Now that the GDPR has been in force for nearly two years, the UK’s Information Commissioner’s Office (“ICO”), along with a number of other EU supervisory authorities, has begun to issue fines to infringing data controllers and processors for failure to adequately act upon their personal data breach notification obligations and protect personal data they handle.
In evaluating the enforcement of data breaches to date, this blog will first consider how the competent supervisory authority is determined, as well as how it investigates and decides on a data breach. We will reflect on the ICO’s role during and after the Brexit transition period, following which we will consider how fines for data breaches have been calculated in the UK. We will also briefly compare the UK approach to the German model.
How is the competent supervisory authority determined?
Assuming the organisation is established in the EU, the key point to consider is whether the breach occurred in the context of cross-border processing of personal data.
If this answer is no, then the competent supervisory authority is the authority of the country where the controller whose processing was affected by the breach is established. For example, if the employee database of a London-based company suffered a malware attack and data was exfiltrated by the malicious perpetrator, then the ICO would be the competent authority. In exceptional cases, other supervisory authorities may potentially (also) be competent; for example, where the processing involves data of individuals from a single EU Member State other than that of the controller, the supervisory authority of that other EU Member State would also be competent.
The recent headline cases, including that of global airline British Airways, reinforce the idea that data breaches are often multi-jurisdictional. A data breach arising out of cross-border processing could occur in two situations (Article 4.23 of the GDPR):
- where a breach impacts the processing of establishments in several countries (for example, a ransomware attack on a pan-European group of companies); or
- where a breach affects individuals in multiple countries (for example, an online payments company’s servers being hacked, leading to financial data of residents of several EU countries being affected).
In this situation, the competent authority to investigate the breach is the ‘Lead authority’, which according to Art 56.1 of the GDPR is the authority of the ‘main establishment’[1] or of the single establishment of the controller. The lead supervisory authority will investigate and propose a draft decision regarding the data breach.
The lead authority has to cooperate with supervisory authorities concerned in the decision-making process in order to reach consensus. This mechanism is usually known as the ‘One-stop-shop’. Concerned supervisory authorities include those that are based in EU countries:
- where other establishments suffering the breach are located;
- where individuals substantially affected/likely to be substantially affected by the breach reside; or
- where the complaint has been lodged.
For example, in the British Airways case, where personal data of approximately 500,000 customers (likely including residents of multiple Member States) were compromised in the incident, the ICO has been investigating this case as lead supervisory authority on behalf of other EU Member State data protection authorities.
Concerned supervisory authorities may express objections to the draft decision. If the lead supervisory authority does not follow the objections or does not believe the objections are relevant or reasoned, it must submit the matter to the consistency mechanism for dispute resolution by the European Data Protection Board (“EDPB”). In this case, the EDPB will make a common binding opinion on the matter after a vote.
However, in some cross-border cases, there is no lead authority. Even if the data breach is cross-border insofar as it impacted the processing carried out by establishments in several EU Member States, none of the establishments may qualify as the ‘main establishment’ as set forth in Article 4.16 of the GDPR. In such cases, all authorities of the countries impacted by the breach can be competent pursuant to Articles 55 and 58 of the GDPR. Organisations with no lead authority in the EU will not be able to make use of the ‘One-stop-shop’ mechanism.
Will the ICO’s competence as a lead authority change in the Brexit transition period and beyond?
The ICO will maintain the lead for current cases until the end of the transition period. For cases initiated between 31 January 2020 and the end of the transition period, it will become the lead authority or supervisory authority concerned, in accordance with the GDPR. The ICO has recently confirmed this in its updated Brexit FAQs.
The ICO also states that it “will engage in the co-operation and consistency mechanism under GDPR.” That being said, as of 31 January 2020, the ICO no longer carries a member vote in the EDPB decision-making processes related to disputes regarding data breach enforcement. This follows Articles 70 and 71 of the Withdrawal Agreement, which provide that the GDPR applies in the UK in respect of the processing of personal data of data subjects outside the UK, with the exclusion of Chapter VII of the GDPR, which sets forth the rules for the cooperation and consistency mechanisms.
The ICO will be able to participate in EDPB meetings and mechanisms by invitation only, potentially as an observer. This may occur if the EDPB meetings discuss issues that directly affect UK data subjects, and where the ICO’s presence would be deemed beneficial. With regard to cross-border data breaches, this means that during the transition period, cases where the ICO was lead authority may be impacted by EDPB decisions, absent the ICO’s vote.
