GDPR Regulatory Action
The UK’s data protection regulator has made its first hefty announcements since GDPR became law in 2018. With news British Airways and Marriott could face massive fines for data breaches, what else has the Information Commissioner’s Office (ICO) been up to? And what of their counterpart authorities across Europe?
The ICO has issued a ‘Notice of Intention’ (NOI) to fine British Airways a staggering £183.39 million for GDPR infringements. Ouch. The breach took place last September, in which personal data of approximately 500,000 BA customers was compromised.
The Regulator has also issued a NOI to fine Marriott £99 million. Ouch again. This relates to a cyber incident in which approximately 339 million records were exposed, of which 7 million related to UK residents.
What happens next? The companies both have twenty-one calendar days, from the date of the NOI, to make representations to the Regulator. The ICO has confirmed it will also consider representations made by other data protection authorities before it makes a final decision on penalties. This will then be confirmed in a ‘Monetary Penalty Notice’ (MPN), which will include any aggravating and mitigating factors the ICO has taken into account. British Airways & Marriott will then have to pay up within a specified period (28 days maximum), or they may exercise their right to appeal within 28 days. British Airways, for one, has said it will vigorously defend its position.
An interesting month or so ahead in what could be two landmark cases … We’ll be closely following developments.
Other ICO actions in the UK (a non-exhaustive list!)
- In June, the ICO reported it has been working with the Metropolitan Police Service (MPS) to address its substantial SARs backlog. The MPS has indicated it has more than 1,100 open requests – with nearly 680 over three months old, leading to two enforcement notices by the Regulator ordering the Met to respond to all requests by September.
- In May HMRC was in the spotlight, after being found to have failed to provide customer’s sufficient information about its voice ID service, and a failure to give people the chance to give or withhold consent for processing biometric data. The ICO’s enforcement notice compelled HMRC to delete all biometric data held under the system for which it doesn’t have consent.
- The Regulator is regularly issuing Information Notices, asking companies to respond to complaints. It’s also continuing to take action under the ePrivacy PECR rules. For example, EE Limited was fined £100,000 for sending 2.5 million direct marketing messages without consent. The telecoms company judged these to be ‘service’ messages, but the ICO disagreed.
Meanwhile, elsewhere in the EU…
We’ve all heard of the whopping €50 million fine the French Regulator (CNIL) issued against Google in January. While other fines and action may not have grabbed the headlines, it’s worth noting what infringements of GPDR are attracting regulatory action.
The requirement to implement appropriate Technical and Organisational Measures (TOMs) is not new, but GDPR stipulates organisations must:
“implement appropriate technical and organisational measures” taking into account “the state of the art and the costs of implementation” and “the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.”
And GDPR does go further than the legislation it replaced, suggesting the kinds of security measures that might be considered “appropriate to the risk,” including:
- Pseudonymisation and encryption of personal data
- The ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- A process for regularly testing, assessing and evaluating the effectiveness of TOMs
There have been a number of TOMs-related fines. In June the Romanian Data Protection Authority (DPA) fined Unicredit Bank €130k for failing to implement appropriate TOMs, leading to the online disclosure of IDs and addresses of more than 300,000 people. In Norway, the Bergen Municipality was issued with a €170k fine, due to insufficient security measures which lead to files with usernames and passwords on computer systems being openly accessible. The Czech and Maltese DPAs have also issued fines for failure to have appropriate measures to protect personal data.
Keeping data too long
One of the biggest challenges for many organisations is upholding Article 5.1(e) – one of the core principles, ‘storage limitation’. Implementing a robust data retention schedule is difficult both on an organisational and technical level.
In June, Danish company IDdesign was fined over €200k for processing nearly 400,000 customers’ data for longer than was necessary. The company was found not to have established and documented deadlines for deletion of personal data in their new CRM system.
In May the CNIL fined Sergic (a company specialising in real estate development and property management) €400k on two grounds, lack of basic security and excessive data storage.
