Lloyd v Google class action denied: what now for data breach class actions?

Kolvin Stone
Kolvin Stone (partner)
Ben Nolan
Ben Nolan (associate)

The Supreme Court has issued its long-awaited ruling in the Lloyd v Google case, overturning the Court of Appeal’s 2019 ruling which granted permission for ‘opt-out class action’ proceedings relating to Google’s alleged breach of the (old) Data Protection Act 1998 (“DPA”) to be served on Google in the USA.

The Supreme Court ruled that the claim had no likely prospect of success, reversing the grant of permission to serve. The decision will likely be well received by businesses but disappoint privacy activists and consumer rights groups.

The case is not only important from a data protection perspective, as it clarifies the circumstances in which damages for data protection breaches under the DPA can be obtained; but also helps clarify the situations in which “opt-out” class action legal proceedings can be brought in England and Wales under the Civil Procedure Rules (CPR).

Although the decision appears to stem a potential tide of “opt-out” data breach class actions, importantly, the Supreme Court does point to other formulations of claims which would have been successful. Data controllers should, therefore, continue to be mindful of their obligations under the DPA and the General Data Protection Regulation (GDPR) to avoid unnecessary litigation risk.

Background

The facts in brief, relate to Google’s use of advertising cookies to collect data on iPhone users’ internet browsing habits between 2011 and 2012 without those individuals having any knowledge of the cookies being used.

Google subsequently sold the data collected through use of the cookies (some of which is alleged to have been sensitive in nature) to third parties for advertising purposes.

The case against Google was brought by Richard Lloyd, a well-known consumer rights activist, as a representative action under CPR 19.6 claiming damages on behalf of all four million iPhone users whose data were obtained by Google during this time.

The claim was unique; it purported to be akin to an ‘opt-out’ consumer class action (something which is not expressly provided for under English law, except in relation to certain competition claims).

Mr Lloyd sought permission from the court to serve Google outside the jurisdiction. Google responded by seeking to strike out the claim on the basis that it had no real prospect of success. The case made its way all the way to the UK Supreme Court, with Google successful at first instance and Mr Lloyd successful before the Court of Appeal.

Supreme Court decision

The Supreme Court’s decision centred around two key issues:

  1. Whether the claim could be brought as a representative action.
  2. Whether damages could be awarded to the class under the DPA for Google’s breach of the DPA.

Appropriateness of the representative action

The Supreme Court ruled that it was not acceptable for Lloyd to bring a representative action claiming damages on behalf of the class.

The only requirement for a representative action to be brought is that the representative has the same interest in bringing the claim as the persons represented. Here, the Supreme Court considered it conceivable that the class members could have the same interests as Lloyd.

However, the issue stemmed from the fact that Lloyd was seeking damages on behalf of the class members on a uniform, lowest common denominator ‘tariff’ basis (£750 per person, for loss of control of personal data).

The purpose of damages under common law is to put the individual in the same position in which they would have been if the wrong had not been committed. Similarly, section 13 of the DPA gives an individual who suffers damage “by reason of any contravention by a data controller of any of the requirements of this Act” a right to compensation from the data controller for that damage.

The extent of the harm suffered by members of the class would ultimately depend on a range of factors, such as the extent of the tracking carried out by Google in relation to each user, and the sensitivity of the information obtained by Google. This would require each class member having their claim for damages assessed on an individual basis. Lloyd had therefore failed to meet the ‘same interest’ requirement under CPR 19.6.

Damages under the DPA

Lloyd argued that the class members were entitled to compensation under the DPA on the basis that Google’s breach had resulted in them incurring a “loss of control” of their personal data.

The Supreme Court rejected Lloyd’s argument on the basis that individuals must have suffered material damage (i.e. financial loss or distress) to be entitled to compensation under section 13 of the DPA. It was not possible to construe section 13 of the DPA as providing individuals with a right to obtain compensation on the basis of a controller’s breach of the DPA alone.

Whilst certain members of the class may indeed have suffered material damage as a result of Google’s breach, entitling them to obtain compensation, the way in which the claim was structured (i.e. on a lowest common denominator basis) made it impossible for damages to be awarded under it.

