
GDPR fines may be susceptible to significant reductions upon appeal

The General Data Protection Regulation (GDPR) substantially increased the amount that data protection authorities (DPAs) are empowered to fine organisations, to €20m or 4% of worldwide annual turnover. The UK Information Commissioner’s Office (ICO) has issued a limited number of fines for data protection breaches in the first 5 years of the UK GDPR. It has substantially revised the majority of the provisional amounts of these fines, by up to an average of 77%, in response to the organisations subject to those fines pleading mitigation. In this article, we consider the factors behind, and the consequences of, such significant reductions.

ICO enforcement powers

The ICO may issue information notices (INs) under section 142, enforcement notices (ENs) under section 149 and monetary penalty notices (MPNs) under section 155 of the UK Data Protection Act 2018. Organisations have 28 days to appeal to the First-tier Tribunal (General Regulatory Chamber) (Tribunal). The ICO has published its Regulatory Action Policy to enable organisations to understand how and when it will use its enforcement powers.

Doorstep Dispensaree Limited

In July 2018, the Medicines and Healthcare Products Regulatory Agency (MHRA) executed a search warrant at the premises of Doorstep Dispensaree Limited (DDL), a supplier of medicines for care homes. The MHRA subsequently notified the ICO that it had discovered unlocked containers holding approximately 500,000 documents in a courtyard accessible from residential flats via a fire escape. The MHRA found that some documents dated back to January 2016, that the documents included personal data (for example, names and addresses) and special category data (for example, prescriptions), that they were not marked as confidential waste and that they were partially water damaged; it could not estimate the number of data subjects.

Initial ICO intended fine – £400,000 (June 2019)

ICO reduced fine – £275,000 (December 2019)

Tribunal reduced fine – £92,000 (an approximate reduction of 67%) due to:

  • DDL financial hardship
  • audit findings that in fact only 66,638 documents containing personal data were recovered

British Airways

Between 22 June and 5 September 2018, an unidentified cyber attacker used the compromised credentials of a user at one of British Airways’ (BA’s) third party suppliers to access BA’s network and remain undetected. The attacker was able to access the personal data (including names, addresses, payment card numbers and/or CVV numbers) of approximately 430,000 customers and staff, and to copy and redirect customer payment card data to their own website.

Initial ICO intended fine – £183.39m (July 2019)

ICO reduced fine – £20m (October 2020) due to:

  • the mitigating factors raised by BA
  • the impact of the COVID-19 pandemic

Marriot International Inc

During July 2014, an unidentified cyber attacker installed a piece of code known as a “web shell” onto a device within the Starwood Hotels and Resorts Worldwide Inc network to enable remote access as a privileged user. It is estimated that 339m guest records worldwide (including 7m in the UK) were affected. The personal data may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership numbers. Marriott International Inc (Marriott) acquired Starwood on 31 December 2016 or 1 January 2017, but the attack remained undetected until September 2018.

Initial ICO intended fine – £99.2m (July 2019)

ICO reduced fine – £18.4m (an approximate reduction of 74%) (October 2020) due to:

  • the mitigating factors raised by Marriott
  • the impact of the COVID-19 pandemic

Ticketmaster UK Limited

On 19 February 2018, an unknown cyber attacker injected malicious code into a chatbot hosted by Inbenta Technologies. The code extracted copies of any data submitted on Ticketmaster UK Limited’s (Ticketmaster’s) online payment page. The cyber attack potentially affected 9.4 million customers in the European Economic Area (including 1.5m in the UK) between February 2018 and 23 June 2018. The personal data included names, contact details, usernames, passwords, bank details and credit card, debit card and CVV numbers. Barclays Bank advised that approximately 60,000 individual card details were compromised, and Monzo Bank that it was necessary to replace approximately 6,000 cards.

Initial ICO intended fine – £1.5m (February 2020)

ICO reduced fine – £1.25m (November 2020)

Tribunal decision – pending…

In summary, four of the five fines issued by the ICO up to and including 2021 have been significantly reduced after mitigation was pleaded to the ICO and/or the Tribunal. In addition, while some of these reductions specifically cite COVID-19 as a mitigating factor, it will be interesting to monitor how external factors such as COVID-19 continue to affect the fines finally imposed.

Recommendations

In light of the above, organisations should ensure that they:

  • raise internal awareness of regulatory fines and the right to claim compensation, in particular to obtain buy-in from senior management for data protection compliance;
  • fully establish the details of personal data breaches in order to raise appropriate mitigation with the relevant DPA where necessary;
  • take heed of the factors under Article 83(2) of the GDPR and the relevant DPA’s regulatory action or equivalent policy in regard to such breaches; and
  • account for the risk of claims for compensation, in addition to regulatory fines, within their insurance cover.

Trilateral’s Data Protection and Cyber-Risk Team has significant experience advising organisations in regard to personal data breaches. For more information please feel free to contact our advisers, who would be more than happy to help.

Sanjay Patel

Sanjay Patel is Data Protection Advisor at Trilateral Research.

Rachel Finn

Rachel Finn is Senior Practice Manager at Trilateral Research.
