Lessons learned from BA, Marriott and Ticketmaster fines

Kolvin Stone (partner)
Ben Nolan

The Information Commissioner’s Office (ICO) recently fined British Airways (BA), Marriott International (Marriott) and Ticketmaster £20 million, £18.4 million and £1.25 million respectively for failures to keep their customers’ personal data secure. These companies suffered separate data breaches in 2018 which resulted in a large number of their customers having their personal data, including credit card details, compromised.

Whilst all these fines are significant (a record fine in the case of BA), what is interesting is the huge change of approach by the ICO, which had originally issued notices of intention (“NOIs”) to fine BA an incredible £183.4 million and Marriott £99.2 million back in July 2019. The NOI to fine Ticketmaster was for £1.5 million.

Clearly, something has changed.  But what is it?

Why were the fines reduced by so much?

The most significant reason for the reduction in the level of the fines issued against the companies appears to be that the ICO used a fresh methodology to calculate the fines.

For the BA and Marriott NOIs, the ICO had relied on a methodology set out in an unpublished, internal document. This provided that turnover should be the key consideration for the ICO when setting fines under the GDPR. However, BA argued that reliance upon this was unlawful and, ultimately, the ICO decided to depart from this methodology entirely when calculating the fines issued against BA and Marriott. It did not use this methodology for Ticketmaster, hence there was only a small reduction from £1.5 million to £1.25 million.

Instead, the ICO calculated the fines in line with its Regulatory Action Policy (“RAP”). The RAP sets out a five-step process that the ICO must follow when issuing fines. Steps 1 to 4 deal with factors which add to the level of the fine (including, amongst other matters, whether the infringing party obtained any financial gain from its actions and the severity of the infringement). Taking into account these factors alone, the ICO deemed that BA’s breach of the GDPR would warrant a fine of £30 million, Marriott’s would warrant a fine of £28 million and Ticketmaster’s £1.5 million.

However, step 5 of the process requires the ICO to take into account any mitigating factors (a list of which is set out in the RAP), which should result in the fine being reduced.

A number of overlapping mitigating factors were considered to be present in the case of both the BA and Marriott breaches. These mitigating factors included:

  • both companies implemented immediate measures to minimise and mitigate the effects of the attacks;
  • both companies cooperated fully with the ICO as part of its investigations into the incidents;
  • the broad press coverage relating to the cyber-attacks likely raised awareness with other companies as to the risks involved with cyber-attacks; and
  • both companies suffered significant reputational loss as a result of the cyber-attacks.

Taking into account all mitigating circumstances, the ICO determined that each company should have their fine reduced by 20% (representing a £6 million reduction in the case of BA and a £5.6 million reduction in the case of Marriott).

Finally, the ICO took account of the impact of Covid-19 on the companies. In the case of both BA and Marriott, this resulted in the fine being reduced by a sum of £4 million. In the case of Ticketmaster this was £250,000.

This is a relatively small amount considering how hard these companies have been hit by the pandemic and suggests that companies should not expect too much leniency for infringements during this time.

Other key take-aways

In addition to the above, a number of other conclusions can be drawn from the enforcement notices. We have set out a summary of these below:

  1. Importance of security frameworks – the ICO found that the companies should have had in place various security measures (such as multi-factor authentication and encryption) which would have either prevented the cyber-security incidents from occurring or at least mitigated their effects. In reaching these conclusions, the ICO referred to guidance from various IT security institutes and bodies, including the National Cyber Security Centre, OWASP and NIST. As a result, it appears that all companies should have regard to well-known security frameworks when assessing and implementing their security controls.
  2. Intent not required for heavy sanctions – both BA and Marriott argued that it was unfair for them to be heavily sanctioned for the cyber-security incidents given that they themselves were victims of the cyber-attacks and not the perpetrators. However, the ICO found that, given their size and sophistication, the companies were negligent in failing to implement proper security measures and therefore the breaches fell within the bracket of the most severe type of infringement under the ICO’s RAP. This is in line with the wording of Art. 83 GDPR, which allows supervisory authorities to take into account the “negligent character of the infringement” when issuing fines.
  3. Act fast and cooperate in the event of a breach – both BA and Marriott had their fines significantly reduced in part due to their speedy action to mitigate the effects of the breach and their cooperation with the ICO. By contrast, Ticketmaster’s slowness to respond was treated as an aggravating factor. It is clear that cooperating with the ICO in the event of a breach will be received positively.
  4. Compliance with principles is essential – the companies were all found by the ICO to have violated the principle of integrity and confidentiality under Art. 5(1)(f), as well as the security obligations set out under Art. 32 GDPR. Violation of the GDPR’s principles attracts the highest levels of fines and therefore compliance with these should be considered a priority for all organisations caught by the GDPR.