Ongoing litigation risk – what now for data breach class actions?

Although the Supreme Court decision might appear to protect data controllers from litigation risk, we do not consider this to be the case. While Lloyd’s claim failed to meet the ‘same interest’ test, the court highlighted other formulations which would have satisfied the CPR 19.6 requirements.

It pointed to bifurcated or “split” proceedings, where common issues (such as the data controller’s liability) are considered first, with individual issues (such as damages suffered) being considered at a later stage/second trial.

In addition, it is important to note that the Supreme Court’s decision focussed on the DPA 1998, which has been replaced by the GDPR and Data Protection Act 2018. Article 82 of the GDPR introduced an individual’s right to seek compensation for material/non-material damage (including financial loss and distress) from organisations breaching the data protection rules.

Given that Lloyd’s claim focused on the loss of control of class members’ data (which is ‘non-material’), it may have succeeded had it (i) related to breaches of the GDPR and (ii) proceeded on a bifurcated basis.

Data controllers should, therefore, continue to be mindful of their exposure to potential consumer litigation for breaches under the amended DPA and under the GDPR.

Ultimately, the Supreme Court did not say that Google or other data controllers could not be liable for damage caused to groups of consumers; just that the particular way in which Lloyd sought to bring this particular claim could not work, because of the combination of the terms of the DPA and the CPR.

In other words, it is business as usual for data controllers, and for claimant lawyers investigating and prosecuting group actions on behalf of the victims of data privacy breaches.

The orthodox way to bring a consumer ‘class’ action for data breach – as an ‘opt-in’ group action subject to a Group Litigation Order if necessary – remains perfectly valid. While the orthodox ‘opt-in’ group action is inferior from an access to justice perspective – because of the upfront ‘book-building’ effort required for an ‘opt-in’ group action – it can still be effective, as shown by the group action case brought against British Airways which settled in July 2021.

Take home points

  1. Data controllers now have more clarity around how damages can be obtained for data protection breaches under the DPA and this will be welcomed.
  2. This does not eliminate their risk from being subject to a class action as the Supreme Court’s decision was based solely on the facts of this specific case.
  3. Despite the Supreme Court’s decision a class action still remains a fully viable way of claiming damages in relation to data protection breaches – but the focus must be on how to bring a case.

Contact us

If you have any questions about these issues in relation to your own organisation, please contact a member of the team or speak with your usual Fox Williams contact.

 

Privacy Policies – Do’s and Don’ts following WhatsApp €225m fine

Nigel Miller (partner)
Ben Nolan
Ben Nolan (associate)

At the beginning of September, WhatsApp was fined €225 million by the Irish Data Protection Commissioner (“DPC”) for a number of failings related to its compliance with the GDPR’s transparency obligations (primarily set out in Art. 13 and 14 GDPR).  The fine is the second highest handed out under the GDPR to date and the decision sheds light on some of the key issues to be taken into account when drafting and updating privacy notices.

Many of the practices for which WhatsApp was fined are relatively standard. The decision should, therefore, come as a warning shot for organisations, especially those in the online consumer technology space, to make sure that they are providing individuals with all the required information.

The DPC’s decision is extremely long winded (266 pages), so we have summarised the key “do’s” and “don’ts” for privacy notices in light of the decision below.

DO’S AND DON’TS

When providing information on the purposes for which you process personal data and the lawful bases upon which such processing is based (as required by Art. 13(1)(c) GDPR):

DO

  • Provide information to individuals around how their personal data is actually used to achieve the relevant purpose. For example, if personal data are processed “to promote safety and security”, you should explain how the data are used to achieve those purposes, rather than simply stating the overall objective.
  • Provide information regarding the categories of personal data which are processed for each purpose. Up until now, it has been relatively common for controllers to simply set out the purposes for which they process personal data and the corresponding lawful basis, without clarifying which types of personal data are required for each purpose.
  • If more than one lawful basis applies in respect of a specific purpose for which you process personal data, clearly specify the circumstances when each basis will apply (for example, if you rely on both consent and also legitimate interests to send marketing communications, you should explain when each of these will apply).
  • Where processing is carried out on the basis of Art. 6(1)(c) GDPR (i.e. to comply with a legal obligation), you should provide information as to the types of law which require such processing to take place.

