The ICO Springs To Life: Penalty Notices and British Airways

23 November 2020 

Autumn 2020 has been a busy period on the enforcement front for the Information Commissioner’s Office (ICO), who appear to have awoken from a long slumber to suddenly start using their powers to fine UK businesses for data protection breaches. Prior to October 2020, there had only been one fine by the ICO under the powers granted to it under the GDPR and UK Data Protection Act 2018, a £275k penalty issued in December 2019 for a company failing to take appropriate security and disposal measures when handling identifiable medical records.

There had been rumblings of more to come, however – way back in the pre-pandemic world of July 2019, it was revealed that the Information Commissioner’s Office (ICO) had issued a Notice of Intent to fine British Airways £183.39m for a cybersecurity incident that took place during 2018, affecting the personal and financial information of around 400,000 customers. At the time, there were numerous headlines about the level of the “fine” and how it was a real gamechanger in terms of data protection enforcement. Many of these headlines and articles failed to distinguish that this was not yet a fine at all, but merely a Notice of Intent, which was just the beginning of a process allowing for British Airways to make further representations.

This was followed shortly after by a Notice of Intent to fine Marriott International £99.2m for another cybersecurity incident affecting millions of hotel guests’ personal data. There followed months of public silence from the ICO, during which the world (well, the data protection world, at least) waited eagerly to see how the process would play out and what the confirmed level of those fines would be (if they came to fruition at all).  

Fast forward to October 2020 and the ICO finally confirmed that the actual level of the fine to be levied against British Airways was £20m. Still a significant amount of money, but nowhere near the level set out in the Notice of Intent. And two weeks later, the Marriott fine was confirmed to be £18.4m. The ICO was initially meant to confirm the level of these fines in late 2019, but extensions were granted while discussions were clearly ongoing between the ICO and the two offenders’ legal teams. So why the huge reduction?

The British Airways Penalty Notice (the final judgment of the ICO examining the circumstances of the data breach and setting out the reasons for the fine) itself runs to 114 pages and contains a huge level of technical detail about the incident itself, and also descriptions of the various procedural issues involved. Without going into great detail about the incident itself, some of the causes were issues well known within the information security world and should have been avoidable. The Marriott Penalty Notice was a concise 91 pages in comparison, and explored the issues that originated from Marriott acquiring the Starwood hotel group in 2016 and the security of the Starwood IT systems Marriott inherited, but failed to address.

So, why the huge discrepancy between the figures in the Notices of Intent, and the final Penalty Notices? Some of the legal arguments put forward on behalf of British Airways and Marriott suggested there were some erroneous procedural issues in the way the ICO approached the enforcement, and how they decided upon the level of the initial “fine”. This included the ICO’s initial reliance on a draft internal document for “Setting and Issuing Monetary Penalties”. This document appeared to rely heavily on an assessment of an organisation’s turnover as key factor in assessing the level of fine, rather than the facts of the incident itself and its actual consequences. The ICO then abandoned their reliance on this document. The ICO’s stated position is that the fine reduction was due to further submissions on behalf of British Airways and Marriott following the Notices of Intent and not related to the draft document, but it is difficult to see that there was not a flaw of some sort in the initial calculation for a climbdown of this scale.

It is interesting to look at how the final amounts of the two fines were arrived at. In relation to British Airways, the initial “new” level of fine was £30m but, due to the various mitigating actions taken by British Airways, this was reduced to £24m. The ICO then considered the impact of Covid-19 on British Airways’ financial position and applied a further £4m reduction to give the final figure of £20m. Similar reductions were applied to Marriott’s fine, reducing an initial figure of £28m to the final figure of £18.4m. So, while some surmised the reason for the reduction was the pandemic, in reality, COVID-19 only accounted for around a £4m reduction of each total. Both organisations can appeal the Penalty Notices, and it remains to be seen if they will do so –  and, if so, whether any further reduction in the fines will be achieved

ICO also begins enforcement action against data-broker Experian

In between the British Airways and Marriott announcements, the ICO also took enforcement action against Experian, not for security issues but in relation to the transparency and lawfulness of their use of personal data. This followed the ICO’s lengthy investigations into the “data broking” sector, where personal data is bought or shared primarily for commercial gain, usually without the individuals concerned being aware it is happening. A primary issue was the use of personal data that had been collected for credit reference purposes, but was then additionally being used as part of Experian’s marketing services. Experian used (without informing the individuals concerned) the personal data to create individual profiles of named people, something which is of great value to businesses, political parties and charities. Two other credit reference agencies (Equifax and TransUnion) were also scrutinised during the investigation, but were deemed to have made sufficient changes to their use of personal data to avoid enforcement action.

This case is interesting as it shows the ICO is moving away from the focus on IT security issues and towards the basic principles of how people are informed about how their personal data is used, and whether any particular use of personal data is lawful. Transparency of data processing – individual data subject having knowledge that their personal data is being collected and used – is vital and goes beyond just having a legally sound privacy policy in place – privacy information should be provided in real time, be accessible and easy to understand, not hidden in an overly legal document someone has to click through to access or otherwise find. There was also an over-reliance in the data-broking industry on the “legitimate interests” lawful basis for data processing – this basis had been applied by the three companies in a less-than-objective manner that did not properly account for the risks posed to the individual data subjects.

Notably the ICO have not issued a Monetary Penalty Notice to Experian, but have instead used their other powers to require Experian to make changes to its collection and use of personal data within a specified period. While fines grab the headlines, the ICO’s other powers can be far more effective in actually protecting individuals’ rights in relation to their information. The ICO also has powers to impose a ban on certain activities, order an organisation to correct or delete personal data and suspend certain international transfers (particularly relevant following the Schrems 2 ruling over the summer).

The behemoth awakens?

Finally, if we add into the mix a recent £1.25m fine for Ticketmaster for a security breach that occurred via a website chatbot, and which affected up to 9 million customers’ payment card information, it looks as though the ICO may finally be emerging from its shell – indeed, one might say it’s about time, especially when looking across to other European regulators who have been far more active since the coming into force of the GDPR in 2018. So now may be a good time to review your data protection and information security measures to check they are fit for purpose – 2021 is likely to be challenging enough with having to worry about an ICO investigation into your data processing activities.

 

Other Insights