The Information Commissioner’s Office (ICO) recently fined British Airways (BA), Marriott International (Marriott), Ticketmaster £20 million, £18.4 million and £1.25m respectively for failures to keep their customers’ personal data secure. These companies suffered separate data breaches in 2018 which resulted in a large number of their customers having their personal data, including credit card details, compromised.
Whilst all these fines are significant (a record fine in the case of BA), what is interesting is the huge change of approach by the ICO which had originally issued notices of intention (“NOIs”) to fine BA an incredible £183.4 million and Marriott £99.2 million back in July 2019. The NOI fine for Ticketmaster was £1.5M.
Clearly, something has changed. But what is it?
Why were the fines reduced by so much?
The most significant reason for the reduction in the level of the fines issued against the companies appears to be due to the ICO using a fresh methodology to calculate the fines.
For the BA and Marriot NOIs, the ICO had relied on a methodology set out in an unpublished, internal document. This provided that turnover should be the key consideration for the ICO when setting fines under the GDPR. However, BA argued that reliance upon this was unlawful and, ultimately, the ICO decided to depart from this methodology entirely when calculating the fines issued against BA and Marriott. It did not use this methodology for Ticketmaster and hence there was only a small reduction from £1.5M to £1.25M.
Instead, the ICO calculated the fines in line with its Regulatory Action Policy (“RAP”). The RAP sets out a five step process that the ICO must follow when issuing fines. Steps 1 to 4 deal with factors which add to the level of the fine (including, amongst other matters, whether the infringing party obtained any financial gain from their actions and the severity of the infringement). Taking into account these factors alone, the ICO deemed that BA’s breach of GDPR would warrant a fine of £30 million, Marriott’s would warrant a fine of £28 million and Ticketmaster £1.5 million.
However, step 5 of the process requires the ICO to take into account any mitigating factors (a list of which are set out in the RAP) which should result in the fine being reduced.
A number of overlapping mitigating factors were considered to be present in the case of both the BA and Marriott breaches. These mitigating factors included:
Taking into account all mitigating circumstances, the ICO determined that each company should have their fine reduced by 20% (representing a £6 million reduction in the case of BA and a £5.6 million reduction in the case of Marriott).
Finally, the ICO took account of the impact of Covid-19 on the companies. In the case of both BA and Marriott, this resulted in the fine being reduced by a sum of £4 million. In the case of Ticketmaster this was £250,000.
This is a relatively small amount considering how hard these companies have been hit by the pandemic and suggests that companies should not expect too much leniency for infringements during this time.
Other key take-aways
In addition to the above, a number of other conclusions can be drawn from the enforcement notices. We have set out a summary of these below:
The latest Ticketmaster fine highlights that the ICO has honed its regulatory enforcement approach and we are unlikely to see the massive reduction in fines as in the cases of BA and Marriot. It also establishes a marker for the future in that we are more likely to see fines in the single and tens of millions instead of hundreds of millions.
If you have any questions about these issues in relation to your own organisation, please contact a member of the team or speak with your usual Fox Williams contact.