DON’T

  • Use vague wording to explain your purpose for processing the data (e.g. will readers know what you mean if you say that you use their data for the purpose of “improving their experience”?)

When providing information regarding your reliance on legitimate interests (as required by Art. 13(1)(d) GDPR):

DO

  • Be as specific as possible in setting out the relevant interest which applies which makes the processing necessary.
  • If the processing is being carried out based on the legitimate interests of a third party, you should specify the relevant third party who will benefit from the processing.

DON’T

  • Bundle together numerous interests to justify processing being carried out for one purpose.
  • Simply say you rely on legitimate interests to carry out a certain type of processing without mentioning what your interests are (this is more common than you think!).

When providing information on the third parties with which you share personal data (as required by Art. 13(1)(e) GDPR):

DO

  • If you identify the “categories of recipients” (rather than the specific third parties with whom personal information is shared), be as specific as possible when setting out such categories. For example, if your privacy policy says that you share customers’ personal information with service providers, you should provide information on the different types of service providers you share data with (e.g. IT service providers, data hosting service providers, marketing agencies etc.).
  • Identify the categories of data which are transferred to the specific third parties referred to the notice. (NB. To date, it is uncommon for controllers to provide this level of information in connection with data sharing.)
  • If you share personal data with other group members, clearly identify the specific entities with which the data is shared.

When providing information on international transfers (as required by Art. 13(1)(f) GDPR):

DO

  • If relying on an adequacy decision(s) to transfer personal data internationally, identify the specific adequacy decision(s) relied upon.
  • Identify the categories of data that are being transferred internationally. (NB. Again, providing this level of information has been uncommon in practice.)

DON’T

  • Use conditional language such as “may” when referring to reliance on a transfer mechanism (e.g. “we may transfer personal data internationally on the basis of an adequacy decision”).

When providing information on the right to withdraw consent (as required by Art. 13(2)(c) GDPR):

DO

  • Inform individuals that this does not affect the lawfulness of processing based on consent before its withdrawal (the DPC considers this necessary to “manage the data subject’s expectations” and ensure they are fully informed on the right).
  • Include the relevant information in the section of the privacy notice which discusses data subject rights, as this is the area individuals are most likely to consult for information around this.

If you have collected personal data indirectly but are exempt from providing relevant individuals with a privacy notice on the basis that this would involve “disproportionate effort”:

DO

  • Make sure that you still provide all the information required under Art. 14(1) and (2) in a privacy notice which you make publicly available – you can’t rely on this exemption if not!
  • Clearly identify in the privacy notice the parts of the document which are intended to apply in respect of individuals who have not been provided the privacy notice directly.

DON’T

  • Assume that posting your privacy notice on your website will be sufficient to satisfy the requirement that the privacy notice be made “publicly available”. In the WhatsApp decision, the DPC noted that:

“WhatsApp should give careful consideration to the location and placement of such a public notice so as to ensure that it is discovered and accessed by as wide an audience of non-users as possible. [A]…non-user is unlikely to have a reason to visit WhatsApp’s website of his/her own volition such that he/she might discover the information which he/she is entitled to receive”.

OTHER COMMENTS

Much of the DPC’s decision focused on the way in which WhatsApp presented information in its privacy notice, with WhatsApp being found to have violated Art. 12(1) GDPR (which requires controllers to provide information in a concise, transparent, intelligible and easily accessible form, using clear and plain language) in numerous instances. In this regard, the following practical tips can be drawn from the decision:

  • Avoid excessive linking to external documents in your privacy notice, particularly where these duplicate or (even worse) contradict information set out in your privacy notice or elsewhere. Readers should not have to “work hard” to get to grips with the notice.
  • Consider where in your privacy notice you are setting out information to ensure information is presented in a cohesive way and in the place that readers would expect. For example, the DPC considered that it would be logical to include information on the right to withdraw consent and the right to a complain to a data protection regulator in the “data subject rights” section of WhatsApp’s privacy notice as this is where most readers would come to find this information.
  • Avoid using vague and opaque language.