In respect of EU personal data collected by UK organisations during the transition period, the UK will continue applying GDPR rules. A different arrangement for the post-transition period may be agreed in negotiations between the UK and the EU. These negotiations will also determine the UK’s and the ICO’s relationship with the EU after the transition period. Regardless of their outcome, UK organisations established in the EU or offering goods and/or services to EU residents will still have to comply with the GDPR rules and be subject to enforcement by EU supervisory authorities, independently of the ICO, due to the GDPR’s broad extraterritorial application.
How have fines for data breaches been calculated so far?
In response to data breaches, supervisory authorities have a number of corrective measures at their disposal, such as warnings, reprimands, or a temporary or definitive limitation, including a ban on processing (Article 58.2 of the GDPR). However, the most feared enforcement action has been the imposition of administrative fines.
Depending on which obligations under the GDPR are breached, companies can face fines (Article 83 of the GDPR):
- of up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year (for example, for not implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risk; or not notifying the breach to the supervisory authority when required (Article 83.4a of the GDPR)); and
- of up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (for example, for not complying with the data protection principles set out in Article 5 (Article 83.5a of the GDPR)).
The fine is calculated based on the meaning of an ‘undertaking’ as understood under EU competition law. All legal entities engaged in an economic activity, which form an economic unit, such as a group of companies (i.e. a parent company and all involved subsidiaries) will be caught when calculating the fines. This application can be illustrated by the French supervisory authority’s (“CNIL”) imposition of a €50 million fine on Google LLC. CNIL considered the group turnover of Google LLC which included its 70 offices in fifty countries rather than the turnover of its French subsidiary Google France SARL.
In determining how substantial a fine ought to be, the supervisory authority must consider the criteria set out in Article 83 of the GDPR. In the ICO’s first (and to date, only) GDPR fine in December 2019 against London-based pharmacy Doorstep Dispensaree, it considered factors set out in the GDPR including the following:
- the nature, gravity and duration of the infringement;
- any action taken by the controller or processor to cooperate with the supervisory authority and to mitigate the damage suffered by data subjects; and
- the degree of responsibility of the controller or processor taking into account technical and organisational security measures implemented by them.
In addition, in the last pre-GDPR penalty notice issued by the ICO to DSG Retail Limited, the ICO outlined a list of aggravating and mitigating factors that it would consider in enforcement proceedings. Of note, aggravating factors included how passive the party was in monitoring/detecting the security breach, whilst mitigating factors included how committed the party was to subsequently improve its internal processes to avoid future breaches.
In contrast to the UK, the Conference of the German Data Protection Authorities (“DSK”) has taken a different approach, which is not currently binding for cross-border cases. In essence, DSK’s fining guidelines calculate the fine by first calculating a daily rate based on the annual turnover of the undertaking, and subsequently multiplying this rate by a factor that depends on the severity of the infringement. Although DSK’s model is relatively helpful in providing transparency on the calculation of fines in Germany, it remains to be seen whether the ceiling-first approach to fines will be found compatible with Article 83 of the GDPR.
Given the intention of harmonisation across the EU, it will be interesting to see if the EDPB issues any updates to the Article 29 Working Party guidelines on the application and setting of administrative fines (October 2017).
Conclusions
Firstly, we would like to underline the importance of having a lead authority, in particular for multi-national companies, or companies which process the data of data subjects across the EU Member States. There are clear logistical and financial benefits to being able to engage with a single lead authority in the event of a cross-border personal data breach investigation. In addition to benefiting from a single point of contact, it offers a significant relief from being investigated by multiple supervisory authorities independently. Such parallel investigations may result in increased costs related to legal, human and often financial resources for the company.
Before the end of the Brexit transition period, those companies which currently have their main establishment in the UK may wish to reassess the location of their lead authority to one of the continental EU member states. This is because, save for a special arrangement which may still be agreed with the EU, the UK will be considered a third country for the purposes of the GDPR after the end of the transition period. Doing so will enable these companies to access the logistical and financial benefits discussed above. However, it is worth noting that such a reorganisation may incur costs for the company, associated with business functions/personnel/infrastructure allocation, which should equally be considered.
Lastly, we would like to highlight the importance of companies taking note of the various aggravating and mitigating factors that supervisory authorities have considered prior to issuing corrective measures following a personal data breach. In particular, companies should:
- cooperate with the authorities post-breach;
- implement technical and organisational measures to avoid and minimise future data breaches; and
- establish processes and staff training to deal with data breaches efficiently and in line with the GDPR.
SPB will continue monitoring current practices and trends in relation to personal data breaches.
[1] Within the meaning of Article 4.16 of the GDPR.