The European Union (“EU”) adopted the General Data Protection Regulation (“GDPR”) with much fanfare on 25 May 2018.
The GDPR applies, not just in the (until BREXIT) 28 EU Member States but also to non-EU based organisations that:
- have an “establishment” (e.g. an office) in the EU; or
- process the personal data of individuals within the EU for the purpose of offering goods or services to them (whether or not for payment) or monitoring their behaviour, e.g. via targeted advertising, credit card transaction processing or location tracking via mobile applications or devices, etc.
Many overseas-based companies (and other organisations such as universities) may therefore be caught by the GDPR rules without being aware of it and, of course, the mere fact that such businesses are not physically located in the EU would not prevent EU data protection regulators from imposing penalties on them if they should infringe those rules.
In fact, Article 27 of the GDPR requires organisations located outside the EU that nevertheless fall within its rules in one of the two ways set out above to have a representative (which can be an external advisor such as a law firm) inside the EU to act as the contact point with local enforcement agencies and customers.
The GDPR is therefore highly relevant even for organisations not primarily based in the EU and in the lead-up to the new regulation, many had noted its provisions for very heavy fines of up to €20 million or 4% of global group turnover, whichever is higher.
Data protection, it was said, would progress from being the preserve of geeks in the IT department to a major Board issue.
This conviction was strengthened by fears on the part of many commentators about the rise of “Big Data” and its scope both for intrusion into the personal lives of individuals and manipulation of the political process, a fear seemingly confirmed by various scandals involving the use of data analytics by the leave campaign during the UK’s BREXIT referendum.
Since then, in the UK at least, it would probably have been true to say that the reality failed to live up to the hype – as the Office of the Information Commissioner (“ICO”) did not impose a major fine on any company or organisation for a breach of the GDPR in the year following its entry into force.
There may have been several reasons for this, including that the GDPR does not have retrospective effect and could only apply to infringements of data protection law taking place (or at least continuing) after 25 May 2018.
Another – somewhat embarrassing – reason may be that, as a glance at the “enforcement action taken” page of the ICO’s website will attest, many of the worst offenders are public sector bodies, such as local authorities, hospitals and the police that do not always seem to be as careful in looking after the personal data of their “customers” as one would wish them to be. In these days of austerity, it would not be surprising if the ICO were reluctant to increase the financial strain on public bodies by imposing significant fines on them.
A third reason for the apparent lack of activity may be the more admirable one that, to ensure that the legal rights of organisations to put forward a defence are respected, investigations under data protection law take time to complete so the cases being reported in the year following the introduction of the GDPR actually related to breaches committed under the previous data protection regime where the maximum fine that could be imposed was only £500,000.
However, any feeling of anti-climax must surely have been banished with the announcement by the ICO on 8 July that it intends to fine British Airways a massive £183.38 million for an alleged breach of the GDPR.
The proposed fine relates to a breach of security that came to light in September 2018 and which appears to have involved the diversion of user traffic intended for the British Airways website to a site run by fraudsters.
The hackers involved are said to have “harvested” the personal details of approximately 500,000 customers , including their name and address, travel plans and, most worryingly, credit card details. The security breach is believed to have begun in June 2018.
Although the ICO’s statement does not specifically identify the breach of the GDPR allegedly committed by British Airways, it seems likely to have involved a failure to process personal data “in a manner that ensures appropriate security of the personal data, including protection against unauthorised processing and accidental loss, destruction or damage, using appropriate technical and organisational measures” as required by Article 5(1)(f) of the GDPR.
Commenting on the case, UK Information Commissioner Elizabeth Denham said:
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
Eye-watering as the fine is, it could actually have been even worse.
As stated above, the GDPR allows for fines or up to €20 million or 4% of global group turnover, whichever is greater, so the maximum fine on BA could therefore potentially have been well over £450 million.
The proposed fine on BA amounts to “only” 1.7% of its global revenues in the relevant year, so arguably, it is being treated leniently.
This may be because it: (i) cooperated with the ICO investigation; (ii) has subsequently made improvements to its cyber security arrangements; and (iii) self-reported the breach to the ICO, as required by Article 32 of the GDPR. Had these three factors not applied, the proposed fine could well have been even larger.
It should be borne in mind that the ICO has not yet reached its final decision in this case and British Airways will have the opportunity to make representations to the ICO as to the proposed findings and sanction. The data protection authorities of other countries will also have the opportunity to make their views known.
The ICO is not alone in imposing stiff fines on companies that breach the GDPR.
For confirmation of this, one need only look across the Channel where the French data protection authority, the Commission Nationale de l’Informatique et des Libertés (“CNIL”), imposed a fine of €50 million under the GDPR on Google in January this year. That fine related to the use allegedly made by Google of user personal data for advertising purposes without adequate consents having been obtained and mirrors similar concerns that arose in the case of Facebook in 2018.
There are also reports that the Irish Data Protection Commissioner is presently conducting at least 10 investigations into Facebook (whose European Headquarters are in Dublin). Organisations should therefore continue to prioritise data protection compliance.
However, regulatory fines are not the only consequence of data protection breaches.
Customers that have suffered loss, for example through fraudulent use of leaked credit card details, have a right to sue the company responsible for damages in the Courts and the combined cost of class litigation actions on behalf of such customers can equal, or even exceed, the value of regulatory fines.
And of course, the reputational loss, as customers consider whether to entrust their precious personal details to organisations found to have fallen short in the past, can be even greater.
All in all then, compliance with data protection law must take centre stage for businesses and organisations wherever they are located and they need actively to manage their relationships with all key stakeholder groups, including regulators, staff and customers.
Whether or not an organisation is based in the EU, awareness raising among management and staff should be the starting point, but those non-EU organisations operating within the EU or engaging with EU-based customers should bear in mind the requirement to appoint a local representative in particular.
Finally, a word on BREXIT.
Some might have hoped that, since the GDPR is EU law, we can forget about it in a post-BREXIT world. Any such hopes would be misplaced – for two reasons.
First, because as we have seen, the GDPR applies to organisations, whether or not located in the EU, which process personal data related to individuals in the EU for the purposes of selling goods or services to them or monitoring their behaviour – so any organisation with customers or potential customers in the EU would need to continue to comply with the GDPR in relation to those customers.
Secondly, under section 3 of the European Union (Withdrawal) Act 2018, the GDPR will be incorporated into UK law when the UK leaves the EU, subject to some alterations introduced by the Data Protection Act 2018.
This is to ensure that, post-BREXIT, the UK will be seen by EU data protection regulators as having a compatible system of data protection law which will therefore ensure the frictionless transfer of personal data from the EU to the UK post-BREXIT – a vital consideration for business.
Accordingly, therefore, data protection compliance must remain at the top of the agenda for the foreseeable future.
Duncan Gillespie | 360 Business & Private Client Law | GDPR & Data Protection Lawyer