Two very large fines from the UK’s Information Commissioner’s Office (ICO) have again focussed minds on GDPR and data protection in general. British Airways parent company International Airlines Group (IAG) has been notified by ICO of its intention to fine it £183M (€200M) for the data breach relating to its web-based booking system. The details of this breach were discussed in the previous issue of OH Magazine (GDPR: First Days, OHM 42, p31-33, 2018.3). This fine amounts to 1.5% of IAG’s annual revenue; it could have been up to 4%. IAG is appealing the fine and we must wait for the final outcome.
ICO have also fined Marriott Inc., the international hotels group, a total of £99M (€115M) for a data breach in its Starwood chain of hotels. In fact the breach pre-dates both GDPR and the completion of Marriott’s takeover of Starwood, but it was not reported until GDPR was in force. Marriott have co-operated with ICO throughout and are now appealing the decision. Although Marriott have major business interests in Europe, they are an American corporation.
Prior to these two major cases, the largest fine so far had been Google’s $50M fine by France’s data protection authority CNIL. Essentially it was due to a complaint by Austrian and French activist groups that Google’s Android phone setup process included the creation of a Google account, of which customers were not made sufficiently aware and for which no opt-in consent was obtained.
Throughout Europe there have been several other interesting cases.
- One of the more incredible cases involves Spain’s top football association and league, La Liga. They have been fined €250,000 because their mobile app secretly accessed the phone’s microphone once a minute to sample background sound. If football broadcasts were detected in the background then the location was checked. This was ostensibly to reduce unauthorised showings of football matches in bars and clubs. Users of the app were unaware of the practice and were not given any opportunity to give consent.
- In Germany, Knuddels.de the social media platform was fined just €20,000 after a hack in July 2018 resulted in the loss of personal data from 330,000 users, including names and email addresses. The relatively low fine has been attributed to the subsequent reaction and improvement plan put in place by the company.
- A second case from Germany was against a private individual who sent a number of emails to a group of recipients, leaving the email addresses visible to the whole group, i.e. not using the BCC option. Up to 153 personal email addresses were identifiable and the man was fined €2000 by the Data Protection Authority of Sachsen-Anhalt.
- In Denmark, IDesign were fined €200,850 following an inspection that found they had processed data of 385,000 individuals for a longer period than was necessary. Additionally, the company had not established and documented deadlines for deletion of personal data in their new CRM system. This is a classic misuse of personal data. Incidentally, Denmark is unique within the EU in that GDPR fines are handed down by the criminal courts. There are many similar cases reported around Europe.
- In Cyprus a hospital has been fined €5000 for not being able to locate or identify the records of one of their patients when challenged for the information.
More information is available at www.enforcementtracker.com. These cases show that data protection authorities are not just concentrating on the high-profile breaches but also on the many day-to-day breaches of personal information.
In total, in the first 9 months since the GDPR came into operation, 206,326 cases were reported under the new law by the supervisory authorities in the 31 countries of the European Economic Area. About 65,000 were initiated on the basis of a data breach report by a data controller, while about 95,000 were complaints.
Some 52 per cent of the overall cases have already been closed, with 1 per cent facing a challenge in national courts. Total fines came to €55.96M, of which €50M related to the Google case in France. In comparison, in the UK the ICO issued fines totalling £3M in the year preceding GDPR, which included a £500,000 fine for Facebook. The ICO have indicated that the equivalent Facebook fine under the GDPR could have been over £1 billion, and the company now faces a $5B fine from regulators in the USA. (https://www.theregister.co.uk/2019/03/14/more_than_200000_gdpr_cases_in_the_first_year_55m_in_fines/)
To recap, under the GDPR (https://gdpr.eu/fines/) fines are administered by the data protection regulator in each EU country. The regulator determines whether an infringement has occurred and the severity of the penalty. Ten criteria are used to determine whether a fine will be assessed and in what amount:
- Gravity and nature — The overall picture of the infringement: what happened, how it happened, why it happened, the number of people affected, the damage they suffered, and how long it took to resolve.
- Intention — Whether the infringement was intentional or the result of negligence.
- Mitigation — Whether the firm took any actions to mitigate the damage suffered by people affected by the infringement.
- Precautionary measures — The amount of technical and organisational preparation the firm had previously implemented to be in compliance with the GDPR.
- History — Any relevant previous infringements, including infringements under the Data Protection Directive (not just the GDPR), as well as compliance with past administrative corrective actions under the GDPR.
- Cooperation — Whether the firm cooperated with the supervisory authority to discover and remedy the infringement.
- Data category — What type of personal data the infringement affects.
- Notification — Whether the firm, or a designated third party, proactively reported the infringement to the supervisory authority.
- Certification — Whether the firm followed approved codes of conduct or was previously certified.
- Aggravating/mitigating factors — Any other issues arising from circumstances of the case, including financial benefits gained or losses avoided as a result of the infringement.
GDPR is now up and running. This article has concentrated on the penalties being issued as a result of investigations undertaken by the national data protection authorities. Many cases revolve around improper company policies on data handling, or simply not knowing where your data (on paper or stored on computer) is located. Data requires management! Some of these fines could potentially put the companies out of business, although this is not the intention of the authorities.
The higher-profile cases are mainly malicious data breaches or are caused by inadequate testing of software. Make sure your systems are fully patched and tested, including against hacker threats.
This article was first published in OH Magazine, Issue 44, 2019.2, p30-31.