ICO Fines: Analysis of issues Part 2
Following on from our Part 1 discussion of this years' ICO Fines, we begin with their common themes.
There are many more areas of similarity than difference between the MPNs in these cases. One thing which is instantly apparent to those who have been reading MPNs for many years is the sheer length of the documents that the ICO has produced, and the depth of critical analysis, which in many ways is superior to the pre-GDPR form. Here are some of the more pertinent similarities:
- All MPNs focused on the primary infringements arising from Article 5 (1) (f) and 32 GDPR, finding in each case that this long-standing but somewhat amorphous security standard was not achieved. All ancillary breach allegations were dropped, often with inadequate explanation. For example, issues regarding late reporting by Marriott and Ticketmaster were let go, as were allegations regarding failure to comply with Article 25 GDPR.
- All 3 controllers were found by the ICO to be negligent regarding the various breaches that occurred. Each one had some underlying factor of IT security embarrassment, perhaps most notably BA whose system insecurities could have, at least in part, been resolved by deploying Microsoft standard updates.
- BA and Marriott received exactly the same percentage discounts for mitigation steps, but no explanation is provided as to why they are identical. They each received exactly 20% reductions.
- BA and Marriott also received an identical reduction of £4m each in consideration of Covid-19 trading issues. Ticketmaster by comparison received just £250,000 reduction for Covid-19 related issues.
- All of the breaches involved to some extent vulnerabilities created by third parties connected to the controllers, proving the maxim that security is only as good as the weakest link.
- The starting point for the penalty calculation with Ticketmaster appears objectively more realistic than that with BA and Marriott. The likely explanation for this is, in part, that the DIP does not appear to have been applied to Ticketmaster either in part or at all. The reasons for this are unclear, but the following seem relevant: (1) by the time the Commissioner had issued the Ticketmaster NOI, it had received the hefty criticisms from BA and Marriott about the DIP and perhaps had time to reflect on its use and (2) the Ticketmaster MPN makes a passing reference to the fact that Ticketmaster was making a substantial post-tax loss, which was not the case with BA or Marriott (but which is arguably irrelevant when one considers that penalty values are connected to turnover, not profit).
- One of the key differences between BA and Ticketmaster was the sheer number of data subjects affected. The total number of affected data subjects for Ticketmaster was 9.4 million whereas only 429,612 customers were affected, making it very hard to justify such a drastically different assessment of the initial NOI values;
- The BA incident involved a superfast response to shut down the incident; the Marriott and Ticketmaster responses did not. This point does not appear to have been determinative and for both Marriott and Ticketmaster, the ICO seems to take very lenient view of what “awareness” means in the context of Article 33 GDPR, something which is useful to professional advisors when it comes to assessing time frames for reporting.
So Why Did The BA and Marriott Fines Come Down So Much?
The first point to note here is that, when it comes to penalty levels, BA and Marriott were given significantly different starting points to Ticketmaster. But why, given the overlap in the incidents?
"The gaping hole in the BA and Marriott MPNs is the ICO’s failure to explain why it disapplied the DIP."
If the DIP was reliable as a starting point, then it surely makes at least as much sense to seek to apply it either in practice or in principle, and to defend that decision. The ICO seems, again and again, to acknowledge the use of the DIP when calculating both BA and Marriott fines in the run up to July 2019, but unable to explain why it was so easily set aside in the face of counter-argument. Take the following paragraph from the BA MPN:
“The Commissioner remains of the view that the controller’s turnover is a relevant consideration in determining the appropriate level of penalty. However, before issuing the draft decision to BA, the Commissioner agreed that the DIP should not be used in the present case”
What is then sorely lacking in this paragraph, and every other paragraph where references are made to the DIP, is a sentence that begins with “This decision was reached because…”
Consider also this passage from the Marriott MPN:
“The Commissioner does not seek to use the £99.2m original figure as proposed in the NOI as a ‘reference point’ for…present penalty. Rather, the Commissioner carried out a fresh calculation exercise having regard to the factors listed under Article 83 of the GDPR and the RAP”.
Once again, the sentence so noticeably absent, is the one which begins after that quoted above with “The Commissioner’s reasons for doing this are…”
It of course leaves a data protection practitioner to observe that the unspoken reason is rather simple: the Commissioner was wrong to rely on the DIP and doesn’t want to say so.
The likely error was that she relied entirely or predominately on that DIP rather than taking all factors into account equally per the 5 steps of the RAP. The primary objection to the DIP is that it was an unpublished policy the use of which was unfair and contrary to the ICO’s duty as a public regulator, and that the DIP set out various turnover bands which should be the starting point for calculating fines.
The exact thresholds of those bands remains a mystery. This then, it would seem, is the origin of such outlandish initial penalties in the NOIs for BA and Marriott: the ICO simply applied a secretive and unpublished policy which was not finished yet (quite literally, the title is draft internal procedure) and then failed to justify its use as a reliable starting point for calculating fine values in the face of stern opposition, choosing instead to simply start again.
Undoubtedly the detailed representations from BA and Marriott would have had the effect of reducing whatever the original NOI values were, but it cannot be the case that all other factors would result in circa 90% reductions in both cases.
"What is far more likely is that the ICO, whether through bad judgment or over-excitement (or both) applied an unfinished policy relying heavily on the turnover values of both businesses as the starting point for fine values."
