Lessons from the ICO’s decisions to reduce the BA and Marriott GDPR fines

Following swiftly on from its decision to fine British Airways (BA) £20m, the UK’s Information Commissioner’s Office (ICO) has now announced that it will fine Marriott International Inc. (Marriot) £18.4m for its breaches of GDPR. Whilst this is still a substantial fine, in common with the BA decision, it is significantly lower than the amount the ICO had originally proposed to fine Marriott.

With respect to BA, the ICO proposed a fine of £189.39m in July 2019, representing just under 1.5% of BA’s global turnover. For Marriott, the ICO’s proposed fine also in July 2019 was £99.2m, around 3.5% of the group’s turnover. The final £20m fine for BA represented a reduction of around 90% and is less than 0.2% of BA’s global revenues, and for Marriott it was a reduction of around 80% representing approximately 0.6% of Marriott’s global revenues.

Both fines fall well below the maximum amount the ICO could impose under GDPR and there has been some speculation Covid-19 may have been a reason for this. Whilst some element of reduction can be attributed to the economic impact of Covid-19, this is not the only factor which contributed to the reductions.

It will be of great interest to other organisations which have suffered data breaches, to understand whether the ICO simply miscalculated or made a mistake in its initial proposed fines, or whether there were other factors and lessons which can be learned about the ICO’s likely approach to the calculation of future fines. It is also likely to be of interest to investors considering valuations for businesses which have already suffered, or are at risk of, cyber attacks.

The basis for calculation of fines

The ICO issued the fines for infringement of GDPR using its powers under the Data Protection Act 2018 (DPA) and acted as lead supervisory authority on behalf of other EU Member State data protection authorities. Article 60 GDPR requires the lead supervisory authority to cooperate with other supervisory authorities in an endeavour to reach consensus.

Under the GDPR, an organisation can be fined up to 20m euros or 4% of its global turnover for the previous year, whichever is the higher. In considering whether to impose a penalty, and in calculating the amount of the penalty, the ICO has regard to the matters listed in Articles 83(1) and (2) GDPR and applies the five-step approach set out in the ICO’s Regulatory Action Policy (RAP). More recently the ICO has also published its regulatory approach to the Covid-19 pandemic.

According to the RAP, the ICO’s aim in issuing penalties is that they should be both an appropriate sanction for a breach of the legislation and an effective deterrent to others. Penalties are reserved for the most serious cases which will typically involve wilful, deliberate or negligent acts, or repeated breaches. It is more likely that the ICO will impose a penalty where (a) a number of individuals are affected; (b) there has been a degree of damage or harm (which may include distress and/or embarrassment); and/or (c) there has been a failure to apply reasonable measures (including relating to privacy by design) to mitigate any breach or the possibility of it. Each of these features was clearly present in the BA and Marriott cases.

5 Step Test

Where the ICO has discretion to set the amount of any penalty, it will do so by applying a 5-step mechanism which is described in the RAP. Details of how the ICO applied the 5 Step Test in connection with the BA and Marriott breaches are set out below.

Regulatory approach to Covid-19 pandemic impact

In response to the economic impact of Covid-19, the ICO has explained that, whilst organisations are still expected to comply with their legal obligations, before issuing fines it will take into account the economic impact and affordability of the fines for the organisation and in the current circumstances, this is likely to continue to mean that the level of fines will be reduced. The ICO applies the Covid-19 impact assessment after it has completed its 5-step assessment.

Representations made to ICO

As part of the lengthy process to investigate each of the breaches and arrive at the final penalties, the ICO considered extensive representations made by each of BA and Marriott.

Unlawful application of ICO’s Draft Internal Procedure

Both BA and Marriott alleged that the ICO had misapplied its powers under the GDPR and had unlawfully applied its RAP, including by reference to an unpublished draft internal procedure for calculating proposed penalties using turnover bands as a supplement to the RAP.

The ICO conceded that the draft internal procedure, which had been developed as a tool to assist decision-makers in applying Article 83 GDPR and the RAP, should not be applied as a “reference point” for the penalties and that it would apply only Article 83 GDPR, Section 155 DPA and the RAP.

The organisations also contested that turnover should not be used as a core metric in cases where the organisation had not benefited from the breach. However, the ICO remained firmly of the view that an organisation’s turnover remained a relevant consideration and that this was consistent with the approach taken to penalties in the GDPR. The ICO explained that, whilst not the sole factor in determining the penalty, an organisation’s financial position remained one of several core quantification metrics to be applied in order to ensure that the penalty was effective, proportionate and dissuasive. The ICO drew a comparison with the competition law regime which also emphasises deterrence and takes turnover into account in penalties.

Comparison to other EU fines under GDPR

BA and Marriott both challenged the amount of the proposed fine by reference to various fines imposed by other EU supervisory authorities under GDPR. The organisations both argued that the difference in the higher level of fine imposed by the ICO was inconsistent with the stated aim of the GDPR to create a harmonised regime. The ICO dismissed this argument on the basis that each case must turn on its own particular facts, that the ICO is obliged to impose a penalty in its own judgement having regard to all matters listed in Article 83, and accordingly that simple comparisons of penalties imposed in different cases are not relevant. The ICO further explained that given the relatively new regime, and where there is limited public information available about the reasons for the decisions taken by the other authorities, it would be premature and unhelpful to rely on a survey of action taken by other supervisory authorities.