CONCLUSION

The DPC expects the information to be provided in privacy notices to be extremely granular, even more so than most organisations (and even data protection practitioners) would have expected to date, whilst still presenting the information in a concise and accessible manner. This will no doubt prove challenging for larger organisations carrying out complex processing operations, who will have to remain fully on top of their processing activities and data flows to stand a chance of providing the information expected by the DPC. The cost of compliance could be significant.

The decision is by an EU data protection regulator and relates to EU GDPR. It is not clear whether the UK ICO, which tends to be more pragmatic on data protection compliance, would take such a hard-line stance on the issues investigated by the DPC. However, it is clear that UK organisations that have a presence in the EU or are otherwise caught by the extra-territorial scope of the EU GDPR will need to update their privacy notices in line with the DPC’s decision.

 

If you have any questions about these issues in relation to your own organisation, please contact a member of the team or speak with your usual Fox Williams contact.

 

Cookies and the new ePrivacy Regulation

Nigel Miller (partner)

Why is it important?

While many people may not care too much about cookies, there are a number of reasons why they are important for website owners.

First, you cannot drop a cookie without prior consent. As a result of the changes already brought in by the GDPR since May 2018, it is no longer possible to reply on implied consent for cookies (for example, deemed consent by continuing to browse the website) as the standard for consent under the GDPR is much higher and requires a specific opt-in.

Second, the issue of cookies is high on regulator’s (the ICO) agenda. While many of us suffer from “cookie notice fatigue”, and just click through to get rid of the annoying banners, there has been an increasing number of complaints about cookies to the ICO, nearly 2,000 in the past year.

Third, the ICO is also currently investigating the Adtech sector which is largely driven by cookies. While many cookies are innocuous, others are highly privacy invasive and are involved in systematic monitoring and tracking browsing across devices, device fingerprinting and online behavioural advertising. The intrusive nature of the technology makes this a priority area for the regulators. In response to this, the hugely complex adtech industry will likely be required to adapt and provide much higher levels of transparency.

Fourth, because of the GDPR level fines; there is nothing like the eye-watering fines that can be issued under the GDPR, and have been issued in relation to cookies notably by the French regulator to Google and Amazon, to get this issue high up the corporate agenda (eg CNIL – €100m Google, €35m Amazon).

And finally, the law is developing with a new ePrivacy regulation on the horizon, which we look at below.

What is the current law?

The current law is based on the EU ePrivacy Directive of 2002. In the UK, this was implemented by the Privacy and Electronic Communications Regulations, fondly known as “PECR”.

Actually, the law does not refer to “cookies” as such; the regulation is technology neutral and covers a range of cookie-like technologies. The key point is that PECR covers any technology that can “access” or “store” data on the user device – this includes smartphones, smart TVs and other devices. It can also include technologies like tracking pixel gifs, often used to track if marketing emails have been opened which can provide valuable analytics.

The key requirement under PECR is that, where you deploy a cookie, you must:

  • provide the user with clear and comprehensive information about the purposes of the cookie; and
  • get the consent of the user.

There are a couple of exceptions to this, the most important one being that you do not need consent for cookies that are “strictly necessary” for the service requested by the user.

So, cookies that are helpful or convenient but not essential, or that are only essential for your own purposes, as opposed to the user’s, will still require consent.

For example, cookies used to authenticate a user, to remember items in a shopping cart, or to remember language or other user preferences are regarded as “strictly necessary”, but cookies for analytics purposes, and advertising cookies are non-essential and need consent.

Even where consent is not a requirement, users must still be informed of the use of cookies through means of a cookie banner and policy.

PECR v GDPR

An important thing to bear in mind is that consent for cookies is needed, whether or not the cookie data involves any “personal data”.  If it does involve personal data, such as device ID, username, browsing details etc, then that will be subject to the GDPR as well as PECR.

Under the GDPR, you need a legal basis for processing personal data. Typically, for marketing, this could be either consent or legitimate interests. However, where cookies are deployed and processing of personal data is involved, then PECR trumps the GDPR. This means that, if consent is required under PECR, then consent is also the appropriate legal basis for processing personal data under the GDPR.

