ICO announces unprecedented fines for GDPR breaches

On 8 and 9 July 2019, the Information Commissioner’s Office (“ICO”) announced its intention to impose two of the biggest fines for data security incidents since the General Data Protection Regulation (“GDPR”) and its UK equivalent, the Data Protection Act (2018), came into force on 25 May 2018. The penalty for breaching the GDPR is up to €20m or 4% of annual global turnover, whichever is highest[1]. This is far greater than the maximum penalty of £500,000[2] under its predecessor, the Data Protection Act (1998).

In October 2018, the ICO fined Facebook the maximum £500,000 for failing to protect users’ personal data resulting in the Cambridge Analytica scandal. The ICO considered this contravention to be serious and warned, “the fine would inevitably have been significantly higher under the GDPR.” This was the largest fine that the ICO had issued to date, which was significantly less than the two fines intended for British Airways and Marriot International.

While these are not the first fines issued under the GDPR, previous fines had been for less serious breaches, such as the ICO’s £100,000 fine against EE Limited on 24 June 2019, for failing to obtain consent before sending 2.5 million direct marketing messages.

British Airways

On 8 July 2019, the ICO published that it intended to fine British Airways £183.39m, following extensive investigations into a data security incident in June 2018.

The incident compromised the personal data of approximately 500,000 customers, including customer login and payment card details, travel bookings and name and address information. It resulted from a JavaScript vulnerability, which allowed hackers to divert customers to a fake website to enter payment details.

British Airways reported the incident within the 72-hour window required under the GDPR, and according to the ICO, British Airways has since cooperated with the authorities and improved its cyber security arrangements.

The fine equated to 1.5% of British Airways’ 2017 global turnover, which, whilst unprecedented, is still below the maximum 4% the ICO has the power to impose under the GDPR.

Marriot International

On 9 July 2019, the ICO also published its intention to fine Marriot International £99,200,396 for a data breach reported in November 2018. The breach exposed the personal data of approximately 339 million guests, 30 million of which were EEA residents, and included data such as credit card details, passport numbers and dates of birth.

The breach resulted from a vulnerability that had been present in the IT systems of Marriott’s subsidiary, Starwood, since 2014. Marriot acquired Starwood in 2016, but did not discover the vulnerability until September 2018, which it reported in November 2018.

The ICO found that Marriot did not undertake sufficient due diligence when it acquired Starwood and did not do enough to secure its systems. However, the ICO confirmed that Marriot has cooperated with the investigation and improved its information security arrangements since.

Marriot and British Airways, as well as any concerned data protection authority, are invited to make representations before the ICO makes its final decision.

Conclusion

The intended fines demonstrate that EU data protection authorities are willing to impose heavy monetary penalties on corporations, for GDPR breaches. They are intended as a reminder to companies to ensure that their information systems and processes are secure and that they adequately protect the fundamental right to privacy when handling personal data with which they are entrusted.

[1] General Data Protection Regulation (2018), Article 83;
Data Protection Act (2018), s157

[2] Data Protection Act (1998), s55C (1);
Information Commissioner’s Office, (2015), ‘Information Commissioner’s guidance about the issue of monetary penalties prepared and issued under section 55C (1) of the Data Protection Act 1998’, Accessed at https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/422792/ico-guidance-money-penalties-2015.pdf

Related services

Sign up for notifications

Learn more

Cookie	Type	Duration	Description
_ga	third party	2 years	This cookie is installed by Google Analytics and collects information on how users interact with the website. The cookies store information anonymously and assigns a randomly generated number to identify unique visitors. It is used to distinguish users.
_gat	third party	1 minute	Google Analytics cookies to track users as they navigate the website and help improve the website's usability.
_gid	third party	24 hours	This cookie is installed by Google Analytics and collects information on how users interact with the website. The cookies store information anonymously and assigns a randomly generated number to identify unique visitors. It is used to distinguish users.
cookielawinfo-checkbox-necessary	session	1 year	Records the default button state of the corresponding category. It works only in coordination with the primary cookie.
cookielawinfo-checkbox-non-necessary	session	1 year
viewed_cookie_policy	session	1 year	Is the primary cookie that records the user consent for the usage of the cookies upon accept and reject. It doesn't track any personal data and is set only upon user action (accept/reject).