Few will have been surprised that, when the ICO eventually published details of the BA and Marriott fines, the final penalties were very much lower than the £183+ million and £99+ million proposed in the original notices of intent. Many may nevertheless have been surprised at just how much lower, coming in at £20 million and £18 million, not much more than 10% and 18% respectively of the original proposals? £20 million and £18 million certainly feel much more proportionate to the shortcomings in both BA and Marriott’s security that their data breaches exposed but many of us will have been left wondering just what changed so much between the issuing of the notices of intent and imposition of the final penalties. The ICO is to be congratulated on publishing such detailed penalty notices, running to over 110 pages in the case of BA and over 90 pages in the case of Marriott, thus giving us a clear insight into the nature of the data breaches and the ICO’s reasons for rejecting most if not all of BA and Marriott’s arguments as to why they should not face fines at all, let alone fines at the eye watering levels originally proposed. It is easy to see why the ICO decided that the cases warranted substantial penalties but much less easy to see why the penalties were eventually set so much lower than the ICO’s original intentions.
It would be surprising if the facts of both the cases weren’t known substantially by the ICO as a result of its original investigations There is little in either of the penalty notices that suggests that the ICO now regards the breaches as significantly less serious than they originally did. Indeed, in both cases, the notices comprehensively reject the companies’ representations as to why their shortcomings were not as serious as the ICO judged them to be and why the risks to affected individuals were not as great as the ICO had suggested. Also there is nothing obviously new or surprising in the mitigating factors favouring either BA or Marriott which, in any case, only merited 20% reductions rather than, in BA’s case a near 90% reduction in the level of the fine and in Marriott’s case a reduction of over 80%.
With BA, one change highlighted was the ICO’s acceptance that the infringement should be regarded as running from 25 May 2018, when the GDPR entered into force, until 5 September 2018, rather than until 16 November 2018 as it had originally suggested. However, this alone can hardly justify the extent of the reduction in the BA penalty. Similarly, with Marriott the ICO accepted that Marriott did not breach the GDPR in relying on reports that multi-factor authentication had been implemented and that Marriott did not contravene the GDPR’s breach notification requirements. Again it is unclear how these factors alone would justify the scale of the reduction in Marriott’s penalty.
In both cases the primary reason behind the ICO’s change of heart appears to have been a recognition that although, in the ICO’s view, “the controller’s turnover is a relevant consideration” in setting any penalty, the controller’s turnover should no longer be the overriding consideration. BA’s original penalty of £183+ million appeared to have been set on the basis that it represented 1.5% of the business’s global turnover. With Marriott, the position is less clear as the ICO’s penalty notice mentions a mathematical error in the original notice of intent. Based on the information published in the final penalty notice, the original penalty would have been around 2% of Marriott’s turnover but this may not have been the level that the ICO’s intended to set it at. However, in neither case has the final penalty been calculated directly as a % of the business’s turnover. Indeed, little mention is made of turnover in the sections of the notices addressing the penalty calculation beyond a statement, in BA’s case, that “to apply an effective, proportionate and dissuasive fine in the context of a controller of BA’s scale and turnover, the Commissioner has determined that, in principle, a penalty of £30m would be appropriate, before adjustment”. Similar wording is used in the Marriott case. The question therefore remains as to how relevant a business’s turnover is likely to be in the calculation of any future fines?
How Relevant is Turnover?
It is clear that when proposing the original penalties the ICO had relied on a Draft Internal Procedure for calculating proposed penalties. This focussed on the turnover of the controller in question. Both BA and Marriott appear to have argued, amongst other things, that applying this unpublished procedure was unlawful. Their argument was likely to have been that relying on an unpublished, turnover based procedure meant that the likely level of fines was not reasonably foreseeable by those businesses liable to such fines and that the penalty setting process was therefore flawed. Although the ICO has not necessarily conceded this point, it nevertheless agreed that no reference would be made to the Draft Internal Procedure in the cases in question. The indications are that the ICO has recognised that there was more than just a procedural failing on its part in relying on an unpublished draft procedure. Rather, the draft procedure itself was flawed in placing undue weight on turnover. As the ICO now says, “Turnover is one key factor to be taken into account in the round, by reference to the particular facts of the case” and, “Ultimately, the Commissioner must – before imposing a penalty – consider all relevant factors, and ensure that the penalty is effective, proportionate and dissuasive”.
