2020 has been a busy year for data protection fines. We have seen some pretty seismic regulatory activity. Some of the headlines from the ICO include:
- British Airways: £20m.
- Marriott: £18.4m.
- Ticketmaster: £1.25m.
From EU regulators this month we have also had:
- Google: €100m from the French regulator, CNIL.
- Amazon: €35m from French regulator, CNIL.
What happened in BA, Marriott and Ticketmaster?
BA was the subject of a hack on its website in 2018 allowing a malicious third party to siphon personal data, including payment card details (including CVVs), of BA's customers who were using the website. The total number of affected data subjects was 429,612. Remarkably, once BA found out what was going on, it took less than 100 minutes to identify the malicious activity and block the transmission of personal data to the attacker's website. It then filed a breach notification form with the ICO 24 hours later, on 6 September 2018. To everyone's surprise, the ICO then issued a notice of intent to fine (NOI) on 4 July 2019 in which the proposed penalty value was £183.39 million. By all accounts, and by all methods of measurement, it would have been the biggest fine in data protection history. To most practitioners at the time it seemed astronomical in light of the facts which had given rise to the incident.
There followed lots of legal debate between BA and the ICO about the nature and calculation of this fine. The main focus of BA's challenge appears to have been the ICO's reliance on a document entitled "Draft Internal Procedure for Setting and Issuing Monetary Penalty Notices" (DIP).
The DIP was a secret, unpublished document. BA's challenge to its use was extremely effective and had several interesting consequences, all of which are highly pertinent to the dramatic fine reduction.
Marriott also received an NOI as a result of the hack of its newly acquired company, Starwood Group. This attack had started in 2014, prior to the acquisition by Marriott, which completed in September 2016. The due diligence exercise did not pick up on the ongoing attack and Marriott was unaware until 8 September 2018, when its supplier, Accenture, notified it of an issue. It still took Marriott until 22 November 2018 to report the matter to the ICO, which is clearly outside the 72-hour reporting window mandated by GDPR. The ICO issued Marriott with an NOI for £99.2 million, which was another stunning number, dwarfed only by the super-sized NOI that BA had been handed just one day earlier.
Finally, Ticketmaster's website was attacked in February 2018. The attack bore similarities to the BA attack: a threat actor managed to gain access to the site and exfiltrated customer personal data, contact information and payment card details (including CVVs). It took Ticketmaster four months to notify the ICO from the point at which it was arguably first alerted to an issue. During that time the problem was even spotted by tech-savvy members of the public, who contacted Ticketmaster on Twitter to highlight it.
Ticketmaster notified 9.4 million EEA customers (of which 1.5 million are in the UK) about the incident, although it is not thought that all were impacted. Still, assuming the worst case scenario, 9.4 million is clearly much lower than Marriott's breach, but significantly higher than BA's. Interestingly, the NOI that followed from the ICO, issued on 7 February 2020, was for £1.5m, significantly lower than the other two cases despite the incident seeming similar or worse than them in several respects (duration of breach, number of affected data subjects, type of personal data compromised, etc.). Quite predictably, Ticketmaster then lodged its objections with the ICO in much the same way as BA and Marriott.
Why did BA and Marriott get such big NOIs? And why did the ICO reduce them by so much?
The ICO considered all of the representations of BA, Marriott and Ticketmaster and reached the following revised amounts:
- BA: £20m (down 89.07% from NOI value and 0.16% of BA’s group’s worldwide turnover).
- Marriott: £18.4m (down 81.45% from NOI value and 0.36% of Marriott’s group’s worldwide turnover).
- Ticketmaster: £1.25m (down 16.66% from NOI value and 1.21% of worldwide turnover).
In each case the ICO held that the businesses were in breach of Articles 5(1)(f) and 32 GDPR, being the general security standard for data processing. The obvious opening question is why on earth BA and Marriott got such huge reductions. The full length version of this article explores these issues in more detail, but the primary reason appears to be that the ICO's initial calculations for BA and Marriott relied on the DIP, which was designed to help the Commissioner determine where to start when calculating penalties, and in particular to rely on the business's turnover when doing so.
Leaving aside the question of whether that approach is right or wrong (the author would challenge it as being conceptually flawed), the use of the DIP was unlawful because it was secretive and unpublished. BA and Marriott challenged its use, and the ICO conceded that the DIP would be set aside when calculating the new penalty value in the monetary penalty notices (MPNs).
However, the gaping hole in the BA and Marriott MPNs is the ICO's failure to explain why it disapplied the DIP. If the DIP was reliable as a starting point, then it surely makes at least as much sense to continue applying it, either in practice or in principle, and to defend that decision. The ICO fails to do this, instead beginning again at seemingly arbitrary starting points of £30m for BA (subsequently reduced to the value shown above) and £28m for Marriott (also reduced, see above). The ICO was not going to make the same mistake with Ticketmaster and had already stopped applying the DIP by the time it issued the Ticketmaster NOI, meaning the opening value of Ticketmaster's fine was £1.5m despite that breach being worse than BA's in many respects.
To see a more detailed discussion of the BA, Marriott and Ticketmaster decisions, see the full length article.
December brings a flurry: Google and Amazon
On 7 December 2020, the CNIL (French national supervisory authority) issued fines against Google totalling €100m. The fines were split between Google entities as follows: €60m for Google LLC and €40m for Google Ireland Ltd.
Unlike BA, Marriott and Ticketmaster, all of which relate to breaches of Articles 5(1)(f) and 32 GDPR (the security principles), the Google fine relates to a breach of cookie laws regarding Google's deployment of advertising and tracking cookies without obtaining adequate consent. The CNIL was highly critical of Google's activities, in particular its sub-par consent request banner and its unclear processing notices regarding the activity of cookies set on French citizens' browsers.
For those of you wondering if there is an element of déjà vu here, you would be right: the CNIL issued a fine of €50m to Google in January 2019 (subsequently upheld on appeal) for opaque processing practices and unclear processing notices. Having scrutinised Google's use of cookies, it identified very similar issues.
The CNIL found that by September 2020 Google had changed some of its cookie practices, but then made the apposite observation that, prior to changing its activities, Google had generated significant profits from the unlawful deployment of cookies, and this in turn justified the rather seismic numbers above, making it the largest combined data protection fine to date.
The action taken by the CNIL against Amazon Europe Core was very similar, although the penalty amount was much lower, at €35 million. This is somewhat surprising given that Amazon's activity appears to have been less compliant than Google's.
For example, Amazon failed to deploy a meaningful consent banner at all, instead relying on the (now very dangerous) wording which still litters many UK company websites:
“By using this website, you accept our use of cookies allowing to offer and improve our services. Read More.”
This wording singularly fails to give users any opportunity to opt out of cookies, especially those that track usage or are deployed for ad personalisation; it treats merely visiting the site as consent, and the cookies are already set by the time the notice is read.
The CNIL went on to say that “no matter what path the users used to visit the website, they were either insufficiently informed or never informed of the fact that cookies were placed on their computer”.
It remains to be seen whether Google or Amazon will appeal these decisions, but they serve as a very useful reminder of the increasing attention that cookie compliance receives from regulators.