The latest Ticketmaster fine highlights that the ICO has honed its regulatory enforcement approach, and we are unlikely to see reductions in fines as massive as those in the cases of BA and Marriott. It also establishes a marker for the future in that we are more likely to see fines in the single and tens of millions instead of hundreds of millions.

If you have any questions about these issues in relation to your own organisation, please contact a member of the team or speak with your usual Fox Williams contact.

New – Standard Contractual Clauses!

Nigel Miller

Background

Standard Contractual Clauses (SCCs) are the most commonly used mechanism to authorise transfers of personal data from the EEA. The attraction is that they are relatively straightforward and cost-effective to implement. The problem is that the current versions are hopelessly out of date and, given that they are often simply signed and “left in the drawer”, don’t really do a convincing job in terms of protecting personal data.

It was always the intention to update them to reflect the GDPR. However, two years on from GDPR go-live in May 2018, the old versions of SCCs are still very much in use in the absence of alternative solutions. Then, in July 2020, along came the decision of the European Court of Justice (“ECJ”) in Schrems II which shook up the world of international data transfers.

Schrems II

The Schrems II decision has two main consequences. First, the ECJ found that the EU-US Privacy Shield – like its predecessor, the Safe Harbor – is invalid as a transfer mechanism. Second, although the validity of SCCs was upheld, the ECJ stressed that simply signing off the SCCs will not always be sufficient. The ECJ said that the parties to the SCCs need to:

  • carry out a transfer impact assessment as to whether there is adequate protection for data in the country concerned; and
  • if necessary, implement “supplementary measures” to ensure that individuals have equivalent protections in respect of their data as afforded under EU law.

On 11 November 2020 the European Data Protection Board (“EDPB”) issued for consultation its much awaited guidance on these issues. This sets out the steps data exporters must take to determine if they need to put in place supplementary measures to be able to transfer data outside the EEA, and provides examples of measures that can be used. For our article on this, please see here

New SCCs

And then, barely noticed, the next day the European Commission published its proposals for the new SCCs. There is a relatively short consultation period on the proposed new SCCs, expiring on 10 December 2020. Once the proposed new SCCs are approved, probably before the end of the year, we’ll have 12 months in which to replace all existing SCCs with the new ones. And this is far from a form-filling or box-ticking exercise.

We’ve taken a look at the proposed new SCCs and find some interesting developments:

