‘MEGA-FINES’ AND COMPENSATION – HOW MIGHT COMPANIES BE AFFECTED? DEVELOPMENTS IN DATA PROTECTION LAW SEPTEMBER 2019

In this update, we provide you with a brief summary of two recent developments in relation to sanctions imposed under the General Data Protection Regulation (“GDPR”).

  • Firstly, the Berlin Data Protection Authority (“Berlin DPA”) recently announced its willingness to impose multimillion-euro fines for breaches of the GDPR. This shows that significant fines can no longer be ruled out in Germany either. It appears that the Berlin DPA is following in the footsteps of the French Data Protection Authority (“CNIL”) and the UK Information Commissioner’s Office (“ICO”), which have both previously imposed fines in the millions.
  • Secondly, for the first time a court has awarded immaterial damages compensation for a GDPR breach in Austria.

We take a look at what this means for companies and the developments that have been made since the implementation of the GDPR.


ICO’s proposed largest ever fine of £183 million against BA prompts the question: can you insure penalties imposed for breach of GDPR?

The UK’s data protection authority, the ICO, has announced twice in two days this week that it proposes to levy significant fines on organisations for breaches of the General Data Protection Regulation (GDPR), which took effect in May 2018. First it announced that it intends to fine British Airways some £183 million for a data breach in 2018 that affected 500,000 customers (see our Data Blog here for more details). The following day it announced that it proposed to fine the Marriott hotels group nearly £100 million, again for a data breach that affected customers (see our Data Blog here for more details). Both BA and Marriott may make representations to the ICO before final decisions are taken. These proposed fines dwarf previous fines issued by the ICO, which were capped at £500,000 under the old privacy regime.

Until now the business world has been waiting to see how the ICO would use its powers under the new GDPR regime. Under the regime, the ICO can now impose a broader range of significant civil penalties for data protection breaches than was previously possible. This includes penalties of up to €20 million or 4% of a company’s global annual turnover, as well as potentially ordering companies to stop processing personal data altogether. The ICO is clearly now baring its teeth.

British Airways Data Breach: ICO announces potential £183 million ‘mega fine’

  • The ICO has published a notice of its intent to fine British Airways £183.39 million for its 2018 data breach where the personal data of 500,000 customers was stolen by hackers;
  • This is the first ‘mega fine’ issued by a European data regulator since the implementation of the GDPR;
  • The ICO acted as lead supervisory authority and has confirmed that it has been liaising with other EU privacy regulators;
  • No details have yet been published by the ICO regarding the specific GDPR infringements involved;
  • British Airways now has the chance to respond to the notice of intent, after which a final decision will be made by the ICO.


Compliant or not: the GDPR is here

The GDPR came into force on 25 May 2018 and brought with it additional rights for individuals and additional obligations for organisations. It also extends its reach beyond European borders and applies not just to companies within the EEA but also to some organisations outside the EEA.

With the legislation now in force, all eyes will turn towards the regulators to see how this piece of legislation will be enforced. We have already heard from the Information Commissioner in the UK that high fines can and will be levied on those that persistently, deliberately or negligently flout the law. And the ICO’s specified areas of focus are reportedly cyber security, artificial intelligence and device tracking. How this will all play out in practice remains to be seen.

For those organisations still on the compliance journey, there is a wealth of information to assist. We have published a GDPR hub, accessible here, which includes a series of briefings and webinars that take a deeper dive into some of the key considerations in any compliance programme. Copies of the briefings are accessible by clicking on the links below:

  1. The GDPR: the “whole of business” issue at the top of your board agenda
  2. The rise of the intelligent business: spotlight on employers
  3. Extending the long arm of the law: Extra-territoriality and the GDPR
  4. Data use – protecting a critical resource
  5. Supply Chain Arrangements: The ABC to GDPR Compliance


UK Government Position Paper on International Transfers of Data – Key Points

The post below was first published on our Employment blog

Last week the UK Government released its negotiating position paper on international transfers of personal data within the EEA (The Exchange and Protection of Personal Data). Once the UK leaves the EEA it will no longer be subject to the General Data Protection Regulation (the “GDPR”) and would no longer form part of the EU “safe data” zone throughout which personal data may be freely transferred. The GDPR will however continue to apply to UK businesses who provide goods or services to individuals in the EEA.

In line with previous declarations, the position paper outlines the Government’s desire to maintain the “frictionless” movement of data to and from other countries within the EEA. It cites the economic benefits for the UK and EU as well as cooperation in respect of law enforcement matters (such as serious crime and terrorism).

The position paper sets out the Government’s preferred outcome in three key areas:

  • An EU adequacy decision in relation to the UK’s post-Brexit data protection legislation;
  • The continued input of the UK data regulator (the Information Commissioner’s Office (the “ICO”)) in the EU’s regulatory dialogue; and
  • Interim arrangements, from the point of Brexit to the time when more permanent measures have been put in place, to maintain stability and consistency.

House of Lords EU Committee Report on Brexit and the EU Data Protection Package

On 18 July 2017 the House of Lords European Union Committee (the “Committee”) published a report covering the impact of Brexit on four aspects of the EU Data Protection Package:

  • the General Data Protection Regulation (the “GDPR”), which will become directly applicable in all EU member states with effect from 25 May 2018. A Data Protection Bill is expected to be introduced by Parliament after the summer recess;
  • the Police and Criminal Justice Directive (the “PJC”), which EU member states must transpose into national law by 6 May 2018;
  • the EU-US Privacy Shield which enables personal data transfers from the EU to the US for commercial purposes and replaced the previous Safe Harbour international transfer mechanism to the US; and
  • the EU-US Umbrella Agreement which establishes a common framework for the protection of personal data transferred between the EU and the US for criminal law enforcement purposes.


GDPR Compliance: Just under a year to “get your house in order”

The European Commission published its first draft of the EU General Data Protection Regulation (“GDPR”) in January 2012, which set out a comprehensive reform of the existing EU regime. The reform was designed to give citizens more control and protection over their personal data. In April 2016, the final text of the GDPR was formally approved.

The GDPR then entered into force on 25 May 2016 with a two-year implementation period before it comes into effect. This period gives organisations until 25 May 2018 to prepare for the new rules to apply.