contract in order to legitimise their processing of personal data. Although aimed specifically at online services, the guidance will nonetheless be useful for all controller organisations looking to rely on this processing condition. The guidance adopts a fairly narrow approach to interpretation with an objective assessment of “necessity” being required as opposed to relying on what is permitted under or required by the terms of a contract. For more information on this guidance, please see our blog post here.

EDPB opinion on the interplay between GDPR and ePrivacy

With companies having completed their GDPR compliance programmes, thoughts are now turning to the next major piece of European regulation in the data privacy sphere, the proposed ePrivacy Regulation, and how ePrivacy interacts with the GDPR, particularly with respect to cookie consent and email marketing. In March 2019, the EDPB published an opinion on the interplay between GDPR and ePrivacy which, whilst interesting, also confirmed that the whole ePrivacy regime is currently being renegotiated at a European level and the new ePrivacy Regulation could further change the position outlined in the opinion. As such, the opinion itself appears to be of minimal use for companies. For more information on this guidance, please see our blog post here.

What’s still to come?

One year on from GDPR implementation and we’ve seen limited enforcement action and even less regulatory guidance, meaning that companies are still having to try and find their way through compliance without direction. Much remains unknown and unanswered but what can we expect (or hope) from the next 12 months?

Brexit

The Brexit issue rumbles on without much/any clarity or certainty. We know that an adequacy decision for the UK is extremely unlikely in the short term but whether or not an interim transition deal is achievable (including with respect to data protection and data transfers) remains unknown at this stage.

International transfers

Although the results of the EU-US Privacy Shield annual review in 2018 seem to confirm that the Privacy Shield remains intact for the short term, there remain significant uncertainties around the future of other compliant international data transfer mechanisms. In particular, the validity of the so-called Standard Contractual Clauses (“SCCs”) continues to be challenged through the courts which could result in the SCCs being struck down by the CJEU in the same way that the US Safe Harbor was in 2015.

Continuing on the theme of international transfers, we are also still awaiting the publication of updated versions of the SCCs. The current versions still refer to the 1995 Directive instead of the GDPR but cannot be amended for sense without the risk of invalidating them. There are rumours that the EU Commission has started to consider an update, including potentially updating the controller to processor SCCs to include Article 28 obligations. However, we have yet to see anything concrete coming out of Europe.

ePrivacy Regulation

As mentioned above, the ePrivacy Directive is currently being renegotiated and was originally intended to be ready in time for the GDPR implementation. However, the failure of the European institutions to agree on a number of issues has resulted in multiple delays and it now does not look likely that a draft will be agreed before the end of 2019/early 2020, meaning that the situation regarding cookie consent and email marketing is likely to remain uncertain for a considerable period of time.

Enforcement

As noted above, we are still awaiting a GDPR ‘mega fine’ but we also haven’t yet seen much in the way of significant volumes of enforcement action in order to be able to gain any meaningful insights into enforcement. There are rumours of significant enforcement actions in the pipeline from the ICO and the Irish Data Protection Commissioner, and we also know that there have been a number of material personal data breaches since implementation of the GDPR, but we will have to wait and see what happens in year two of GDPR.

Individual rights and data disputes

Although the GDPR provided for enhanced data subject rights for individuals, we have also started to see it being used innovatively as a mechanism by individuals to assert other rights, including human rights and the right to privacy. We have seen Prince Harry assert that a news company’s photograph of him at home was in breach of GDPR, and a claim against the Police for their use of facial recognition technology has recently started in Wales. Going forward, we are therefore likely to see GDPR used as a tool in disputes. For more information about this, please see our blog post here.

Data breach compensation

Perhaps the elephant in the room sits with data breach compensation. In April 2019 the Supreme Court granted Morissons permission to appeal against the Court of Appeal ruling that it was vicariously liable for its employee’s misuse of data, in the first successful UK class action for a data breach. Whilst the date for the Supreme Court’s hearing is still to be confirmed, the appeal is likely to take place during the course of 2020. For more information on the case, please see our blog post here.

New emerging technologies

The age-old issue of technological innovation outpacing the ability of legislation to keep up has reared its head only one year into the GDPR’s lifecycle. Organisations are having to apply the text of the GDPR to scenarios including blockchain technology, connected and autonomous vehicles and AI techniques that simply weren’t envisaged at the time of writing. In this rapidly evolving technological landscape, the need for regularly updated, up-to-the-minute official guidance in respect of these types of scenarios has never been greater but this will be an extremely challenging demand for the regulators to satisfy.

To keep up to date with the latest legal developments as they happen, please subscribe to our data blog here.

Contacts

Miriam Everett
Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378
Claire Wiseman
Claire Wiseman
Senior Associate and Professional Support Lawyer, Digital TMT & Data, London
+44 20 7466 2267
Lauren Hudson
Lauren Hudson
Associate, Digital TMT & Data, London
+44 20 7466 2483

The Importance of Adequate Consent under the GDPR: HMRC Forced to Delete Five Million Records

The UK privacy regulator, the Information Commissioner’s Office (“ICO“) has recently found Her Majesty’s Revenue and Customs (“HMRC“) liable for a “significant” breach of the GDPR relating to the collection of consents with respect to biometric data. The enforcement action is a timely reminder that a higher standard of (explicit) consent is required with respect to so-called special category data (including biometric data). However, the enforcement action is also interesting because the ICO chose not to fine HMRC but to instead require certain action to be taken (namely the deletion of records), demonstrating that GDPR enforcement is not necessarily all about big monetary penalties.

Continue reading

ICO framework for AI proposed to help support innovative use of this emerging technology

At the end of March the Information Commissioner’s Office (ICO) published an outline of the proposed structure for its auditing framework for the use of personal data in an Artificial Intelligence (AI) context. Once finalised the framework has potential to help catalyse the use of this new emerging technology within the restrictions of data protection regulation. In particular, it is intended to support the ICO in assessing data controller compliance, as well as providing data protection and risk management guidance, in relation to AI. Continue reading

Clarification on the status of the EU-US Privacy Shield on a no deal Brexit

The UK Government has published a new data-related Brexit statutory instrument clarifying the position with respect to transfers of personal data to the US in reliance on the EU-US Privacy Shield (the “Privacy Shield“) and in a no-deal Brexit scenario.

Transfers to the US under the Privacy Shield are currently made pursuant to a special category of adequacy decision based on a specific arrangement put in place between the US and EU authorities. However, advice and guidance on how such arrangements could continue to work in a no-deal Brexit scenario had differed. Continue reading