Why is the Information Commissioner’s Office like the England cricket team?
What a week it has been. England have won the Cricket World Cup, and both Marriott and British Airways have been hit for six by the ICO. It’s fair to say that both the England team and the ICO have upped their game.
In the same week, the ICO published its annual report naming another airline that will be subject to substantial investigation alongside British Airways and Marriott. This follows Cathay Pacific's announcement in 2018 that it had discovered unauthorised access to the personal data of 9.4 million customers.
Cathay Pacific has already been publicly criticised by Hong Kong's privacy commissioner for maintaining inadequate security systems. It will be interesting to see how any ICO fine compares with the two Notices of Intent to fine issued this week, given that fewer British nationals were involved in the data breach and the organisation is based outside the EU.
It is worth comparing the level of the ICO's fines with those issued elsewhere in the European Union under the new umbrella of the GDPR. We commented on the fine issued to Google by the CNIL in France in January 2019, which was close to £44m. Based on Google's recent figures, this equates to approximately 0.05% of Google's total revenue and around 1% of the maximum fine that could have been imposed (4% of global annual turnover).
In comparison, the ICO’s intended fines determined this week were 35% of BA’s possible maximum fine and 15% of Marriott’s, based on recent figures. The level at which these fines have been issued will likely reverberate across Europe, but whether we will achieve cross-jurisdictional consistency of future fines remains to be seen, especially given two of the major organisations mentioned in the ICO’s annual report are based outside of the EU.
As the GDPR is being used as a model for other countries to follow on data protection, the recent fines are a watershed moment. The ICO has exercised its powers not only against organisations in the UK but further afield, and this will begin to set a precedent.
It is important to remember at this stage that these are Notices of Intent to fine the two organisations, and the next steps will be integral to the process of confirming those fines. Both organisations have at least 21 days from receipt to make written representations to the ICO and, if the circumstances are deemed exceptional, may be afforded the opportunity to make oral submissions.
As the impact of both breaches, and of others going forward, extends far beyond data subjects residing in the UK, the ICO will also seek advice and representations from its counterparts in other EU member states. Following the ICO's informed decision based upon this process, the organisations will then have the opportunity either to appeal to the First-tier Tribunal or to make the payment. We are sure that both of these decisions will be monitored closely by companies with any base of operation in an EU member state.
Given the gravity of the intended fines and the substantial corporate impact in the boardroom, it is likely that the ICO will try to hold its position as firmly as possible. Any indication that it may have been overzealous with its new powers may be construed as a sign of weakness from its perspective. Given the size of both organisations, it is likely that we will see the ICO's powers tested before a tribunal sooner rather than later.
Both the England team and the ICO have sent shockwaves out this week, which will continue to reverberate for years to come. Having threatened to lead the way for a long time, it will be interesting to see, now that they have made their mark on the world stage, whether their current form will continue when put to the test by other nations.