There is some debate about this in the adtech sector where it is argued that, while consent is needed for the cookie, “legitimate interests” could be used as the legal basis for any subsequent processing of the data. The regulator does not agree with this, but the actual legal position is not settled.

So, what do we need to do?

The first thing to do would be to carry out a cookie audit to make sure you know exactly what cookies are in use, and the purpose and duration of each. In this audit:

  • Identify any of the cookies that are “strictly necessary”, and so don’t need consent.
  • Identify any 3rd party cookies – in the case of 3rd party cookies, such as Google analytics or affiliate networks, while it is the third party that requires the consent as it is their cookie, in practice the third party requires that the site owner gets the consent on their behalf.
  • Review the consent mechanism you have on the site to make sure it is compliant – everyone seems to do this differently, and some ways are more compliant than others.
  • Review / update your cookie policy – to make sure that it meets the transparency requirement, and importantly that it is consistent with the cookies actually in use. There is no one-size-fits all for this as the policy needs to be specific to the cookies you have implemented and the purposes of those cookies.
  • Finally, you may need to carry out a data protection impact assessment under the GDPR – if the cookies involve personal data and are used for profiling for marketing or other purposes, then you may need to carry out a DPIA. Even if this is not strictly required, it can be good practice to do so to ensure that any risks are identified and any appropriate measure implemented to mitigate those risks.

How to get consent?

The consent required under PECR follows the GDPR standard, meaning it must be freely given, specific, informed, and an unambiguous indication of the end user’s wishes through a clear affirmative action. There are a few key points to bear in mind:

  • As above, there is no need to get consent for “strictly necessary” cookies. And there is no need therefore for a pre-ticked box for these cookies.
  • Where consent is needed, do not use pre-ticked boxes; this would not be a valid consent, as consent has to be signified by a positive step such as ticking the box.
  • This is important – do not set cookies before you get the opt-in, so you may need to do some technical work on the site to make sure that this is the case.
  • Provide clear and comprehensive information. This is because, if the information is not clear and comprehensive then, as well as breaching the transparency requirement, it will undermine the consent as it will not be a “fully informed” consent.
  • Do not bundle multiple consents into one; ideally, there would granular consents for each cookie, or at least each category.
  • There should also be an “Accept All” and a “Reject All” button.
  • Provide an option for users to revisit consents that they have given.

The new ePrivacy Regulation

A new ePrivacy Regulation has been on the horizon since the GDPR came into force but has been batted back and forth in Europe since 2017 without agreement being reached.  However, the text was finally agreed in February 2021 and it is now going to the European Parliament.

The objective of the ePrivacy Regulation is to update the ePrivacy Directive – which is nearly 20 years old – and to bring it into line with GDPR.  It aligns with the substantial fines possible under the GDPR, whereas at the moment fines under PECR are limited to £0.5m. The ePrivacy Regulation also allows for individuals to bring claims which could involve class action claims.

Also, like the GDPR, the regulation provides for extraterritorial application, so it will apply to businesses outside the EU insofar as it relates to end users in the EU. However, unlike the GDPR, it does not require that EU users are specifically targeted — the extraterritorial application is triggered as soon as users in the EU are implicated regardless of whether there was an intention to direct activities at the EU market.

So far as the cookie requirement is concerned:

  • There is still a need for affirmative consent, except in a number of circumstances which are a little broader than at present, and will include cookies for the purpose of audience measuring (e.g., web analytics) and for IT security purposes.
  • The regulation also allows for consent to be given by selecting technical settings in the browser, for example by having a whitelist of sites which the user consents to dropping cookies. But browsers will need to develop to facilitate this.
  • Also, users who have given consent must be reminded every 12 months of their right to withdraw consent.

Once the ePrivacy Regulation is finalised there will be a two year transition period before it comes into force.

As regards the UK, following Brexit, the ePrivacy Regulation will not automatically extend to the UK, but the UK may amend PECR to align it to the ePrivacy Regulation, especially in so far as the Regulation is more business-friendly and provides additional exceptions to the cookie rule. Also, because of the extraterritorial application of the Regulation, it will effectively apply to all UK businesses as regards end users in the EU.

