For almost every business of any size operating in Europe, the General Data Protection Regulation (GDPR) has become an integral feature of corporate life. Designed to protect EU citizens, its primary impact has been felt by businesses large and small as EU regulators have sought to make it the global standard for privacy and data use.
Before GDPR came into effect in May 2018, law firms were heavily engaged across the EU as their corporate clients scrambled to put the highest standards of data privacy into place, not least for fear of being subject to the maximum potential fine: up to €20m, or 4% of annual global turnover, whichever is greater.
A year on, the FT reported on 1st July: ‘Evidence is mounting that the law has shortcomings and unintended consequences that are hurting businesses, consumers and innovation.’ It pointed to research which suggested that GDPR was the main obstacle to developing new technologies – down a third on the year before it was put in place – together with a sharp decline in EU consumers’ trust in the Internet, and an even sharper drop in venture funding for EU tech companies.
The FT article added that nearly two-thirds of Europeans (63 per cent) either had not heard of GDPR or did not know exactly what it is, while more than 1,000 US news sites had blocked European-based users as a consequence. ‘Instead of taking a victory lap,’ the FT concluded, ‘EU policymakers should make targeted reforms to GDPR.’
At the time of its publication, only a handful of (mostly small) fines had been levied, making some observers question whether the new regulations had any real teeth. That was despite DLA Piper revealing in February that more than 59,000 data breaches had been reported over the previous 12 months.
Of the €56 million fines levied in the first year of GDPR being effective, €50 million was the result of just one fine, announced in January: by the French authorities against Google relating to the creation of personalised advertisements from its user data. Although significant, the figure represented just 0.04% of Google’s combined 2018 revenues.
But everything changed within a few days of the FT article being published. The UK Information Commissioner’s Office (ICO) used its powers under GDPR to levy heavy fines against both British Airways and the Marriott hotel chain. Combined, these totalled almost £300m.
British Airways was ‘surprised and disappointed’ at the proposed fine of £183.4m, according to its chairman and chief executive, Alex Cruz. For International Airlines Group, BA’s parent, the penalty is equivalent to 5% of current profits and 1.5% of turnover in 2017. It was imposed as a result of the personal data of 500,000 BA customers being stolen by hackers in August 2018 from its website and mobile app.
BA’s surprise may be genuine since the company had cooperated fully with the ICO investigation and no evidence of fraud was found on any customer accounts which were accessed as a result of the hack. But in a damning statement, the ICO said that the breach was due to ‘poor security arrangements at the company’. Cruz said that BA would ‘take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.’
The Information Commissioner, Elizabeth Denham, said in a statement: ‘People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.’
Just 48 hours later, the ICO, whose fining powers were previously limited to £500,000, imposed another huge fine – this time, £99.2m – on the Marriott group after the personal data of 339 million guests was stolen by hackers in 2014. Last November, Marriott International, the parent company of hotel chains including Westin, Le Méridien and Sheraton, had admitted the colossal scale of the data hack on its guest records, involving credit card details, passport numbers and dates of birth.
‘We are disappointed with this notice of intent from the ICO, which we will contest,’ said Arne Sorenson, president and chief executive of Marriott International. ‘We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standards of excellence that our guests expect from Marriott.’
The Marriott hack was different from BA’s because it had occurred in 2014 in a company, the Starwood group, which was not acquired by the Marriott group until 2016. But the ICO investigation found that Marriott had not undertaken sufficient due diligence during the acquisition process, concluding that more should have been done in order to secure the systems and prevent any further compromise of customer data. Denham said in another statement:
‘The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected. Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.’
Companies are allowed to appeal against the scale of such fines and have 28 days to make representations. Despite announcements from BA and Marriott that they do intend to appeal, the message has hit home. For businesses of any size, it is a wake-up call: at a stroke, the full impact of GDPR is now plain to see for directors in boardrooms everywhere. These cautionary tales are likely to be followed by a further raft of heavy fines over the coming months, given the number of large-scale hacks which have been reported in recent years. Other European data protection regulators seem set to follow by ramping up fines for data breaches.
The BA and Marriott fines therefore serve as a warning for companies to focus on prevention rather than cure. Cyber security companies and law firms will undoubtedly benefit as a result, with businesses that have thousands or millions of customers needing to revisit their existing provisions.
The potential consequences of a breach could prove devastating for some since GDPR applies to any company which handles customer data, not just multinationals. The message is clear: time, effort and resources need to be invested to ensure that every business is fully compliant and that security measures to protect customer data are more than sufficient.
In response to the FT’s article, Elizabeth Denham wrote a letter to the newspaper which was published on 3rd July under the heading ‘GDPR is showing clear promise as a modern law fit for the digital age’. The UK Information Commissioner wrote:
‘It would be a mistake to condemn the General Data Protection Regulation for holding businesses back when it has been in existence little more than a year (‘A reality check for GDPR: it is holding EU business back’, July 1). Far from seeing a law that stands in the way of progress, the GDPR has so far appeared adaptable to digital innovation. The experience of my office has been businesses responding positively to the law change.’ She concluded: ‘The GDPR is still finding its feet. But it already shows clear promise as a modern law fit for a digital age.’
That may prove to be something of an understatement. In light of the BA and Marriott fines, which were announced just after the letter was published, businesses may have to respond very positively indeed to mitigate the potential risk of large fines being imposed should a breach occur.
Sometimes, the law really does have teeth.
Dominic Carman, journalist, writer and legal commentator. www.dominiccarman.com