If this is indeed the ICO’s approach going forward it will be most welcome. Whilst the ICO has not discounted turnover as a relevant factor in calculating fines, the real test has become whether any proposed fine seems right when viewed in terms effectiveness, proportionality and dissuasiveness rather simply where the infringement in question sits on a turnover based scale. The BA fine may still be subject to appeal but viewed in the light of the ICO’s revised approach a £20 million fine would seem to be much closer to the mark that the £183+ million originally proposed. The same is true with the Marriott fine of £18 million when set against the original £99 million.
Understandably, particularly given the turnover related provisions of the GDPR, the ICO has not abandoned turnover as a relevant factor in calculating fines, merely reduced its significance. If fines are to be effective and to have a deterrent effect it is not unreasonable to argue that they must cause some pain to those on whom they are imposed. The amount of that pain will inevitably depend, even if only partially, on the relationship of the level of the fine to the organisation’s ability to pay which will, in turn, have some relationship to its turnover. As the ICO says in its penalty notice, “It is self-evident that imposing the same penalty on an undertaking with a turnover of billions of pounds as would be imposed on a small or medium sized business would not be effective, proportionate or dissuasive.” It is important though for the ICO to keep sight of the proportionality element here. Would it, for example, have been proportionate to fine Marriott perhaps hundreds of times as much as say an online retailer selling a much cheaper product but suffering a comparable breach both in terms of seriousness and size, simply because Marriott is selling a much higher value commodity and hence has a higher turnover. Even though Marriott’s turnover might be higher that doesn’t necessarily mean either that it is generating any more profit than the online retailer or that its business involves any greater degree of processing of personal data.
The ICO also needs to be careful not to draw too much on comparisons with regulatory regimes under competition law. It is true that these may take turnover into account in setting penalties and that their approach was a driver behind basing the GDPR’s penalties on turnover. However, much of the reasoning here is that turnover based penalties are needed to act as a disincentive to businesses that can generate substantial, ill–gotten gains through ignoring their competition or data protection law obligations. Of course there may be some cases where businesses can profit as a result of GDPR breaches, perhaps through obtaining a marketing advantage by ignoring consent obligations, but this is unlikely to be the case with security breaches. As the ICO says in the BA penalty notice, “BA did not gain any financial benefit, or avoid any losses, directly or indirectly, as a result of the breach.”
The ICO’s Draft Statutory Guidance
In this context it is notable that the ICO has been consulting on its draft “Statutory guidance on our regulatory action”. This updated guidance is intended to come into effect after the end of the Brexit transition period and has been drafted accordingly. However, the main driver for updating this guidance, published just two weeks before the BA penalty notice appeared, may well have been the thinking that went into this notice and into addressing the representations made by both BA and Marriott in response to their original notices of intent. The ICO’s draft guidance is more explicit than its predecessor about how penalties will be calculated. It now sets out a nine step approach with determination of turnover coming in at Step 3 following an assessments both of seriousness and of the degree of culpability of the organisation concerned. Step 4 then involves calculation of an appropriate starting point for the penalty using a matrix based on the results of the preceding three steps.
It is informative to use the BA case as an example of how this matrix might be applied. In doing so it is necessary to make some assumptions. The first is that the breach of law was of “medium” seriousness rather than low, high or very high which are the other categories used in the matrix. This may err on the side of favouring BA but the ICO’s penalty notice simply describes the nature of BA’s failures as “of serious concern” and, in some circumstances of being “especially serious”. The second assumption is that the degree of culpability of BA was, as is stated in the penalty notice “negligent” rather than “low/no” or “deliberate”. The remaining assumption is that higher maximum amount (i.e. 4% rather than 2% of turnover is applicable) in line with the ICO’s reasoning in its penalty notice. Applying these assumptions within the matrix at Step 4 would lead to a starting point for BA’s fine of 1% of the business’s turnover. This would be of the order of £120 million.