ICO’s calculation of the fines for BA and Marriott

5 Step Test

Step	BA	Marriott
1. An “initial element” removing any financial gain from the breach.	BA had not gained any financial benefit so there was no element of fine at Step 1.	Marriott had not gained any financial benefit so there was no element of fine at Step 1.
2. Adding in an element to censure the breach based on its scale and severity, taking into account the considerations identified at section 155(2)-(4) of the DPA.	There were serious failures for which BA was wholly responsible and which were of significant and serious concern. Whilst the attacker was a malicious third party, BA was negligent. An organisation such as BA should be aware that it is a target for criminal activity and take appropriate security measures. There were multiple measures BA could have taken to prevent or mitigate the attack and which would not have entailed excessive cost or technical barriers to adoption. BA did not actually detect the breach itself but was notified by a third party. The ICO was uncertain that BA would have actually identified the attack themselves had it not been brought to their attention. The ICO did take into account that BA had no relevant previous infringements, it had cooperated fully with the ICO and had acted promptly in notifying the ICO, the data subjects and other authorities of the attack.	Although the attack on Marriott spanned a four-year period, the infringements the ICO relied on occurred between 25 May 2018[1] and 17 September 2018. This was a significant period of time over which unauthorised access to personal data went undetected and/or unremedied. Whilst the infringement was not an intentional or deliberate act, Marriott was negligent in maintaining vulnerable systems. A company the size and profile of Marriott is expected to be aware that it is likely to be targeted by attackers and that any compromise of the information it processes may have significant consequences. Engagement of a third party security management specialist did not reduce Marriott’s responsibility. Compliance with PCI DSS standards on certain data of itself was insufficient as obligations under GDPR extend to all types of personal data. The ICO did take into account that Marriott had no relevant previous infringements, it had cooperated fully with the ICO and had acted promptly in notifying the ICO, the data subjects and other authorities of the attack.
Calculation after Step 2	£30m	£28m
3 - Adding in an element to reflect any aggravating factors.	There were no other aggravating factors so no further increase of the penalty was made.	There were no other aggravating factors so no further increase of the penalty was made.
4 - Adding in an amount for deterrent effect to others.	There were no widespread issues of poor practice that may be deterred by the imposition of a higher penalty.	There were no widespread issues of poor practice that may be deterred by the imposition of a higher penalty.
5 - Reducing the amount (save that in the initial element) to reflect any mitigating factors, including ability to pay (e.g. financial hardship).	The ICO reduced the fine by 20% of the baseline having taken into consideration the following mitigating factors: BA took immediate measures to mitigate and minimise damage suffered by data subjects by implementing remedial measures; BA promptly informed the affected data subjects, the ICO and other relevant law enforcement and regulatory agencies and cooperated fully with the ICO’s enquiries; Widespread media reporting of the attack is likely to have increased the awareness of other data controllers of the risks posed by cyber-attacks and of the need to take all appropriate measures to secure personal data; The attack and regulatory action has adversely affected BA’s brand and reputation and will have had some dissuasive effect on BA and other data controllers.	The ICO reduced the fine by 20% of the baseline having taken into consideration the following mitigating factors: Marriott had, prior to becoming aware of the attack, confirmed a new $19m security investment, and subsequently raised its IT security budget to over $100m for 2020; Marriott took immediate measures to mitigate and minimise damage suffered by data subjects by implementing remedial measures; Marriott cooperated fully with the ICO’s investigation including responding promptly to requests for information; The ICO noted a similar point to BA regarding widespread media reporting; The ICO noted a similar point to BA regarding the adverse impact on Marriott’s brand; Marriott acted promptly to mitigate the risk of damage suffered by data subjects, by way of technical remedies, password resets, disabling compromised accounts and implementing detection tools.
Calculation after Step 5	£24m	£22.4m
Application of Covid-19 Policy.	The ICO further reduced the penalty to £20m.	The ICO further reduced the penalty to £18.4m.

[1] When GDPR came into force.

Final conclusions

Whilst the impact of the ICO’s regulatory policy relating to the economic impact of Covid-19 has had an impact, this is much less than might have been anticipated, particularly given it is harder to imagine many industries more heavily affected than the airline and hospitality sectors. The fact that BA and Marriott both co-operated fully with the ICO and took prompt action to alert data subjects and mitigate the loss suffered had a larger overall impact on the scale of reduction.

However, it also seems clear that by far the largest reduction was achieved through the representations and challenges made by BA and Marriott, in particular their successful challenges to the ICO’s use of its draft internal procedure and the turnover bandings. Whilst the ICO did not acknowledge it to be the case, we might also speculate that it also took into account the substantially lower scale of fines imposed by other supervisory authorities and, whilst there was undoubtedly a large element of negligence by both organisations, there was no wilful intent nor any benefit gained by either organisation.

In summary there are some useful lessons we can take away from this.

The ICO has confirmed that it will not apply the turnover bands set out in its draft internal procedure but will apply each penalty on the applicable facts and the particular circumstances of the controller/processor.
An organisation’s turnover and financial status remain a key factor in determining the level of a fine but are not the only factor; the ICO will also take into account other metrics including the size, scale and impact of the breach and the need for penalties to be effective, proportionate and dissuasive.
Promptly notifying the ICO, cooperating fully with it, taking all reasonable steps to mitigate the losses of data subjects and committing to a continuing programme of IT security improvements are likely to lead to reductions in the level of fines.
The impact of Covid-19 will be a consideration for the amount of the fine, but this will be case-specific. At less than 15% of the baseline amount in the case of both BA and Marriott, this amounts to a fairly small reduction overall. Organisations less badly impacted by the pandemic are unlikely to gain substantial reductions in penalties and the ICO still expects all organisations to continue to invest in good cyber security and data protection practice.
Finally, mounting a robust challenge to an ICO enforcement notice or notice of intent seems to be very worthwhile, especially when there is the risk of a substantial fine.

Please see our previous blog The ICO strikes again: Marriott fined for GDPR breaches.

For any further information about the issues discussed in this note please contact Anne Todd, Senior Solicitor.

More information

Commercial, Brands, IP and IT