GDPR 新动向 | 数据保护合规风险正在上升

DO
DeHeng Law Offices

Contributor

DeHeng Law Offices logo
DeHeng Law Offices is one of the leading law firms providing comprehensive legal services. It was founded in 1993 as China Law Office and was renamed in 1995 as DeHeng Law Offices, reflecting the firm's evolution from an institution of the Ministry of Justice to rapid emergence as an independent, private law firm with 37 domestic and foreign branches and over 2,500 legal service professionals.
2019年1月,谷歌因未履行GDPR规定义务,被法国监管机构国家信息与自由委员会(CNIL)处以5000万欧元罚款。7月8日,英国信息专员办公室ICO因数据泄露事ߥ
China Privacy

2019年1月,谷歌因未履行GDPR规定义务,被法国监管机构国家信息与自由委员会(CNIL)处以5000万欧元罚款。7月8日,英国信息专员办公室ICO因数据泄露事件,对英国航空公司处以2.04亿欧元的罚款处罚。7月9日,国际知名酒店万豪集团因泄露客户信息,将面临ICO1.11欧元罚款......数据合规进程任重而道远。

NON-COMPLIANCE RISKS ARE RISING

On 21 January 2019, the French data protection authority, CNIL, imposed a fine on Google of €50 million for various breaches of the GDPR, and the first fine imposed by CNIL.This was to biggest fine to-date by far imposed by any DPA pursuant to the GDPR.  

In early June, at DeHeng GDPR seminars in Beijing and Shanghai, I predicted that the risks of non-compliance with GDPR would rise rapidly before the end of this year.  I suggested that by year-end, the €50 million fine imposed on Google in January this year might seem rather low.  We do not need to wait until the end of this year for things to get more complicated for infringers.

As for Google, it is now facing a consumer class action in France for its GDPR infringement found in January by the French data protection authority, the CNIL.  As you will recall, the CNIL found that Google browser users were not given a sufficient opportunity to provide an informed and unambiguous consent to Google's privacy policy.  This could raise Google's total exposure for that GDPR infringement to well over the initial €50 million fine.  

Two days ago, the UK data protection authority, the ICO, announced that it will fine British Airways under GDPR a total of €204 million for a data breach involving some 500,000 BA customers.  The ICO found that BA's data security system was legally insufficient for the purposes of the GDPR.  More specifically, the ICO found that BA had failed to protect customers' names, addresses, email addresses, credit card information and log-in passwords. 

For data breaches under Article 32 of the GDPR, BA could have been fined a maximum of 2% of its global group turnover, or a total of €280 million.  

As you will see, the ICO's fine on BA was close to the ceiling allowed under GDPR.  This is a very disturbing development because it suggests that fines will rise much higher.  For infringements other than data breaches, such as the failure to obtain the informed consent of an individual to the processing of his data, the maximum fine is 4% of the company's global group turnover. Clearly, if the national data protection authorities are now considering the imposition of the maximum fine (unlike what happened to Google in January), companies much larger than BA could be in for some very serious pain if  they are the target of a GDPR investigation. 

As for BA, the ICO fine is just the beginning.  BA will now face any number of follow-on collective lawsuits by customer groups.  

And then yesterday, the ICO announced that it will fine Marriott a total of €111 million for a massive breach of its data security involving customers.  

Obviously, the stakes are rising fast for companies.  As I explained in early June, Chinese companies exposed to GDPR who continue to be indecisive about compliance are doing so at their peril.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More