It is though difficult to see how the ICO would then get down to the £20 million that was actually imposed on BA. The steps that follow the starting point, which include consideration of aggravating and mitigating features as well as financial means and economic impact could lead to a significant reduction in the starting point but in the BA case this would need to be a reduction from £120 million to £20 million, i.e. a reduction of over 80 %. It is unclear just what the ICO’s intention is here. It seems unlikely that the ICO is intending that such substantial reductions from the starting point will be the norm in cases that are in any way comparable to the BA and Marriott ones. If this is indeed the ICO’s intention there must be a question as to whether using a turnover based starting point is actually the right approach to setting fines, or, at the very least, whether the percentages of turnover on which the starting point is based are unrealistically high.
On the other hand it could be that the ICO is attempting to reset the clock with its updated statutory guidance in that if the BA case were to come before it once the updated guidance is in place BA would, on the same facts, be in line to receive a fine much closer to £120 million than £20 million. If so, it is hard to see how this could be justified. A similar analysis can also be applied in the Marriott case and the same question arises.
The ICO has recently announced a fine of £1.25 million for Ticketmaster as well as publishing both the BA and Marriott penalty notices. Businesses will reasonably treat these, and the only other GDPR penalty notice, that against Doorstep Dispensaree Ltd for £275K, as establishing precedents for GDPR fines arising from data breaches. Their expectations of what they might be in line for themselves will rightly be framed by the penalties that other businesses have received. Perhaps the ICO has made a calculation that the £20 million and £18 million pound fines are the most that it could impose on BA and Marriott without risking costly and perhaps embarrassing appeals. There is though nothing in the notices to suggest that this is the case or that the penalties imposed in these cases should be viewed as in any way as one offs or as, in any other way, exceptional. Indeed, the ICO strongly defends its approach to penalty setting in both its notices thereby underlining that these and the accompanying fines set precedents which, given the obligation on any regulator to act consistently, it will be hard for the ICO to depart significantly from.
Maybe the answer could lie in a single paragraph in the ICO’s draft updated statutory guidance. Here the ICO is saying that,
“Where a fine based on turnover exceeds the 10 or 20 million Euros limit, we will cap the fine at the relevant limit. We may impose a fine up to the relevant limit, if a fine based on turnover would not result in a proportionate fine because, for example, a company has a very low or no turnover (but has committed a serious breach of data protection law). “
This paragraph, set in context, may be capable of more than one interpretation but on the face of it the ICO appears to be indicating that, despite the turnover based starting point, the maximum fine that any organisation could face would be 20 million Euro (or 10 million Euro if the nature of the breach attracts the lower maximum). Nevertheless It is hard to believe that it is really the ICO’s intention to limit fines in this way. This may therefore come down simply to a lack of precision in the ICO’s drafting of its guidance. However, if it is indeed the ICO’s intention to limit fines to a maximum of 20 million Euro this will undoubtedly be welcomed by businesses as both providing them with some certainty about the penalty setting regime and in limiting their risks. It would though be difficult to reconcile these caps on fines with the BA and Marriott penalties, which have already exceeded or come very close to 20 million Euro. The ICO would also be left with very little scope for imposing higher penalties in what could well be more serious cases than the BA and Marriott ones.
Perhaps what the ICO is meaning to say in its draft guidance is that if, for example, the turnover based starting point for a fine is 3% of turnover at Step 4 of the nine step approach application of the remaining steps will not lead to an increase in the fine that takes it beyond the overall 4% maximum. This might be less surprising, indeed it hardly needs saying, but is still difficult to reconcile with the reasoning in the BA and Marriott penalty notices and their ultimate fines. The ICO’s draft statutory guidance is welcome in casting some further light on the penalty setting process but further clarification of this approach, in particular as to how turnover will be weighed in the balance in the light of the BA and Marriott cases, is still required. Businesses have not yet been given the foreseeability that they are entitled to expect when faced with the possibility of fines running into hundreds of millions of pounds. As the Commissioner has said, turnover is always going to be a relevant factor in setting penalties but, after being downplayed in the BA and Marriott penalties, the fear must be that it is now being given undue prominence once again in the penalty setting process set out in the ICO’s latest draft guidance.
What Does The Fine Tell US About Security?
