The decision of the ICO to issue notices of ‘intent to fine’ to British Airways and Marriott International is a much needed reality check for organisations that may have been lulled into a false sense of security by minimal GDPR enforcement activity since the regulations came into force on May 25, 2018. Here, legal and technology experts reflect on what this development means for business.
Jon Baines, Data Protection Advisor, Mishcon de Reya:
News that the ICO is intending to fine BA £183m and Marriott International £99m is remarkable for a number of reasons.
Firstly, and crucially, these are merely ‘notices of intent’ – recent figures obtained by this Firm under the Freedom of Information Act indicate that nearly one in three ICO notices of intent ultimately either get cancelled or result in a lower final penalty.
Secondly, the legality and fairness of ICO’s investigative procedure has come under serious – and extraordinary – challenge in the recent case involving Facebook, in which the latter is alleging bias, pre-determination and procedural irregularity. It is quite possible that similar arguments will be aired in any challenge to the notices of intent.
Thirdly, the notices of intent were announced initially not by the ICO but by the recipients, under their market notification obligations. To this extent, ICO’s hand has been forced; it will definitely be hoping it has got its factual and legal analyses right, because the challenges coming its way are likely to be robust and costly.
Fourthly, these sums are huge, market influencing ones. Up until now, people were certainly concerned about GDPR, but this news makes it very clear that fines arising from alleged non-compliance have become a major corporate risk factor.
No one should over-react to this news. But everyone should pay very close attention to developments.
Michael Mittel, CEO, RapidFire Tools:
This is just like HIPAA in the USA, where it took several years, but eventually fines did become a regular occurrence. In the US, half of organisations with HIPAA violations end up closing down and the same will happen with GDPR. If you aren’t a big company and you don’t have the money to go through an expensive appeal process like BA is doing, a fine may literally shut you down.
Tony Pepper, CEO, Egress:
It’s really interesting that the ICO issued a second intention to fine under GDPR just one day after the BA news broke. By barely drawing breath between the two announcements targeting two household names, they have achieved maximum impact in showing the potential of their extended powers under GDPR. The scale of both fines can leave no doubt in anyone’s mind that we are now operating under very different standards than when the Data Protection Act was enforced.
Divya Gupta, Partner, Dorsey & Whitney:
The huge fines facing Marriott for a GDPR breach are a signal to other companies that the regulatory bodies are strictly enforcing the law to protect consumer personal data from loss, damage or theft. When entrusted with personal data, it’s a company’s job diligently to look after it, and for many years businesses have gotten away with not doing so. With further fines like this on the horizon, companies doing business in the EU should look to their American operations too.
Several states are imposing privacy laws in the United States – California leading the pack with the California Consumer Privacy Act – and this means possible future penalties for noncompliance now. Thirty million Europeans were impacted in the Marriott breach; if just 10% of that number were California residents, Marriott would be looking at $300,000,000 in domestic statutory penalties as a minimum for failure to enact reasonable security practices and procedures. The lesson here: this GDPR penalty is a paltry sum compared to what is looming.