  • The SCCs adopt a modular approach to cater for various transfer scenarios. They can be used for transfers from (i) controllers to other controllers, (ii) controllers to processors, (iii) processors to sub-processors and (iv) processors to controllers. This is helpful as the current SCCs do not cope with categories (iii) or (iv) which is problematic.
  • While the current SCCs can only be used by EU based controllers, the new SCCs can also be used by parties who are outside the EU who may be subject to the GDPR by virtue of its extraterritorial reach.
  • They allow for more than two parties to sign up to the SCCs, which can be useful (for example) for intra-group transfers.
  • They also allow for additional parties to accede to the clauses from time to time as exporters or importers.  For example, onward transfers by the importer to a recipient in another third country can be allowed if the recipient accedes to the SCCs.
  • Data subjects must be able to enforce the SCCs as a third party beneficiary. As such the SCCs must be governed by a law that allows for third party beneficiary rights.
  • For transparency purposes, data subjects should be provided with a copy of the SCCs and should be informed of any change of the identity of any third party to which the personal data is disclosed.
  • In respect of transfers by a controller to a processor, or by a processor to a sub-processor, the SCCs comply with the data processing requirements of the GDPR so that it will no longer be necessary to supplement the SCCs with data processing clauses.
  • The SCCs support EU processors by allowing for the transfer by an EU processor to a controller in a third country, reflecting the limited self-standing obligations of processors under the GDPR.
  • The SCCs have also been written with Schrems II in mind and provide for certain specific safeguards. The exporter must warrant that it has used reasonable efforts to determine that the importer is able to satisfy its obligations under the clauses and must document its transfer impact assessment. In the event that, for example, the importer is subject to a legal requirement to disclose data to a government or law enforcement agency, the importer must notify the exporter and, where possible, challenge the request. The data exporter may be required to suspend the data transfers if it considers that no appropriate safeguards can be ensured.

What about Brexit?

The new SCCs may become effective just around the time the transition period expires and the UK fully leaves the EU. So, what will be the position so far as the UK is concerned?

First, the UK Government is seeking an “adequacy decision” from the European Commission as part of the Brexit deal. If there is no deal, or no adequacy decision or other transitional arrangement, in place by 31 December 2020, then the UK will become a third country and data transfers from the EU to the UK will need to comply with EU GDPR transfer restrictions. In this scenario, SCCs will be required for transfers from the EU to the UK. The new SCCs will be particularly helpful as they can be used to cover transfers by EEA-based processors to UK controllers or sub-processors, something which is not possible under the current SCCs.

As regards transfers from the UK, UK rules will mirror the current GDPR rules. The UK government has confirmed that, when the transition period ends, transfers from the UK to the EEA will not be restricted.

The rules on transfers to countries outside the EEA will remain similar to the current GDPR rules. Although the UK will make its own adequacy decisions after the end of the transition period, the UK government has confirmed that it intends to recognise existing EU adequacy decisions and the EU approved SCCs.

Next steps

Organisations now have a year to review all international transfers. Where necessary this will involve conducting transfer impact assessments, implementing the new SCCs in place of the current ones, adopting supplemental measures, putting in place flow-down terms where there are onward data transfers and providing enhanced transparency to data subjects. Certain data transfers may need to be discontinued or restructured. It’s going to be a busy 2021!

New guidance for international transfers post-Schrems II

Ben Nolan

In July this year, the European Court of Justice (“ECJ”) thoroughly shook up the international data transfer regime when handing down its decision in the Schrems II case. In that case, the ECJ invalidated the Privacy Shield as a transfer mechanism. However, perhaps even more significantly, the ECJ upheld the validity of standard contractual clauses (“SCCs”) but only with major conditions attached, with the court effectively ruling that:

  • organisations seeking to rely on SCCs must carry out a transfer impact assessment to determine whether the SCCs guarantee an equivalent level of protection for the transferred data as applies under GDPR; and
  • if implementation of SCCs alone would not guarantee an equivalent level of protection, then “supplementary measures” need to be put in place to ensure such a level of protection.

Since the ruling, organisations transferring personal data on the basis of SCCs have been left somewhat in the dark about how exactly to conduct transfer impact assessments and what any “supplementary measures” may look like.

However, the European Data Protection Board (“EDPB”) has now issued its much awaited guidance on these issues (“EDPB Guidance”) (available here), which we discuss below.

EDPB Guidance

Transfer impact assessments

Transfer impact assessments essentially amount to a review of the laws and practices of the country where the recipient of the data is based to determine whether these would prevent the SCCs from ensuring an equivalent level of protection for the transferred data to that provided in the EU. The EDPB Guidance provides that these should be conducted by the transferring entity in conjunction with the entity receiving the data.

Laws which the EDPB Guidance suggests should present major red flags for organisations seeking to transfer personal data to third countries include those which impose requirements on organisations to disclose personal data to public authorities or which grant public authorities powers of access to personal data.