When in reality it should have taken a holistic approach more consistent with the 5 steps set out in the RAP. As outlined above, when it came to the full MPNs for BA and Marriott, the ICO started at far more conservative fine values and then still worked down from there.
Finally, there is the broader analysis of penalty activity in other territories. BA made a lot of the fact that other EU supervisory authorities were not levelling fines anywhere near the original NOI values, and both BA and Marriott deployed the (at best, optimistic) argument that the ICO should stick to some form of regulatory precedent and treat them both as they would have been had their cases fallen under the old 1998 Act.
While the latter argument quite rightly fell at the first hurdle, the former argument does appear to have been successful in part, not least because the GDPR was designed to create a harmonised regime. The ICO states that “In principle, equivalent breaches should attract equivalent penalties. But in practice each case will turn on its own particular facts” reminding us all that predicting penalty values is a rather imprecise skill notwithstanding the ICO’s vacillations with BA and Marriott.
There is of course the fact that the NOIs were published at a point in time when there were relatively few comparators. At several points in the BA and Marriott MPNs the ICO alludes to the fact that they are “…the first major decisions made under the new EU data protection regime” and by inference: we’re finding our way here, too.
Other Points of Interest
Other than singularly failing to explain why it decided to disapply the DIP having sought and found significant publicity for the BA and Marriott proposed penalty values, there are other very interesting secondary points to note from the MPNs.
What is immediately apparent to the author is that the BA MPN contains significant and lavish redaction. This does not detract from the MPN, but at times feels excessive and is clearly distinguishable from the Marriott and Ticketmaster MPNs which have very little redaction at all. Somewhat interestingly, the only redactions in the Marriott MPN appear to have been fudged slightly by the ICO, because the footnotes from the redacted section remain in the published version, allowing the reader to learn that the ICO and Marriott were trying to conceal that they were arguing about whether the attacker could have run a particular script millions of times, something which the stray footnote tells us the ICO was prepared to overlook in point but not in principle.
- Each MPN contains rather embarrassing incidents of the businesses deploying policies which they then failed to honour. Take, for example, Ticketmaster’s security vetting procedure which should in theory be deployed with all external suppliers – it was not properly followed with its third party software provider, Ingenta. They serve as useful reminders that one should honour the standards set in internal policies.
- Equally, the contracts in these decisions come in for reasonable criticism. In particular the contract between Ticketmaster and Ingenta, received a lot of attention. Ticketmaster sought to argue that general duties in that contract to ensure no malware is present were enough to mean that the breach was not its fault. The ICO made short shrift of this. The contract was nowhere near specific enough to pass responsibility to Ingenta and, in any event, while Ingenta was not squeaky clean, Ticketmaster was the controller and Ticketmaster was ultimately responsible for the security of the personal data in question.
- When it comes to making contact with affected data subjects per Article 34 GDPR, if you have the email addresses of the said data subjects then email them directly. Marriott attempted to argue that its massive publicity awareness after the event was somehow an adequate method of communicating to a large number under Article 34 (3) GDPR. This, unsurprisingly, was shot down by the ICO who reminded Marriott that where you have the email addresses for the affected pool of data subjects, there is no excuse not to email them.
What we now know is that, in all likelihood, the original NOIs for BA and Marriott were drastically miscalculated. Far too much weight was placed on the DIP, which in turn relied on a measure of turnover of each business as the starting point for the penalty without considering all of the circumstances at hand.
Turnover must be a factor in calculating penalty values, but it is simply one of many. The reasons for the dramatic climb down have never been properly explained by the Commissioner who, let’s face it, has had rather a lot of other issues to deal with. Even so, the Commissioner should acknowledge these issues and come clean in the interests of transparency. It now seems that the ICO has reached a more settled position when calculating penalties in the short term and (perhaps more importantly) seems to have ditched the ill-fated DIP, for now at least.
Several low profile breaches in 2020 have received much lower values and less attention.
"The really interesting question is what action will the ICO take with the next high profile, big corporate breach?"
And in a regulatory regime where 4% of worldwide turnover fines were hardwired into the source regulation, would it be wrong for regulators to fail to use those powers which were so clearly given to them to create a change in the behaviour of markets and businesses when it comes to the rights of citizens? Will the ICO once ever levy a penalty in excess of £100m?
This is a question which seems even more poignant in the month when the first €100m fine was levied (CNIL, against Google of course). If the story of ICO penalties under the GDPR could be compared to the Harry Potter novel series, it seems as though we are still in the open chapters of the first book and Harry is still learning to figure out how to use his new powers in Privet Drive.
Continuing this odd closing metaphor, will the protagonist ever realise the great power with which it has been ordained? Will the data breaches that this decade inevitably has in store see the ICO start to show its teeth?
We will find out…
Get in touch
For more information on this update, or any data protection related matters, please contact Matthew Holman.
 Article 25 relates to data protection by design and default.
 Para 7.62 of BA MPN
 Para 7.67 of Marriott MPN.
 Para 7.119 of Marriott MPN.
 Para 5.9 of Marriott MPN
 See Marriott MPN at page 40.
 See Ticketmaster MPN para 6.22.2
This article was first publish by Thomson Reuters Practical Law on 18 December 2020 here.