The UK data protection and privacy regulator intends to issue record fines for two separate data breaches, sending a strong signal that the EU’s data protection laws have real teeth.
On July 8, the Information Commissioner’s Office (ICO) announced its intention to fine a UK company £183 million for infringements of the General Data Protection Regulation (GDPR), following a 2018 data breach.
The next day, the ICO announced its intention to fine a US hospitality group £99 million for breaches of the GDPR related to a November 2018 cyber-attack.
Both companies now have an opportunity to appeal the decisions. Following representations by the companies, the regulator will finalise the penalties, which could be reduced if the appeals are successful.
The two ICO enforcement actions – which cover some of the largest and most high-profile data breaches to occur since the GDPR became effective – are widely regarded as test cases for the new regulation’s enforcement.
If upheld, the proposed fines would be the largest ever levied by the ICO, as well as the largest issued in Europe for a breach of the GDPR.
The largest fine under the GDPR prior to the ICO announcements was a €50 million fine against a technology company by the French regulator CNIL in January 2018, although the company said it intends to appeal the fine.
The two proposed fines also dwarf prior ICO enforcement actions under the UK’s former data protection law, the Data Protection Act 1998 (DPA).
These included two separate enforcement actions of £500,000 in 2018, the maximum permitted under the DPA and the ICO’s highest ever fines.
In the first nine months that the GDPR was in effect, EU regulators brought more than 200,000 cases in 31 countries and issued nearly €56 million in fines, according to the European Data Protection Board (EDPB), which coordinates the EU’s data protection authorities.
Setting the Tone
Thousands of GDPR actions are currently pending, and organisations should expect EU regulators to continue to stringently pursue instances of non-compliance.
The ICO can impose even larger fines under the GDPR, as regulators can impose a maximum fine of up to 4% of a firm’s global annual turnover, or €20 million, whichever is higher.
However, maximum fines are intended for the most severe breaches of the GDPR, and mitigating factors would presumably be reflected in the penalty.
Insurability of Fines
The ICO has not yet published details of its investigations into the two breaches, nor explained the reasoning behind the enforcement actions and level of fines.
However, the enforcement actions highlight some interesting issues, including the insurability of fines under the GDPR, which varies by location.
Fines and penalties under data protection laws, including the GDPR, may be covered by cyber insurance, where insurable by law.
However, coverage will depend on the nature of the fine or penalty (whether it is civil or criminal and how egregious the non-compliance), as well as the specifics of insurance contracts, and court decisions in relevant jurisdictions.
Further clarification on the issue is expected, once the first cases are submitted as claims to insurers and/or go to court.
In the meantime, organisations should work with their advisors to understand how their policies might respond and, where possible, seek to add policy wording that provides the best chance of recovery in the event of GDPR non-compliance.
The ICO enforcement actions also highlight the extra-territorial reach of the GDPR. The rules protect the personal data of EU citizens and can be applied to companies holding or processing their data, even when located outside the EU.
In both data breaches, the ICO investigated the incidents as the lead supervisory authority on behalf of other EU member states’ data protection authorities.
It also liaised with other regulators. Under the GDPR “one-stop shop” provisions, data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings.
Commenting on the proposed fine, UK Information Commissioner Elizabeth Denham said: “The GDPR makes it clear that organisations must be accountable for the personal data they hold.
This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess, not only what personal data has been acquired, but also how it is protected.”
The ICO announced the proposed record GDPR fines following what it described as an “unprecedented” year for the regulator. In its recently published annual report, the ICO recorded a 66% increase in data protection enquiries to 471,224, while data protection complaints received by the ICO doubled to 41,661 in 2018/19.
The period was also a record-breaking year for monetary penalties under the DPA, with 22 fines issued, totalling £3 million, including two fines of £500,000, the maximum allowed.
Enforcement actions in Europe have also gathered momentum since the GDPR came into force on May 25, 2018.
During the year, the ICO received 13,840 reports of personal data breaches, a big jump from the 3,311 reported personal data breaches in the pre-GDPR 2017/18 period, and the 2,565 breaches notified in 2016/17.
The ICO welcomed the increase in breach reporting (mandatory under the GDPR), saying it demonstrates that organisations are taking the GDPR requirements seriously.
Notifications were highest among general business (18%), health care (16%), education (13%), and financial services (11%).
Having become a competent authority under the EU’s Network and Information Systems (NIS) Regulations in May 2018, the ICO also disclosed in its annual report the number of cyber incident referrals it received.
During 2018-19, the ICO received around 2,500 cyber security incident referrals, of which 44% were phishing attacks and 29% were attributed to unauthorised access.
These figures further indicate the impact of the GDPR and the prevalence of phishing attacks.