To help organisations assess whether the surveillance laws in place in the country of the recipient of the data are compatible with EU laws, the EDPB has published separate guidance on the European Essential Guarantees for surveillance measures (accessible here). The key criteria to be taken into account are as follows:

  • Processing should be based on clear, precise and accessible rules.
  • Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated.
  • An independent oversight mechanism should exist.
  • Effective remedies need to be available to the individual.

Separately, the EDPB Guidance also stresses that transfer impact assessments should be objective in nature rather than subjective, meaning organisations should not give weight to factors such as the likelihood of the transferred personal data being accessed by surveillance authorities and handled inappropriately. This is interesting as it contrasts with a white paper published by the US government in September in response to the Schrems II ruling. In that paper, the US government attempted to appease concerns in relation to data transfers to the US by stating that US intelligence authorities are not interested in the vast majority of data transferred from Europe to the US despite them often having the power to access that data.

Supplementary measures

If, following a transfer impact assessment, it is clear that the SCCs alone would not ensure an equivalent level of protection for the transferred personal data, supplementary measures must be implemented to protect against the risks identified. The EDPB Guidance provides for three types of supplementary measures which can be taken: technical measures; contractual measures; and organisational measures. The exact supplementary measures to be implemented should be decided on a case-by-case basis depending on the specific issues raised by the transfer impact assessment.

The EDPB Guidance contains a handful of examples of supplementary measures in the context of specific scenarios which are set out in Annex 2 of the guidance. These include:

  • Technical measure: use of “strong encryption” using state-of-the-art techniques whereby only the organisation transferring the data (or an entity entrusted with this task in the UK / EEA) holds the key to decrypt the data.
  • Contractual measure: inclusion of a contractual provision committing the transferring entity and receiving entity to assist individuals in exercising their rights in the third country through redress mechanisms and legal counselling.
  • Organisational measure: adopting internal policies with clear allocation of responsibilities for data transfers, reporting channels and standard operating procedures for cases of covert or official requests from public authorities to access transferred data.

For transfers to countries with broad surveillance laws, the EDPB Guidance suggests that only technical measures can ensure an equivalent level of protection for the transferred data; contractual or organisational measures on their own will not be sufficient.

Whilst the EDPB Guidance is helpful to a point, the EDPB is forthright in making it known that implementation of supplementary measures will not always be enough to ensure an equivalent level of protection for transferred personal data. The EDPB gives the following two examples of when supplementary measures will not be effective:

  • Transfers to cloud services providers or other processors based in countries with broad surveillance laws which require access to data in an unencrypted form.
  • Remote access to data for business purposes by an organisation in a country with broad surveillance laws.

This will no doubt frustrate many companies which regularly carry out these transfers and which will now need to consider alternative approaches in relation to these going forward.

Practical steps for organisations

In light of the EDPB Guidance, organisations transferring personal data outside the EU or UK will need to:

  1. Review all existing international transfers they make. The EDPB Guidance applies in respect of new and existing transfers.
  2. Consider the basis upon which transfers are made. If transferring to a third country which is not subject to an adequacy decision, conduct a transfer impact assessment to verify whether the transferred personal data would benefit from an equivalent level of protection on the basis of SCCs alone.
  3. If the transferred personal data does not benefit from an equivalent level of protection, consider what technical, contractual or organisational measures could be applied to the transfer to ensure an equivalent level of protection and, if applicable, implement such measures.
  4. If it appears that no supplementary measures are available, consider whether it is possible to transfer the data on the basis of a derogation under Art. 49.
  5. If Art. 49 does not apply, consider what alternative approaches are available (for example, pursuing a data localisation strategy or using a service provider based in a third country whose laws would not prevent the effectiveness of the SCCs).

If you require any assistance with carrying out the above steps in relation to your organisation, please contact a member of the team or speak with your usual Fox Williams contact.


Fashion retailer H&M hit with €35m fine

As a result of the monitoring of several hundred employees at their service centre in Nuremberg, the Hamburg Data Protection Commissioner has issued an eye-watering fine of €35.25m against H&M. This is the second largest fine under the GDPR to date.

