November 20, 2019

UK ICO Proposes GDPR Fines for British Airways and Marriott Data Breaches

Earlier this week, the UK Information Commissioner’s Office (ICO) announced its intent to fine British Airways £183.39 million ($230 million) and its intent to fine Marriott International more than £99 million ($123 million) for violations of the General Data Protection Regulation (GDPR) arising out of data breaches. The ICO investigated the breaches as the lead supervisory authority under the GDPR “one stop shop” enforcement mechanism. Both companies have an opportunity to comment on the ICO’s proposals, and other EU Member State data protection authorities (DPAs) have an opportunity to comment before the ICO renders a final decision.

British Airways announced a data breach in September 2018 affecting personal information for approximately 500,000 customers after hackers installed malware on British Airways’ website that directed customers to a fraudulent site where personal information was accessed. According to a July 8, 2019, ICO statement, “a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well as name and address information.” The ICO’s proposed fine – the highest for a data breach under the GDPR to date – represents approximately 1.5% of the airline’s annual revenue, well below the GDPR’s ceiling of 4% of yearly turnover.

In November 2018, Marriott notified the ICO of a data breach affecting its subsidiary Starwood, which reportedly compromised personal information for approximately 339 million guests. Marriott acquired Starwood in 2016, but the breach was believed to have occurred in 2014 and was not discovered until 2018. In a July 9, 2019, ICO statement announcing the proposed fine, the Information Commissioner stressed the importance of performing sufficient data protection due diligence as part of a corporate acquisition.

The ICO is proving to be an activist data protection authority under the GDPR, but it is not the only member state DPA to flex its enforcement muscles. In January, the French DPA fined Google $57 million for the “misuse of personal data” of its users. The Irish DPA is currently investigating Facebook’s data security practices after a massive data breach affecting 50 million accounts occurred in September 2018, and the social media giant’s fine could reach around $1.63 billion should the maximum penalty be imposed. The two significant fines proposed by the UK ICO for the British Airways and Marriott data breaches indicate that DPAs are looking beyond social media companies and tech giants when potential compliance violations are identified, especially in the wake of a data breach.

Article 33 of the GDPR requires controllers to notify the supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it…unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.” Some DPAs have stressed the need for companies to evaluate this harms-based threshold for filings. The fines may result in increasing the number of reports of possible data breaches to DPAs as companies conservatively elect to report, but companies must consider applicable reporting obligations in other jurisdictions, recognizing that any breach notification can trigger an investigation of a company’s security practices by relevant regulators.

Breach notification in the United States remains complicated because the reporting thresholds are not consistent, as our state data breach notification resource indicates. It remains critical for companies to establish sound data security, breach identification, breach management, and breach reporting procedures consistent with not only the GDPR, but all applicable laws where they operate.

© 2019 Keller and Heckman LLP

About this Author

Sheila Millar, Keller Heckman, advertising lawyer, privacy attorney
Partner

Sheila A. Millar counsels corporate and association clients on advertising, privacy, product safety, and other public policy and regulatory compliance issues.

Ms. Millar advises clients on an array of advertising and marketing issues. She represents clients in legislative, rulemaking and self-regulatory actions, advises on claims, and assists in developing and evaluating substantiation for claims. She also has extensive experience in privacy, data security and cybersecurity matters. She helps clients develop website and app privacy policies,...

202-434-4646
Tracy Marshall, Keller Heckman, regulatory attorney, for-profit company lawyer
Partner

Tracy Marshall assists clients with a range of business and regulatory matters.

In the business and transactional area, Ms. Marshall advises for-profit and non-profit clients on corporate organization, operations, and governance matters, and assists clients with structuring and negotiating a variety of transactions, including purchase and sale, marketing, outsourcing, and e-commerce agreements.

In the privacy, data security, and advertising areas, she helps clients comply with privacy, data security, and consumer protection laws, including laws governing telemarketing and commercial e-mail messages, contests and sweepstakes, endorsements and testimonials, marketing to children, and data breach notification. Ms. Marshall also helps clients establish best practices for collecting, storing, sharing, and disposing of data, and manage outsourcing arrangements and transborder data flows. In addition, she assists with drafting and implementing internal privacy, data security, and breach notification policies, as well as public privacy policies and website terms and conditions.

As to intellectual property matters, Ms. Marshall helps clients protect their copyrights and trademarks through registration, enforcement actions, and licensing agreements.

She also represents clients in proceedings before the Federal Communications Commission and Federal Trade Commission.

Ms. Marshall is a Certified Information Privacy Professional (CIPP/US) through the International Association of Privacy Professionals (IAPP) and a contributing author of Beyond Telecom Law Blog and Consumer Protection Connection.

Education: Washington and Lee University (B.A., 1997); American University, Washington College of Law (J.D., 2002).

Admissions: District of Columbia; Maryland

Memberships: American Bar Association

202-434-4234