IT professionals will undoubtedly find the ICO’s take on the shortcomings in BA and Marriott’s security practices to be informative. The penalty notices include a welcome and detailed analysis of these shortcomings, albeit that some elements have been redacted so as not to further compromise security. Businesses will be well advised to ensure that their own systems do not suffer from similar deficiencies. The ICO is unlikely to have much sympathy for others that now fall into the same or similar traps, particularly if they are large, well-resourced organisations. Apart from the detailed lessons, one overriding messages stands out -that the ICO continues to expect high standards of security surrounding personal data and will punish those that fail to live up to their obligations. In particular, the ICO has no time for what it sees as large, well-resourced and technically savvy businesses that may:
- have ineffective access controls,
- fail to deploy encryption to protect higher risk personal data,
- do not have in place measures to detect unauthorised penetration or use of their systems,
- neglect to keep their security measures and underlying systems up to date,
- do not deploy sufficient testing.
The ICO may take account of financial means and economic impact when it comes to setting the level of any penalty but that does not mean that it will accept financial hardship as an excuse for failing to properly apply security measures such as the above.
There are a couple of other messages that are worth drawing out. These are that:
- Businesses must be assiduous in not collecting or retaining excessive or out of date personal data. In the BA case the attacker was able to access log files containing payment card details (including, in most cases CVV numbers). The logging and storing of these card details (in plain text) was not an intended design feature of BA’s systems and was not required for any particular business purpose.
- Businesses must not just apply due diligence to security arrangements when involved in mergers and acquisitions but must also follow up effectively on any shortcomings identified in such due diligence. When Marriott acquired Starwood there may have been limits to the due diligence that Marriott was able to carry out prior to the acquisition taking place but following acquisition Marriott failed to identify and address any shortcomings in what the ICO considered would have been a timely manner.
What Else Might We Learn?
It appears that the extent to which the ICO is prepared to reduce fines as a result of financial hardship, including that arising from the Coronavirus pandemic, is relatively modest. In its updated regulatory approach in response to the pandemic the ICO says that, “…before issuing fines we will consider the economic impact and affordability. In current circumstances, this is likely to continue to mean that the level of fines will be reduced.” It hard to imagine that there are many businesses more severely hit by the pandemic than BA and yet the ICO only reduced BA’s fine from £24 million to £20 million as a result. Marriott will also have been severely hit by the pandemic, even if to a lesser extent than BA, but similarly was only given a reduction of £4 million, in their case taking the fine down from £22.4 million to £18.4 million.
It is also notable that the ICO’s penalties make no allowance for the potential costs of litigation by data subjects. Both BA and Marriott are reported as facing group actions for compensation on behalf of individuals adversely affected by their data breaches. If successful both BA and Marriott face having to pay out substantial sums in compensation on top of their ICO fines. Even if unsuccessful they are likely to face substantial legal costs. Many might have expected the ICO to take these potential costs into account in setting its fines but arguably it would have been difficult for the ICO to do so. The ICO would not know whether these actions are likely to be successful and it could be some years before the eventual outcomes are known. It would be unreasonable and arguably counterproductive to expect the ICO to hang on before imposing its fines, particularly given that the BA and Marriott penalties had already been delayed by more than a year. The message must be that whilst the proactive and voluntary payment of compensation to affected individuals may gain the data controller some modest credit as a mitigating factor the fact that it is facing legal claims for compensation will carry little, if any, weight with the ICO.
Finally, these cases make clear that it can be worth challenging the ICO. BA has saved more than £160 million and Marriott more than £80 million by doing so. No doubt there will be substantial legal fees to be deducted from these savings but the message is clear that if you think that the ICO is on shaky legal ground in imposing a fine or that the level of the fine is disproportionately high it is worth challenging them. We are in very different times now than in the pre-GDPR days when the maximum fine was set at £½ million. In those days, not all businesses would necessarily have agreed that the fines imposed were justified or fair but, by and large, those businesses paid up, particularly given the availability of a 20% early payment discount, which appears not to have been offered to either BA or Marriott. The businesses simply calculated that, apart from making representations on receipt of their notice of intent, the legal costs and risks of adverse attention meant it was preferable to pay up rather than appeal against the ICO’s decision. The calculations may though be very different now. It remains to be seen whether BA and Marriott will appeal against their fines. Nevertheless it will be interesting to see what the Tribunal makes of the ICO’s approach to GDPR fines when a case eventually comes before it, whether this be from BA, Marriott, Ticketmaster or from some other business that might be in line for a multi-million pound penalty.