Marriott and BA's Reduced Privacy Fines: GDPR Realpolitik
Final Fines Set Precedent, Avoid Court Cases, Likely Reflect EU Penalty Benchmarks
As demonstrated by large, recently levied privacy fines against the likes of British Airways, H&M and Marriott, the EU's General Data Protection Regulation is growing up. Relatively large penalties - compared to the pre-GDPR era - are a regulatory reminder of companies' responsibility to safeguard Europeans' personal information.
The GDPR privacy law came into full force on May 25, 2018, and requires organizations that process people's private data to follow a raft of new rules. They include not just ensuring that sensitive data is properly protected, but also giving individuals on-demand access to data that organizations store on them, and potentially having to employ a data protection officer.
In addition, GDPR instituted tough new breach-notification rules, oftentimes requiring organizations that learn they've been breached to inform relevant authorities, including their national data protection authority, within 72 hours. Failure to comply exposes organizations to fines of up to 4% of their annual global revenue or €20 million ($23.3 million) - whichever is greater - and potentially to having their ability to process people's personal data revoked.
GDPR's maximum penalties are a substantial increase compared to previous privacy laws - for example, in Britain, where the maximum penalty had been £500,000 ($650,000).
But one frequently heard question since GDPR came into effect has been: How will penalties work in practice?
BA and Marriott Fines Set Precedent
Two years later, the answer to that question is becoming clearer. In the U.K., the Information Commissioner's Office has recently finalized its two largest GDPR fines to date, involving:
- British Airways: A 2018 data breach exposed the personal information for about 430,000 customers, with 244,000 possibly having their names, addresses, payment card numbers and CVVs compromised.
- Marriott: A four-year breach of Starwood's customer database began in 2014, continued even after Marriott acquired Starwood in 2016, and wasn't discovered until 2018. The breach exposed personal information for approximately 339 million customers worldwide.
In July 2019, the ICO issued notices of intent to fine BA £184 million ($238 million) and Marriott £99.2 million ($128.2 million). While steep, these proposed fines were nowhere near the maximum possible. With $20.8 billion in 2018 revenue, for example, Marriott faced a maximum possible fine of nearly $840 million.
The final fines announced by the ICO are still record-setting for the U.K. But they are also much lower than what was initially proposed - down to £20 million ($26 million) for BA and £18.4 million ($23.8 million) for Marriott.
'The Fine Reductions Have Been Significant'
What accounts for the radical reduction between the initially proposed and final fines?
"The fine reductions have been significant, however, it is important to remember that these were only 'notices of intent' initially and that both were made public by the companies concerned, and not by the ICO," Jonathan Armstrong, a partner at London-based Cordery, tells me.
Marriott, for example, first disclosed the ICO's notice of intent to fine in a filing to the U.S. Securities and Exchange Commission, at the beginning of its lengthy negotiation process with the ICO.
Both businesses responded in detail to the ICO as its investigation continued, and the regulator says each one not only assisted, but has since substantially overhauled its security programs and practices.
For BA, the ICO said that the dire economic conditions facing the airline industry had been a major factor in its reducing the fine.
For Marriott, the ICO says that the lower final fine more closely reflects its evolving Regulatory Action Policy, currently under review, which states that "before issuing fines we take into account economic impact and affordability."
While admitting no liability, Marriott has also agreed to not contest the final fine. That means the ICO "avoided a costly and possibly lengthy appeal process," Armstrong says.
The final BA and Marriott fines are also more in line with what DPAs in other European countries have been levying.
"The new fine levels have likely also been benchmarked against similar fines across the EU," Armstrong says. "The amounts in the original notices of intent would have been GDPR's largest fines by a considerable margin. The new fines are probably still high by EU standards - especially compared with countries like Spain, who have been the most active in levying fines after data breaches."
Indeed, last month Spain fined nine different organizations for violating GDPR, with the fines ranging from €3,000 ($3,500) against legal services firm Avata Hispania up to €60,000 ($70,300) against mobile network operator Lycamobile.
The biggest GDPR fine to date has been against Google, which France's privacy regulator CNIL last year hit with a penalty of €50 million ($59 million) for failing to clearly and transparently inform users about how it handles their personal data, and for failing to properly obtain their consent for personalized ads.
The second largest GDPR fine came to pass last month, when privacy regulators in Germany slammed clothing retailer H&M with a €35.2 million ($41.2 million) fine for improper workplace surveillance practices.
After Final Fines: Legal Peril
Final GDPR fines, however, don't necessarily spell the end of potential legal peril for breached organizations. "Quite aside from the precise levels of fine, the notices themselves also serve up a number of key findings of fact, which could form the basis of future civil liability for both organizations and data subjects in the coming weeks and months," privacy attorneys at London-based Mishcon de Reya say in a recent blog post.
Such potential legal perils represent even more reasons for organizations to keep their privacy house in order.