If you have any questions about these issues in relation to your own organisation, please contact a member of the team or speak with your usual Fox Williams contact.

Happy Data Privacy Day 2021!

Annually on 28 January, Data Privacy Day (or, if you prefer, Data Protection Day) is an “international effort to create awareness about the importance of respecting privacy, safeguarding data and enabling trust”.

We take the opportunity to highlight a number of key current issues with data protection.

  1. The EU / UK Trade Agreement: Three myths busted – Privacy and data protection
    Still reeling from the Brexit deal done on Christmas eve? The media (and social media in particular) are myth-ridden. Here, we consider and bust some myths related to privacy and data protection.
  2. Post-Brexit – data transfers
    As the UK and the EU reached a deal on Brexit, we provide a high level summary of the position on data transfers as from 1 January 2021.
  3. New – Standard Contractual Clauses
    Standard Contractual Clauses (SCCs) are the most commonly used mechanism to authorise transfers of personal data from the UK / EEA. We take a look at the proposed new SCCs and find some interesting developments.
  4. New guidance for international transfers post-Schrems II
    In July 2020, the European Court of Justice  thoroughly shook up the international data transfer regime when handing down its decision in the Schrems II case. We look at the European Data Protection Board guidance on handling cross-border data transfers post-Schrems.
  5. AI and data protection – uncomfortable bedfellows? 
    Artificial intelligence (AI) has been around for a long time. However, it is only fairly recently that we have seen its use spread into our daily lives. With the gradual uptake of AI, one might wonder what the GDPR has to say on the matter. We look at some of the key data protection issues.
  6. ICO resumes investigation into Adtech 
    On 22 January 2021 the ICO announced that it was resuming its investigation into the AdTech sector. The ICO’s initial views were that RTB is unlawful. It can be expected that the ICO will issue assessment notices to specific companies in the coming months.  We look at the key issues.
  7. Lessons learned from BA, Marriott and Ticketmaster fines
    The Information Commissioner’s Office (ICO) recently fined British Airways (BA), Marriott International (Marriott), Ticketmaster £20 million, £18.4 million and £1.25m respectively for failures to keep customers’ personal data secure.  We look at lessons to be learned.
  8. Covid-19 and WFH – can you monitor your employees under GDPR?
    The pandemic has resulted in a seismic shift in the number of employees working from home. A question which often arises is: can employers use technology to monitor employees work patterns? We set out some of the key data protection considerations.
  9. Six data protection steps for returning to the workplace
    As lockdown restrictions may ease in the coming weeks / months, we look at the key steps organisations need to consider in relation to the use of personal information.
  10. Do you need to register under the Data Protection Act?
    One of the most-read items on our website! Maybe it’s because it could save you from a fine up to £4,350.  While that’s not in the same league as GDPR fines generally, it’s easily avoided by making sure your ICO registration is up to date.

Contact us

If you have any questions about these issues in relation to your own organisation, please contact a member of the team or speak with your usual Fox Williams contact.

Lessons learned from BA, Marriott and Ticketmaster fines

Kolvin Stone
Kolvin Stone (partner)

Ben Nolan
Ben Nolan

The Information Commissioner’s Office (ICO) recently fined British Airways (BA), Marriott International (Marriott), Ticketmaster £20 million, £18.4 million and £1.25m respectively for failures to keep their customers’ personal data secure.  These companies suffered separate data breaches in 2018 which resulted in a large number of their customers having their personal data, including credit card details, compromised.

Whilst all these fines are significant (a record fine in the case of BA), what is interesting is the huge change of approach by the ICO which had originally issued notices of intention (“NOIs”) to fine BA an incredible £183.4 million and Marriott £99.2 million back in July 2019.  The NOI to fine for Ticketmaster was £1.5M.

Clearly, something has changed.  But what is it?

Why were the fines reduced by so much?

The most significant reason for the reduction in the level of the fines issued against the companies appears to be due to the ICO using a fresh methodology to calculate the fines.

