Protecting the Public or Protecting Big Business?… The recent downgrading of fines by the UK ICO for British Airways and Marriott raises some questions.
Let’s face it: During the second half of October 2020, we probably came across the first major milestone since GDPR came into force on 25th May 2018: The downgrading by the UK ICO of the fines it had proposed in the summer of 2019 in relation to the 2018 data breaches at British Airways and Marriott.
The UK regulator probably intended to showcase its business acumen and its understanding of the situation those industries are going through with the COVID crisis, but in practice, it is likely to be seen over time as a sign of weakness, and it definitely sets a precedent.
And we must not overlook the size of the “rebate”, which – interestingly – is not even mentioned in the press releases from the ICO we have come across: From proposed fines of £183m for BA and £99m for Marriott, down towards the £20m mark for each of them… quite a substantial drop…
Right from the start in 2016-2017, it was obvious that the role the regulators decide to take with regards to GDPR, and their appetite for enforcement will be key in determining the way the regulation is seen by businesses.
After all, quite a lot of the GDPR content was already embedded in pre-existing legislations and had been for over 20 years (and much longer in many European countries, with France for example having enacted its first laws on the matter in 1978).
Of course, over that period, technology had changed dramatically and with it, the ability of firms to collect and process personal data.
The absence of strong regulatory powers under the pre-existing legislations inherited from the directive 95/46/EC had relegated data protection and privacy compliance to legal backrooms, and there is no doubt that it was necessary to redress that.
If we go back to basics, regulation exists as a market force, to repair an imbalance between market players and in particular, to address situations where one player is abusing of a dominant position (clearly the case with personal data in many industries).
The primary role of the regulator is not to educate market players; it is to maintain market equilibrium through the exercise of their powers.
So the main thing which stood out with GDPR was their new ability to impose fines up to 2% and 4% of global turnover, and it is on that basis that most of the storytelling around GDPR was developed by tech vendors and consultants in the run up to 25th May 2018.
This is understandable: If you are a global leader in your field turning over 50bn a year with a massive exposure to B2C markets, potential fines up to 2bn will register on the radar of your CFO. And proportionally, similar ratios may be even more scary for smaller firms which may not be as cash rich.
This is the basis on which very significant programmes of work were built to drive GDPR compliance, to the tune of tens of millions in many large firms.
The cold reality is that, so far, no fine – across Europe – has been anywhere near those levels.
Actually, the 2 data breach surveys released by law firm DLA Piper in February 2019 and January 2020 paint a very different picture: Over the first 20 months of GDPR up to January 2020, approximately 160,000 data breaches had been reported to regulators across the EU and the total amount of fines imposed was in the region of EUR 114m, including the one-off fine of EUR 50m imposed by the French regulator on Google… Remove it from the total and you get a sense of the real situation: The regulators have simply not yet settled in their new roles, probably constrained by resources and skills and also maybe, by political pressure.
This is why the 2 large fines proposed by the UK ICO for British Airways (£183M) and Marriott (£99M) in the summer of 2019 were always going to be significant – as the two largest ever proposed – and their downgrading is turning them into landmark cases, irrespective of the reasoning invoked.
This cannot help the acceptance of privacy regulation and data protection into mainstream business practice: Senior executives, who would have consented to very significant investments around data protection in the past few years to prevent regulatory intervention, might now question that advice, and this is definitely something the regulators must start to consider.
It is obvious that the regulators are in a delicate situation and that they will be criticised whatever they do – whether they take a softer line or a harder line (and the economic meltdown induced by the COVID crisis is accentuating those matters even further).
But, irrespective of those considerations, the time is coming when they will have to act decisively to protect their own credibility and the credibility of any future data privacy regulation. Whether they like it or not, their dithering over BA and Marriott sets a precedent. Should the proposed class-action against Marriott be successful, they might find themselves even more isolated – and irrelevant in their role to protect the citizens.
Let’s not forget in conclusion, that those 2 breaches were very significant breaches where hundreds of millions of personal records were potentially compromised: Personal data entrusted by real people to the care of 2 world-leading organisations which would have had information security and privacy practices in place for decades and would have spent collectively hundreds of millions on those matters over those years. They should have been in a better shape and those breaches should not have happened. Period.
Whatever they do next, the regulators must not lose sight of that: They also exist to protect the public.