A new report reveals that the UK ranked second when it came to the total value of GDPR (General Data Protection Regulation) fines issued in Europe last year. Interestingly, if you look at the stats, while Italy topped the list with €58.16 million worth of fines, the UK’s €43.9 million in penalties came from just three data protection violations.
In 2020, British Airways, Marriott and Ticketmaster all received significant fines from the Information Commissioner’s Office (ICO). But these fines – while coming in at £20 million, £18.4 million, and £1.25 million respectively – were not as high as initially expected.
ICO data breach fines much lower than expected
In one of the most severe cyber-attacks in UK history, almost 400,000 British Airways customers had their personal details and bank cards stolen by hackers. In response, in July 2019 the ICO announced that it intended to fine British Airways a staggering £183 million for the GDPR infringement. Under data protection rules, the fine could have been as large as £488 million. British Airways appealed the fine, and the ICO said that it was willing to “consider carefully” the representations made by the airline, as well as by other concerned data protection authorities before making its final decision. And, in October 2020, the ICO reduced the penalty to £20 million. Of course, this is still a significant amount. It remains the biggest charge issued by the ICO to date, and it was the third-highest fine in Europe last year. But there is no doubt that there has been a considerable decrease.
Similarly, following a data breach that put 500 million Marriott customers at risk, in July 2019, the ICO announced that it planned to fine the US hotel group £99.2 million, stating that “we will not hesitate to take strong action when necessary to protect the rights of the public.” However, as with the British Airways fine, this was subsequently reduced and Marriott ended up with a penalty of ‘just’ £18.4 million.
In 2020, the ICO also fined Ticketmaster £1.25 million for a breach that affected up to 40,000 people. An earlier Notice of Intent by the ICO had set this penalty at £1.5 million.
Under GDPR, the regulator has the power to issue a maximum fine of €20 million (about £18 million) or 4% of annual global turnover (whichever is greater) for data infringements. And it seems that, rather than just looking at the previous year’s figures, the ICO also took the impact of Covid-19 and “affordability” into account when making its final decisions. So, has Covid-19 lessened the impact of GDPR fines?
The impact of Covid-19 on data breach penalties
Certainly, the ICO considered the economic impact of COVID-19. The British Airways fine was reduced on appeal due to mitigating factors put forward by the airline, and that included financial pressures due to coronavirus. But, when you look at the detail, only £4 million of the reduction was attributed to the pandemic. Likewise, the ICO reduced Marriott’s data breach fine to reflect cybersecurity improvements made by the hotel group, as well as the impact of coronavirus. Furthermore, while there is no question that the ICO took the impact of COVID-19 into account when setting the Ticketmaster fine, the regulator only reduced the penalty from £1.5 million to £1.25 million.
So what does that tell us?
There is no doubt that the three companies involved in these breaches operate in industries that have been extremely hard hit by the global pandemic. Indeed, it is difficult to think of sectors that have suffered more financially. So how organisations in other industries facing huge data protection fines would be able to put forward compelling arguments to ensure significant reductions for similar reasons is difficult to see. As such organisations should not think about relying on the pandemic to appeal for reduced fines and greater leniency.
This article was written by Matthew Evans. Matthew is a senior data breach solicitor at Keller Lenkner UK. He brings extensive data breach and commercial expertise to the practice and advises clients in current multi-party actions including against Ticketmaster, British Airways and Marriott International.