The EU’s General Data Protection Regulation went into effect with great fanfare in May 2018, along with great trepidation about the potential fines regulators might impose for violation of the regulation’s requirements. In the following months, regulators imposed relatively few fines, for relatively modest amounts. However, just in the last several days, the U.K. privacy regulator has announced the potential imposition of two massive GDPR fines, underscoring the regulation’s potential huge impact. The newly announced fines, involving British Airways and Marriott International, have a number of serious implications for other companies, for the future of GDPR enforcement, and for the significance of privacy issues generally as an area of corporate risk.
British Airways: The first of the two recent fines came to light in a July 8, 2019 announcement from the U.K.’s Information Commissioner’s Office (ICO), in which the agency announced its intention to fine British Airways £183.39 million ($230 million) for violation of the GDPR. The proposed fine relates to a cyber incident that British Airways noticed to the ICO in September 2018. The cyber incident involved the diversion of user traffic from British Airways’ website to a fraudulent site. The ICO concluded that the personal data of approximately 500,000 customers was compromised. The diverted information included log in, payment card, and travel booking details as well as name and address information. The ICO says the incident was the result of “poor security arrangements at the company.”
If the British Airways fine is imposed as proposed, it will represent the highest ever fine under the GDPR. (The largest prior fine was the €50 million fine the French privacy regulator imposed earlier this year on Alphabet, Google’s parent company.) The airline’s parent company, International Consolidated Airlines Group, which has been cooperating with the ICO investigation, has said that it intends to fight the fine.
Marriott International: The second of the two recent fines relates to Marriott International. On July 9, 2019, the ICO announced that it intends to impose a fine of £99,200,396 ($124 million) against the company in connection with the high-profile breach involving the company’s Starwood Customer loyalty program website. (The Starwood breach also has been the subject of regulatory investigations and securities litigation in the U.S.) The ICO’s press release about the proposed fine says that the agency concluded that Marriott failed to “conduct proper due diligence” in connection with the company’s 2016 acquisition of Starwood and that Marriott “should have done more to secure its systems.” The breach of the Starwood system exposed as many as 339 million customer records, of which approximately 30 million involved records of customers living in the EU, including 7 million in the U.K.
In a July 9, 2019 press release, Marriott said that it has been cooperating with the investigation and that it intends to contest the ICO’s ruling.
There is of course a great deal of irony in the fact that these aggressive measures to enforce the EU’s GDPR are being taken by the U.K. privacy regulator. (Under the GDPR’s regulatory structure, national regulators are charged with the responsibility for enforcing the regulation’s requirements.) The U.K. is of course in the midst of an incredibly messy process by which the country intends eventually to withdraw from the EU. The EU’s regulation does of course remain in effect in the U.K. until the country completes its EU withdrawal, but given the country’s intended eventual withdrawal it would seem more logical that a national regulator of a country that has a longer term stake in the enforcement of EU regulations would be taking the enforcement lead.
Just the same, there are a number of very significant implications from the U.K. ICO’s recent actions. Before commenting on the ICO’s recent actions, I should emphasize that the recently announced fines are at this point merely proposed. The involved companies are contesting the proposed fines, and there is at this point no way of knowing for sure what the end result will be. However, the fact that fines of this magnitude have been proposed is of significance in and of itself. With that said, I note the following.
The Size of the Fines: First, the sheer size of the proposed fines is stunning. The fine proposed against Marriott represents 2.5% of the company’s global revenues. The proposed fine against British Airways represents 1.5% of the airline’s revenue. As massive as the proposed fines are, the fact is that at least as a theoretical matter the fines could have been even larger – the GDPR allows regulators to fine companies up to 4% of their annual revenue. The recent proposed fines underscore the GDPR’s extraordinary potential for the imposition of massive fines. It is not an original observation, but it does need to be said that the possibility of a GDPR fine represents a massive legal, regulatory, and financial risk for all companies to which the GDPR applies.
There is one more thing to keep in mind about these proposed fines — these are the fines proposed against companies that both self-reported and cooperated with the subsequent investigation. The implications for the potential size of the fine for a company that does not self-report or that does not cooperate are serious.
GDPR Fines Against Non-EU Companies: Second, it should be noted that the U.K. regulator has proposed to impose a massive fine against Marriott, despite the fact that Marriott is a U.S.-based company. To be sure, the record shows that the Starwood customer database breach resulted in the exposure of the records of millions of customers living in Europe. Just the same, the fact that a massive fine has been proposed against Marriott highlights the extent to which non-E.U. companies, including even companies based in the U.S., are potentially subject to the GDPR’s massive fines. GDPR is intended to protect the “personal data” of EU residents, which means that a company in possession of this kind of information (which GDPR defines extraordinarily broadly) potentially is subject to GDPR regulatory action, even if it has no offices or employees within the EU.
National Regulators’ Active Enforcement Approach: Third, and following closely on the prior point, the U.K. regulator at least has made it clear that it intends to take an active role in enforcing the GDPR’s requirements. The ICO’s press release about the proposed British Airways fine includes a statement by the U.K.’s information commissioner saying that the GDPR provides that “when you are entrusted with personal data you must look after it,” and that companies that do not will “face scrutiny” to determine “whether they have taken appropriate steps to protect fundamental privacy rights.” Even if Brexit (eventually) makes the U.K. ICO less relevant to GDPR enforcement, the likelihood is that other national privacy regulators will take a similar approach. Indeed, in the media coverage of the recent proposed fines, one press report included a statement that the Irish privacy regulator has over 50 active privacy investigations open. Thus, for companies subject to the GDPR, the regulation creates the possibility of massive fines, and the national regulators’ active enforcement approach further increases companies’ GDPR regulatory risk.
Merger-Related Risk: Fourth, in addition to the fact that the proposed Marriott fine involves a non-EU company, the proposed fine is also significant in that it relates to a breach that came to light only after a merger transaction. As I noted in a recent blog post (here), a number of the significant data breach and privacy related D&O claims involve circumstances where the breach involved arose at a predecessor company prior to a merger transaction. The fact that Marriott may get hit with a massive GDPR fine based on a breach that occurred at Starwood prior to Marriott’s acquisition of the company underscores that in the current regulatory environment one of the significant merger-related risks that an acquiring company faces is the possibility of a massive privacy-related fine for cybersecurity shortcomings at the predecessor company.
Privacy as a Major Area of Corporate Risk: All of these observations underscore an important over-arching point that I have previously made on this blog, which is that going forward privacy may represent one of the most significant areas of potential corporate risk exposure. This risk includes not only the possibility of the massive regulatory fines that the GDPR permits, but it also includes the possibility of follow-on D&O claims, when shareholders claim that company management failed to take appropriate steps to prevent the regulatory fines or that management failed to fully inform investors of the regulatory risks that the company faces.
As massive as the recently announced proposed fines are, I suspect strongly that these proposed fines are only the tip of the iceberg. There are many more fines to come, and the future fines may be even more significant. There is much more to be heard about GDPR risks and about privacy risks generally.