We comment below on the announcement last week by the UK’s Information Commissioner’s Office (ICO) that it has fined Cathay Pacific Airways Limited the maximum fine legally possible for a data breach. We also consider what this could mean for monetary penalties against companies in future.
The announcement last week by the ICO that it has fined Cathay Pacific Airways for the airline’s failure to protect the security of its customers’ personal data may provide an indication of how the UK’s data privacy regulator is working through its caseload of potential companies that it intends to fine, and the approach it will take to valuing monetary penalties.
Since Britain’s Data Protection Act 2018 (DPA18) and the General Data Protection Regulation (GDPR) came into force at the end of May 2018, the ICO has been criticised by some quarters because it has only imposed one fine under the new data protection laws, and that financial penalty was fairly modest.
The UK regulator’s only fine to date under the GDPR
That fine, against Doorstep Dispensaree, was issued on 17 December 2019. It was only for £275,000, which was well within the pre-DPA18/GDPR regime cap of £500,000. Under the DPA18/GDPR, the ICO could have imposed a maximum fine of €20m (or the equivalent in sterling), or 4% of the company’s total annual worldwide turnover in the preceding financial year, whichever was higher.
In other words, the post-DPA18/GDPR regime, despite legally applying to the case, was not necessary for the ICO to issue a monetary penalty of £275,000 against Doorstep Dispensaree. Such a fine could have been imposed under the data protection laws that were in place before May 2018.
By way of background, the Doorstep Dispensaree case related to about 500,000 documents in unlocked containers at the back of the company’s premises. Those documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people.
The relatively low value of the fine against Doorstep Dispensaree was disheartening to some in the post-DPA18/GDPR era who are eager to see regulators flex their muscles with large monetary penalties against companies that breach UK data privacy laws.
British Airways and Marriott
For those people, the new data privacy regime imposed in Britain after the end of May 2018 appeared hopeful in 2019, in terms of the potentially high fines.
There were statements of “intent” by the ICO on 8 July 2019 to fine British Airways £183.39m and on 9 July 2019 to fine Marriott International Inc £99.20m. Both intended regulatory fines were for infringements of the DPA18/GDPR.
These announcements by the ICO were greeted with much fanfare in the media. By mid/late-2019, all the signs were there that the ICO was starting to be bullish about its monetary penalties on companies.
Despite this, the ICO’s “intentions” do not appear to have turned into actual fines against British Airways or Marriott. The ICO generally announces penalty notices on its website, and no such announcement can be located in relation either to British Airways or Marriott. ICO statements on those cases seem to have simply dried up.
Under the DPA18/GDPR, there is ordinarily a maximum of a six month window between the ICO announcing an intention to issue a fine against a company and it doing so.
This is because Paragraph 2(2) of Schedule 16 of the DPA18 says, “The [ICO] may not give a penalty notice to a [company] in reliance on a notice of intent after the end of the period of 6 months beginning when the notice of intent is given,” unless this timeframe is extended by agreement between the ICO and the company it is intending to fine.
Clearly the six month timeframe has expired since the aggressive announcements about intended fines by the ICO in July 2019.
Rumours are now circulating among specialist data privacy lawyers that both British Airways and Marriott have quietly agreed with the ICO to an extension of the regulatory process until 31 March 2020.
Significant fines against British Airways and Marriott may therefore be issued quite shortly, depending upon what next step is taken by the ICO.
Cathay Pacific Airways
If we move on to consider the fine announced by the ICO last week against Cathay Pacific, it is worth extrapolating three points from it even though it was issued under laws that were in place before the DPA18/GDPR:
- The ICO is still indicating a potential appetite for issuing large fines against companies, within the confines of the laws in which it must operate. The Cathay Pacific fine was under the Data Protection Act 1998 (DPA98), rather than the DPA18/GDPR, but it was for the maximum amount legally possible, ie £500,000. It could potentially have been far higher under the DPA18/GDPR regime. The ICO’s other most recent fine under the old DPA98 regime, against DSG Retail Ltd in January 2020, was also for the maximum monetary penalty possible under the old regime, ie the DPA98. The ICO’s settlement in October 2018 with Facebook (with no admission of liability by the social media company) was also for a monetary sum reflecting the maximum fine that the ICO could have imposed on Facebook under the DPA98. These maximum regulatory monetary penalties are not one-offs since the DPA18/GDPR came into effect. There have been other maximum fines, albeit under the laws in force before the DPA18/GDPR. When looked at in this light, the ICO is perhaps being more aggressive with its fining than people give it credit for. It has to work within the legal constraints that are imposed upon it;
- There is a backlog, and the regulator appears to be stretched in terms of its resources and how many cases it can process. The ICO is working through a large volume of cases, many of which do not yet relate to the post-DPA18/GDPR period. It would arguably make the most sense for the regulator to work mainly on the older cases first, as evidence becomes less available over time and limitation periods loom for individuals seeking to pursue follow-on compensation claims in the courts. The ICO may be taking a more systematic and chronological approach to its investigations and fines than some people may have assumed. Judging by the number of complaints about corporate data handling that it has received since the DPA18/GDPR came into force, there might be many more cases in the pipeline to which much higher potential fines can attach, once the ICO gets through processing all the pre-DPA18/GDPR cases it is still dealing with; and
- In terms of when the pipeline of cases governed by pre-DPA18/GDPR law may end, the Cathay Pacific monetary penalty notice by the ICO shows that the regulator could be near the end of this process. In the Cathay Pacific case, the last date on which there was unauthorised access to personal data was 11 May 2018, in other words only a couple of weeks before the DPA18/GDPR came into force in the UK. In terms of the timing of the breaches by Cathay Pacific, the company missed being fined for breaches occurring when the DPA18 and GDPR were in force by a whisker.
If rumours are correct that the ICO intends to pursue its intended fines against British Airways and Marriott this month, or next, and if the regulator is reaching the end of a backlog of cases where the applicable law pre-dates the DPA18/GDPR, we could see the value of regulatory fines rise significantly in 2020.