A Danish taxi firm was also issued with a €160k fine. The company was found to have deleted the names of its passengers from all its records after two years, however this did not include the rest of the ride records which meant individuals’ telephone numbers were unnecessarily retained.
Failing to uphold individual rights
There have been fines in Bulgaria and Hungary for failing to respond to SARs within a calendar month, plus other fines for failure to rectify personal data and fulfil erasure requests. A Hungarian debt collector initially refused an erasure request because they said they couldn’t identify the individual. Further information such as place of birth and mother’s maiden name was requested. But even once the individual was identified, the debt collector refused the request citing a requirement to retain back-up copies under the Accountancy Act. The Hungarian DPA judged that the debt collector hadn’t breached the right to have data erased but had in fact breached the principle of transparency.
The Polish DPA has fined a company for failing to fulfil the right to be informed under Article 14. Personal information was sourced from publicly available sources, but individuals were unaware this was being processed. See Prospects, leads, bought-in lists – don’t forget the right to be informed
Failure to disclose data breach
In April a Hungarian political party was fined more than €34k for failing to notify its DPA and affected individuals about a data breach. The incident was the result of an anonymous hacker who managed to access and disclose information on the vulnerability of the organisation’s website. It was judged that the hacker’s publicising of vulnerability meant people with low level IT skills would be able to retrieve information from a database of 6,000 individuals. The party was also found to have failed to document the breach.
Processor not Controller fined
In an interesting case, an Italian processor running websites for the political party Movimento 5 Stella, bore the fine. The Italian DPA found the Rousseau platform not to have implemented appropriate TOMs and issued a fine of €50k. The DPA did not consider the data controller liable, but instead judged there could be a liability of a data processor, without liability of the data controller.
Unlawful tracking & listening
A person who rented a car from a Czech car rental company was not informed that the car was tracked via GPS. The Czech DPA found that no information was provided in terms of Article 13 and that legitimate interests could not be the lawful basis for processing in the circumstances. The rental firm received a nominal (€1,165) fine.
A much bigger fine of €250k was issued in Spain against the national Football League (LaLiga). It was found that, via an app, once a minute the microphones of users’ mobile phones were accessed in order to try and establish pubs and bars screening football matches without paying the required fee. The Spanish DPA said users had not be adequately informed and the app didn’t meet the requirements to enable users to withdraw their consent.
Unlawful video/voice recordings
In June, CNIL fined a French employer €20k for filming employees at their workstations. CNIL had previously received complaints and alerted the company of the rules around workplace surveillance, in particular that individuals shouldn’t be continually filmed and should be informed. However, in a further audit in October 2018 the CNIL established the employer was still breaching data protection law. In deciding the fine the French DPA took into consideration the size (only 9 employees) and the financial situation of the company.
As for ‘This call may be recorded for training purposes’? Well, not according to the Danish DPA, without consent. In April they ruled that a company cease recording phone calls for training purposes until a technical solution was implemented making it possible to obtain caller consent.
And finally, it’s not just businesses that are falling foul of the rules…
In Austrian a private individual was fined €2,200 for the use of CCTV at his home. The video surveillance was found to cover areas which were intended for the general use of residents in a multi-party residential complex. It covered areas such a sidewalks, courtyard and gardens. The Austrian DPA deemed the use not to be proportionate, to be intrusive into individual privacy and conducted without consent or being informed.
To get regular updates on the latest GDPR ruling use this handy enforcement tracker.
The aim of GDPR was to harmonise data protection laws across the EU and for DPAs to take a joined-up approach to enforcement. Will this work in practice? It’s still early days, more action will be forthcoming and no doubt appeals.
The ICO has also issued an update report on Adtech and Real-Time-Bidding – read our 10-takeaways from this report. Furthermore, following criticism their own approach to cookies was non-compliant, the ICO swiftly updated their cookie pop-up and issued robust new Guidance on Cookies and Similar Technologies. Read How the cookie rules will impact on website analytics
Philippa Donn, July 2019
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.