One year of GDPR: the key cases so far – who has suffered and who has had a lucky escape? (Part 2)

This article will examine the case law surrounding the General Data Protection Regulation that came into effect on 25^th May 2018. It is part of a two part series of articles on the GDPR. See the first part on the data protection developments that led to the GDPR here.

Following the discovery that data rights were not being adequately protected by the Data Protection Directive 1995 passed by the European Union (transferred into UK law as the Data Protection Act 1998) in 2012 the European Commission announced that it was developing the GDPR. Subsequent legal cases such as those led by Max Schrems, David Carroll, the leaks by Edward Snowden and the Cambridge Analytica scandal have made the need for such regulation even more evident and urgent.

With just over one year of the new regulation, The Student Lawyer examines the newly established case law by GDPR and what this might mean for the future. This article will look at cases that include the fines imposed on Google, British Airways, Marriot International, the Enforcement Notice issued to Aggregate IQ Data Services Ltd (AIQ) and action taken by the Information Commissioner’s Office (ICO) against any organisation that did not pay the new data protection fee.

What is GDPR – a brief recap!

GDPR:

• Allows EU citizens to control what data is held about them (“right to be forgotten”)
• Overhauls and updates data rules for governments and businesses
• Makes the principle of “privacy by design” a legal requirement

GDPR means data must:

• Be collected and processed fairly and transparently (requests to process personal data must be clear and easy to find + the right to withdraw has been strengthened)
• Be accurate and up to date
• Be held for the minimum time necessary
• Be safe from hackers

GDPR applies to:

• Personal data (name, phone number, location data, online identifiers)
• Personal sensitive data (Ethnicity, Sexuality, Political affiliation, Religion, Biometric data, Medical conditions, criminal convictions)

Penalties for breaches or sales to third-parties:

• Limits or outright bans on data processing
• Compulsory audits of data handling
• Fines of up to 4% of global group turnover or €20 million (whichever is higher)
• “One-stop shop system” of penalties

GDPR has been transferred into UK domestic law via the Data Protection Act 2018, implementing the EU Law Enforcement Directive and elements that are left for Member State law to determine. It is protected under article 3 of the European Union (Withdrawal) Act 2018 in the case of a no-deal Brexit.

The first to fall foul of GDPR

The largest fine to date is currently the £183 million penalty (equivalent to 1.5% of BA’s worldwide turnover) awarded to British Airways by the ICO in July 2019 for failing to adequately protect its customers from a cyber attack where hackers stole the personal data, including bank details of 500,000 customers. The airline was targeted between 21^st August and 5^th September by a group of hacked that had carried out previous cyber-attacks on Ticketmaster in June 2018. This stands out as the pivotal ruling by the ICO that the days of a cool half a million for the most serious data breaches are over.

In a swift one-two boxing combo, the ICO dished out its second largest fine to Marriott, the international hotel group, the day after BA received its record-breaking fine. Marriott was fined £99 million after hackers stole the personal data of 339 million customers globally, including 7 million in the UK. In Marriott’s 2016 acquisition of Starwood hotels group, Marriott inherited Starwood’s weak IT system that left customers vulnerable to hackers. Both BA and Marriott say that they will appeal the ICO’s decisions.

The ICO also issued its first Enforcement Notice and took action against those who had failed to pay the new data protection fee in September 2018. Aggregate IQ Data Services Ltd (AIQ), a Canadian-based political consultancy and tech company, received the ICO’s first formal notice due to its role as the provider of software in the Cambridge Analytica scandal that illegally harvested personal data for political targeting for “Vote Leave” and “BeLeave” campaigns in the UK’s 2016 EU referendum. The fact that a Canadian-based (non-EU) company is subjected to GDPR is proof of the success of one of the regulation’s key objectives.

Across the Channel in France, Google was fined €50 million by the French Commission nationale de l’informatique et des libertés (CNIL) in January 2019. Google was caught out by GDPR as Google as it made it too difficult for users to be able to opt out of data-processing in the personalisation of adverts. Nevertheless, €50 million is a fraction of the possible €4 billion sum that is the maximum penalty that CNIL could impose and thus the case, whilst a key milestone at the time, has been overshadowed by the fines imposed on BA and Marriott.

And those who just got away with it!

Several companies were lucky enough to just escape the greatly increased fines that have been implemented under GDPR since the offences predated the new EU regulation.

Most notably, Facebook’s involvement in the Cambridge Analytica Scandal earnt them the maximum penalty of a £500,000 fine from the UK’s Information Commissioner’s Office (ICO) in October 2018. This half a million is nothing in comparison to the recent $5 billion settlement between Facebook and the Federal Trade Commission for the same scandal in the US. If this had fallen under GDPR, Facebook would most likely have paid over £600 million.

Similarly, Equifax was also fined £500,000 in September 2018 by the ICO after a cyber-attack left the personal data of 146 million people around the world and 15 million people in Britain. The credit rating agency had ignored warnings about a “critical vulnerability” in its systems and despite being headquartered in the US felt the full force of the old Data Protection Act 1998 as its UK branch was liable for the failure of its American HQ to protect its British customers.

Another curious lucky escapee of GDPR has been the Pregnancy club Bounty UK who were fined £400,000 by the ICO in April 2019. The ICO found that between June 2017 and April 2018, Bounty UK illegally shared personal data onto third parties (Acxiom, Equifax and Sky) for marketing purposes without notifying the 14 million people who had their data passed on. The data being shared was harvested from potentially vulnerable new mothers or mothers-to-be and their children and it included details such as young children’s date of birth and gender.

Conclusion/ takeaways

The ICO has proved that it is no longer the weak and dogmatic authority that it used to be perceived to be, with Elizabeth Denham, Information Commissioner, noting that the “law is clear – when you are entrusted with personal data you must look after it”. This new attitude about personal data protection that is enshrined in GDPR will have the tech giants worried. Google is currently under investigation by the ICO for a data breach on their G+ social network platform that exposed 50 million users’ data in October 2018 and the same breach for which CNIL fined Google €50 million in January. Similarly, Facebook is under investigation for a cyberattack that affected 50 million of its users in September 2018.

Another key case that remains to be concluded is the Morrisons appeal to the Supreme Court that it is not liable for data that was stolen by a rogue employee. The date of appeal for the case Various Claimants v Morrisons Supermarkets Plc. has been set for 6-7 November but demonstrates (despite being decided under the old Data Protection Act 1998) that it is vital to adequately prepare to avoid data breaches. If overturned, the case would set a huge precedent that might damage the effectiveness of GDPR.

For now, the number of GDPR complaints that the ICO receives is only growing, as people become more aware of the rights they have over their personal data.

 Article by William Holmes