Data privacy infringements are starting to test the limits of the General Data Protection Regulation's maximum penalty of 4% of global annual revenue.
Until this week, Silicon Valley darlings were the major recipients of the GDPR's toughest fines.
Some fines handed down by regulators are well understood. Suffered a data breach? Expect a financial penalty. Sold data to a third party without authorization? Pay up.
But some fines made by GDPR regulators are more nuanced.
GDPR regulators calculate fines based on several conditions:
- What was the nature of the infringement, including how many consumers were impacted, how long the violation lasted, and the purpose of the data processing?
- Was the infringement intentional or negligent?
- What actions were taken following the incident, including steps to prevent a recurrence?
- Does the company have a history of data privacy infringements?
- What type of data was compromised or used?
- How cooperative was the company with regulators and other authorities following the incident?
"The expectation is not to be perfect," Odia Kagan, partner at Fox Rothschild LLP and chair of the GDPR Compliance and International Privacy Practice, told CIO Dive.
It is, rather, "to be able to demonstrate that you have the relevant protective measures and the process by which they will be implemented," she said.
What companies were fined
This week, the United Kingdom's data privacy regulator, the Information Commissioner's Office (ICO), announced its intent to fine British Airways $230 million (£183.39 million) and Marriott International $124 million (£99 million) for data breaches disclosed last year.
For more context on data breach fines, read our article outlining how GDPR impacted British Airways and Marriott International.
The companies' fines are still in the "intent to fine" stage of GDPR, which leaves a window of opportunity for the companies to bargain for a lower penalty. Detailed reasoning by the regulatory agencies will emerge when a final fine is settled.
While individual fines are determined by multiple factors, the clearest determinant is the nature of a company's infringement: was it intentional or negligent?
In other words, was the company breached, or did it willingly release users' data to third parties?
History of penalized GDPR infringements

Company | Type of Infringement | Fine
---|---|---
 | Intentional | $646,315
Equifax | Negligence | $646,315 (£500,000)
Uber | Negligence | $491,284
Uber | Negligence | $679,257
Google | Intentional | $57 million
British Airways | Negligence | $230 million (£183.39 million)
Marriott International | Negligence | $124 million (£99 million)
There is a noticeable difference in fines between the companies that committed negligent acts and those that committed intentional ones.
"The harm to consumers in these instances is largely based on the exposure of their data," regardless of how personal data is compromised, said Divya Gupta, partner at international law firm Dorsey & Whitney, in an email to CIO Dive.
Pending penalties
GDPR authorities have already taken action against companies for data privacy incidents that occurred before May 25, 2018, the date the regulation took effect.
While it may seem like retroactive penalization, if a company is still storing the data in question, that storage falls under GDPR's definition of "processing."
There is a provision of GDPR that covers the processing of personal data after May 25, 2018, according to Kagan, and most companies are still handling the data that was compromised.
Though Equifax's breach occurred and was disclosed in 2017, the ICO fined Equifax $658,000 (£500,000) in September of last year.
Equifax escaped GDPR, but the ICO was still able to fine the credit firm under the civil monetary penalty regime of the legislation in force at the time of the breach, the Data Protection Act 1998, according to the ICO's announcement.
The maximum monetary penalty under the 1998 act was £500,000; had GDPR applied, Equifax would have faced the 4% rule instead.
By January, GDPR started catching up to infringements in real time. The French watchdog, the Commission Nationale de l'Informatique et des Libertés (CNIL), handed Google the first "game changing" fine of the GDPR era, about $57 million (€50 million).
There are other fines yet to be handed out from other regulatory bodies. In May, Ireland's Data Protection Commissioner opened an investigation into Google's data practices.
"The purpose of the inquiry is to establish whether processing of personal data carried out at each stage of an advertising transaction," abides by GDPR's expectations, according to the announcement. "The GDPR principles of transparency and data minimization, as well as Google's retention practices, will also be examined."
Where do the fines stop?
Having multiple watchdogs across the European Union adds another layer of complexity to GDPR's reach and ramifications. Whether a company risks paying repeated fines depends on whether a data privacy authority applies the "one-stop-shop" mechanism (1SS), according to Kagan.
Under the 1SS mechanism, a company only has to answer to one regulatory body.
The mechanism was put in place specifically for entities, like Google, that have establishments in more than one EU member state. It provides that the watchdog in the country of the company's "main establishment" acts as the lead supervisory authority.
However, if 1SS is unavailable, "one company can be fined by different authorities for different aspects of what is essentially the same breach that was carried out across borders," said Kagan.
Though Google's fine from the CNIL concerned its data handling practices rather than a breach, the CNIL's decision not to apply the 1SS mechanism rested on similar reasoning. Google now has to face Ireland, and potentially other EU regulators, separately.
"Privacy is deemed a fundamental human right and they are taking enforcement seriously" in the EU, said Gupta. "We expect to see similar, if not greater, liability for companies that violate the upcoming [California Consumer Privacy Act]."