Two big statements came out of the Information Commissioner's Office ('ICO') last week. The Commissioner stated that she has not yet but soon may issue a monetary penalty notice ('MPN'), (i.e., a fine) for a data breach, against:
British Airways ('BA') in the sum of £183,390,000. The reaction of the company was unequivocal: 'We intend to take all appropriate steps to defend the airline's position vigorously, including making any necessary appeals.' (1)
Marriott International ('Marriott') in the sum of £99,200,396. The Chief Executive Officer did not hesitate to announce: 'The company intends to respond and vigorously defend its position.' (2)
Both companies' determination to vigorously fight the ICO is not the only common theme here. As evident from the ICO's press releases, in the course of the investigations both companies co-operated with the Regulator and already made improvements to their security arrangements since the incidents came to light. Further, neither incident appears to be derived from wilful misconduct or negligence. Criminals simply hacked the IT systems of BA and Marriott. Nevertheless, seven to eight figure fines are very likely to be issued against the companies.
BA and Marriot now have 21 days to formally respond to the ICO's notices of intent, but so do a number of other 'concerned' European data protection authorities that may weigh in to the discussion. If the ICO actually issues the MPNs after it hears the parties then these would be the first eye watering GDPR fines in the UK. The penalties are likely to be appealed before the First-tier tribunal within 28 days of issue. And if that too proves dissatisfactory to the companies, they can then take the matter to the Court of Appeal.
The final amount of the fines may well be decreased in court. The ICO's track record is not flawless. The biggest fine the Regulator has issued so far (under the previous DPA 1998 regime) was against Facebook and in relation to Cambridge Analytica. This is currently under appeal. In April this year, the Commissioner formally asked Facebook to drop the appeal and let justice find its way however Facebook did not discontinue. (3) The tech giant even won a small victory on 27 June this year. Facebook convinced the First-tier tribunal that the company's counter arguments relating to procedural flaws in issuing the fine, to bias, to predetermination and to procedural irregularity have enough merit to be at least formally heard. We are yet to see the outcome of Facebook's challenge.
Nevertheless, in the end it is more likely than not that there will be at least some fines levied against Marriott and BA. These two investigations are finally making it clear that the Commissioner is keen to use her new powers under the GDPR. In the case of British Airways at least, the intended fine s equal to roughly 1.5% of the company's annual turnover. But what will happen after BA and Marriot pay? Is that the end of it? Possibly not.
Under most data processing agreements that business signed in the run up to the 25 May last year, processors are usually asked to provide controllers an indemnity in respect of any breaches of data protection law including security breaches. With companies often using external IT providers to host their systems, databases or websites, it is highly likely that BA, Marriot or any other controller, will seek to recover their losses from a data breach fine from their processors, where a processor (ie supplier or sub-contractor) has had some responsibility for the breach.
Controllers may feel entitled to pursue such losses in such circumstances, however the BA and Marriott fines were not calculated with respect to these companies' processors' annual turnovers. They were calculated on the basis of the controllers' turnover. So, whilst £183 million may be a difficult amount for BA to digest, it certainly is an amount that will bankrupt many of its suppliers. Given that the enormous fines are now starting to materialise, it is incredibly important to ensure that data processing agreements are watertight and liability is negotiated and capped to a reasonable level.
Withers tech routinely helps clients negotiate data processing and data sharing agreements between them and their customers, suppliers and partners in Europe and beyond. Our clients range from start-ups to large multinationals and in addition to the full spectrum of data protection advice we can give, we can offer the full service for all your legal needs. For more information, please contact Richard Penfold or any other member of the firm's data protection team.