Since 2014, employees of H&M had been subject to extensive recording of data relating to their private lives including sensitive personal data (special category data). For example, after vacation and sick leave – even short absences – the team leaders conducted a so-called “welcome back talk”. After these talks, details were recorded including not only the employees’ vacation experiences, but also symptoms of illness and diagnoses. In addition, supervisors acquired a broad knowledge of their employees’ private lives through casual conversations, ranging from harmless details to family problems and religious beliefs. Some of the findings were then recorded, digitally stored and accessible by up to 50 managers throughout the company.

The data collected in this way was used, among other things, to profile the employees and to support employment decisions.

The practice came to light following a data breach in October 2019 when, as a result of a configuration error, the data became accessible company-wide for several hours.

Aside from the fine, to show its contrition, H&M has expressly apologized to the affected employees and has also agreed to pay compensation. Other measures which H&M has agreed to take include the appointment of a data protection coordinator, monthly data protection status updates and enhanced whistle-blower protection.

Comment:

The case serves as a reminder that the GDPR applies equally to HR data as it does to consumer / customer data. In fact, given that HR data routinely involves processing of higher risk “special category” data, such as sickness records and details of employee personal issues, great care is needed in relation to the collection and storage of such data.

Aside from the data security breach, H&M would seem to have breached several of the data protection principles: for example, data minimisation (only collecting data that is relevant and limited to the purpose for which it is collected), purpose limitation (collecting data only for legitimate purposes) and processing data fairly and in a transparent manner, making sure that employees are aware of the data which you are collecting and storing.

If your GDPR compliance programme did not focus on HR data with at least the same rigour as other data, or needs a refresh, there are 35m reasons why now would be a good time.

European Court issues major blow to transfer of personal data between EU and US

The European Court has today given its judgment which will come as a major blow to many businesses both in Europe and the US (particularly tech companies) which rely upon the Privacy Shield to transfer personal data to the US.

The judgment is concerned with the transfer of personal data by Facebook Ireland to its parent company in the US. Earlier this year we commented on the pre-judgment opinion of the Advocate General (“AG”) (here) which focused on the Controller to Processor Standard Contractual Clauses (“C2P SCCs”) and the fact that the AG had opined that the validity of these clauses should be upheld.

Whilst the European Court has now confirmed the validity of the C2P SCCs, it has unexpectedly found the EU-US Privacy Shield to be invalid.

Take home points

  1. Businesses which are currently relying on the Privacy Shield to transfer personal data to the US will need to rapidly review their data transfer practices and put in place alternative measures to allow for the data to continue to be transferred lawfully. The most suitable mechanism will most likely be for the organisation transferring the data to enter into standard contractual clauses (SCCs) with the US recipient. As an alternative, some businesses may now regard transfers to the US to be too complicated and look at options to retain the data within the EEA.
  2. Businesses which fail to put in place alternative measures will be exposed to claims for damages and fines by data protection regulators such as the Information Commissioner’s Office.

European Court Decision

In finding the Privacy Shield to be invalid, the European Court took the view that:

  • the requirements of US national security, public interest and law enforcement were put before the fundamental rights of data subjects whose personal data are transferred under the framework;
  • US law provides its public authorities with far reaching surveillance powers which go beyond what is “strictly necessary” (including in respect of non-US individuals) and do not afford individuals with adequate rights to challenge the relevant authorities before the courts;
  • the Ombudsman mechanism provided for under the Privacy Shield, which is designed to provide data subjects whose data are transferred under the framework with a right of recourse, does not guarantee data subjects the same protections that they would be afforded under EU law (for example, the Ombudsman does not have the power to make decisions which are binding on the US intelligence services).

As such, the European Court decided that the Privacy Shield does not offer an adequate level of protection for data subjects whose personal data are transferred pursuant to it. This is the second time that the scheme for EU-US data transfers has been struck down, after the Safe Harbor was invalidated in 2015.

Ben Nolan (solicitor, qualified in Scotland)