For the BA and Marriot NOIs, the ICO had relied on a methodology set out in an unpublished, internal document. This provided that turnover should be the key consideration for the ICO when setting fines under the GDPR. However, BA argued that reliance upon this was unlawful and, ultimately, the ICO decided to depart from this methodology entirely when calculating the fines issued against BA and Marriott.  It did not use this methodology for Ticketmaster and hence there was only a small reduction from £1.5M to £1.25M.

Instead, the ICO calculated the fines in line with its Regulatory Action Policy (“RAP”). The RAP sets out a five step process that the ICO must follow when issuing fines.  Steps 1 to 4 deal with factors which add to the level of the fine (including, amongst other matters, whether the infringing party obtained any financial gain from their actions and the severity of the infringement). Taking into account these factors alone, the ICO deemed that BA’s breach of GDPR would warrant a fine of £30 million, Marriott’s would warrant a fine of £28 million and Ticketmaster £1.5 million.

However, step 5 of the process requires the ICO to take into account any mitigating factors (a list of which are set out in the RAP) which should result in the fine being reduced.

A number of overlapping mitigating factors were considered to be present in the case of both the BA and Marriott breaches. These mitigating factors included:

  • both companies implemented immediate measures to minimise and mitigate the effects of the attacks;
  • both companies cooperated fully with the ICO as part of its investigations into the incidents;
  • the broad press coverage relating to the cyber-attacks likely raised awareness with other companies as to the risks involved with cyber-attacks; and
  • both companies suffered significant reputational loss as a result of the cyber-attacks.

Taking into account all mitigating circumstances, the ICO determined that each company should have their fine reduced by 20% (representing a £6 million reduction in the case of BA and a £5.6 million reduction in the case of Marriott).

Finally, the ICO took account of the impact of Covid-19 on the companies. In the case of both BA and Marriott, this resulted in the fine being reduced by a sum of £4 million. In the case of Ticketmaster this was £250,000.

This is a relatively small amount considering how hard these companies have been hit by the pandemic and suggests that companies should not expect too much leniency for infringements during this time.

Other key take-aways

In addition to the above, a number of other conclusions can be drawn from the enforcement notices. We have set out a summary of these below:

  1. Importance of security frameworks – the ICO found that the companies should have had in place various security measures (such as multifactor authentication and encryption) which would have either prevented the cyber-security incidents from occurring or at least mitigated their effects. In reaching these conclusions, the ICO referred to guidance from various IT security institutes and bodies, including the National Cybersecurity Centre, OWASP and NIST. As a result, it appears that all companies should have regard to well-known security frameworks when assessing and implementing their security protocols.
  2. Intent not required for heavy sanctions – both BA and Marriott argued that it was unfair for them to be heavily sanctioned for the cyber-security incidents given that they themselves were victims of the cyber-attacks and not the perpetrators. However, the ICO found that, given their size and sophistication, the companies were negligent in failing to implement proper security measures and therefore the breaches fell within the bracket of the most severe type of infringement under the ICO’s RAP. This is in line with the wording in Art. 83 GDPR which allows supervisory authorities to take into account the “negligent character of the infringement” when issuing fines.
  3.  Act fast and cooperate in the event of a breach – BA and Marriot, both companies had their fines significantly reduced in part due to their speedy action to mitigate the effects of the breach and their cooperation with the ICO. However, Tickmaster’s slowness to respond was perceived to be an aggravating factor.  It is clear that cooperating with the ICO in the event of a breach will be received positively.
  4.  Compliance with principles is essential – the companies were all found by the ICO to have violated the principle of integrity and confidentiality under Art. 5(1)(f), as well as the security obligations set out under Art. 32 GDPR. Violation of the GDPR’s principles attracts the highest levels of fines and therefore compliance with these should be considered a priority for all organisations caught by the GDPR.

The latest Ticketmaster fine highlights that the ICO has honed its regulatory enforcement approach and we are unlikely to see the massive reduction in fines as in the cases of BA and Marriot.  It also establishes a marker for that future in that we are more likely to see fines in the single and tens of millions instead of hundreds of millions.

If you have any questions about these issues in relation to your own organisation, please contact a member of the team or speak with your usual Fox Williams contact.