In 2020, the Information Commissioner’s Office (‘ICO’) has delivered two significant decisions. Taken together they provide a comparison of the ICO’s enforcement powers in relation to significant data protection breaches.
The current approach
The maximum potential fines available to the ICO under the General Data Protection Regulations are fairly well known, at €20million or 4% of annual global turnover (whichever is greater). The ICO has a wide discretion in when to apply such fines, and provides guidance in both its Regulatory Action Protocol (‘RAP’) and article 83 of the GDPR itself.
The RAP suggests a penalty is more likely if:
- a) a large number of individuals were affected by the breach;
- b) there was some damage or harm, including distress or embarrassment;
- c) there was a failure to apply reasonable measures or mitigation.
Other factors and situations which may affect the size of any penalty include:
- compliance with any investigation;
- culpability and size
- severity of the breach.
Where a fine is not imposed, the ICO has access to other tools beyond monetary penalties, such as warnings or enforcement notices. These can represent a significant non-financial burden and may forecast a stronger enforcement approach for future breaches.
The current rules in action – British Airways
The ICO’s decision against British Airways (‘BA’) provides a clear illustration of how fines are calculated. Some of the major factors included:
- BA did not benefit financially from the breach (such as selling the data);
- BA promptly notified the ICO when it discovered the breach, fully cooperated with the ICO’s investigation, and quickly took measures to mitigate and minimise the breach, including offering free credit reporting to some of the individuals affected;
- In line with current ICO guidance the fine was reduced due to the current pandemic situation.
- The breach was significant, including over 400,000 records, and it was also unclear whether BA would have discovered the breach themselves;
- While the last unauthorised access was 5th September 2018, the ICO held that the appropriate end date was 16th November 2018 when BA implemented its final technical measure as a result of the breach, meaning the breach in effect lasted a further two months;
- The ICO held that while BA had not intended the breach, it had been negligent – as a large, high profile organisation it should have been aware of its risk profile and taken ‘appropriate steps’;
The current rules in action – Experian Limited
The two-year investigation into Experian, Equifax and TransUnion illustrates differences in approach; while the ICO found ‘significant data protection failures’ at each of the three, Equifax and TransUnion made improvements requested during the investigation, withdrew some products and services and face no further regulatory action.
On the other hand, according to the ICO Experian also made improvements, but was unwilling to fully comply. Steps Experian resisted included issuing privacy information directly to individuals or ceasing to use credit reference data for direct marketing. Experian has since released a press release confirming that in its opinion the ICO’s requirements exceeded the legal requirements.
The ICO has issued an enforcement notice with which Experian is required to comply. If Experian fails to do so, it will then face a fine under the GDPR, which would likely be significant; it has until July 2021 to comply with the notice, but in the meantime has already indicated it will be appealing the decision.
While the ICO has the ability to leverage significant fines, it will not always choose to do so, and when it does there is still room to make submissions as to why those fines should be lower.
A prompt, strategic response can often minimise any penalties, and reduce any disruption. If your organisation is facing a regulatory investigation or data breach, Ashfords’ Business Risk and Regulation Team can guide you through your response; advise on interactions with the ICO and help you minimize the risk of negative outcomes.