NON-COMPLIANCE RISKS ARE RISING
On 21 January 2019, the French data protection authority, CNIL, imposed a fine on Google of €50 million for various breaches of the GDPR, and the first fine imposed by CNIL.This was to biggest fine to-date by far imposed by any DPA pursuant to the GDPR.
In early June, at DeHeng GDPR seminars in Beijing and Shanghai, I predicted that the risks of non-compliance with GDPR would rise rapidly before the end of this year. I suggested that by year-end, the €50 million fine imposed on Google in January this year might seem rather low. We do not need to wait until the end of this year for things to get more complicated for infringers.
Two days ago, the UK data protection authority, the ICO, announced that it will fine British Airways under GDPR a total of €204 million for a data breach involving some 500,000 BA customers. The ICO found that BA's data security system was legally insufficient for the purposes of the GDPR. More specifically, the ICO found that BA had failed to protect customers' names, addresses, email addresses, credit card information and log-in passwords.
For data breaches under Article 32 of the GDPR, BA could have been fined a maximum of 2% of its global group turnover, or a total of €280 million.
As you will see, the ICO's fine on BA was close to the ceiling allowed under GDPR. This is a very disturbing development because it suggests that fines will rise much higher. For infringements other than data breaches, such as the failure to obtain the informed consent of an individual to the processing of his data, the maximum fine is 4% of the company's global group turnover. Clearly, if the national data protection authorities are now considering the imposition of the maximum fine (unlike what happened to Google in January), companies much larger than BA could be in for some very serious pain if they are the target of a GDPR investigation.
As for BA, the ICO fine is just the beginning. BA will now face any number of follow-on collective lawsuits by customer groups.
And then yesterday, the ICO announced that it will fine Marriott a total of €111 million for a massive breach of its data security involving customers.
Obviously, the stakes are rising fast for companies. As I explained in early June, Chinese companies exposed to GDPR who continue to be indecisive about compliance are doing so at their peril.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.