ICO Fines: Analysis of issues Part 1
This year the Information Commissioner’s Office (the “ICO”) has issued a number of penalty notices and fines to controllers found to be in breach of Article 5(1)(f) and Article 32 GDPR.
These have included a fine of £20 million issued to British Airways plc (“BA”) (reduced from over £183 million), a fine of £18.4 million to the hotel chain Marriott International Inc (“Marriott”) (reduced from £99.2 million) and a fine of £1.25 million to the online ticket retailer Ticketmaster UK Limited (“Ticketmaster”). This article will: explore and analyse the ICO’s findings in these cases; identify areas of difference and common themes between the findings; and seek to answer that rather thorny question: why did the ICO reduce the BA and Marriott fines by about 90%? Did it just get its initial figures wrong?
In an open letter in September this year, the Information Commissioner confirmed that her tenure will reach its end in July 2021. One cannot help but observe that it has been a truly jam-packed five years. One of the very notable episodes of her time in office (perhaps eclipsed only by the seismic arrival of the GDPR itself and the genuinely impressive work of Operation Cederberg) will be her office’s handling of the data breaches affecting BA and Marriott, and perhaps the difficult lingering questions connected to the ICO’s original treatment of BA and Marriott and its subsequent, rather significant, downward step to fines much diminished.
Before we start unpacking the reasons for the ICO’s climb-down, let us look very briefly at facts of each of the 3 cases. For the uninitiated, you should know that the Commissioner must provide a business with a notice of intent to fine (“NOI”) which, as its title suggests, is the prelude to the main event. It is merely an indication of the ICO’s initial findings and proposed penalty values. The controller receiving the NOI is then given a window of time to file representations with the ICO challenging the NOI, which the ICO must consider before it issues a monetary penalty notice (“MPN”) which contains the final penalty calculation.
The BA attack occurred between 22 June 2018 and 5 September 2018. An unidentified malicious actor accessed the BA Citrix platform using compromised details obtained from a third party supplier’s employee based in Trinidad and Tobago.
"The total number of affected data subjects was 429,612."
Remarkably, once BA found out what was going on, it took less than 100 minutes to respond by identifying this malicious activity and to block the transmission of personal data to the attacker’s website. It then filed a breach notification form with the ICO 24 hours later, on the 6 September 2018.
At this point the fact pattern remains unremarkable from a data protection practitioner’s perspective (attack happens, data is compromised, specific system issues are identified and quickly patched, report to ICO is filed). What happened next, though, was remarkable.
The ICO on 4 July 2019 issue BA with a NOI in which the proposed penalty was £183.39 million. By all accounts, and all methods of measurement, it would be the biggest fine in data protection history. To most practitioners at the time it seemed astronomical in light of the facts which had given rise to the incident.
What followed, quite predictably, was circa 15 months of legal debate between BA’s team and the ICO in which BA had 3 rounds of detailed argument and representations about the ICO’s proposed fine. BA’s line of attack covered almost every conceivable flaw in the NOI including that:
- the ICO had misapplied Article 83 (2) in deciding to levy a fine at all, or such a large fine
- a turnover-based approach to fines is a fundamentally flawed way of achieving effective and proportionate penalties
- the ICO had acted contrary to its regulatory action policy (“RAP”) which infers that fines of more than £1m would be preserved for the ‘most severe breaches’ and this incident was not the most
However, what appears to be singularly the most effective argument was that the ICO had, when calculating the proposed penalty of £183.39 million, unlawfully applied an unpublished internal document entitled “Draft Internal Procedure for Setting and Issuing Monetary Penalty Notices”. This Draft Internal Procedure (“DIP”) was a secret, unpublished document. BA’s challenge of its use was extremely effective and had several interesting consequences all of which are highly pertinent to the dramatic fine reduction. But let’s come back to that later, and move onto Marriott’s case.
In September 2016, Marriott bought Starwood Hotels. The deal was done at speed (this being the norm for corporate M&A as any lawyer involved in due diligence work will attest) and consequently only limited due diligence was carried out on Starwood’s data processing systems. The ICO, in its monetary penalty notice (“MPN”), makes a passing acknowledgement that “there may be circumstances in which in-depth due diligence of a competitor is not possible during a takeover” which could easily be mistaken as passive acknowledgement that corporate M&A work can be justifiably brief when analysing data protection risk.
Unfortunately the ICO quickly squash any idea of leniency in the circumstances by reminding us that “The need for a controller to conduct due diligence in respect of its data operations is not … a one-off requirement… Even if adequate due diligence had been undertaken at the point of acquisition, that would not have removed Marriott’s obligation to ensure, on an continuing basis, that it complied with the GDPR”. Corporate lawyers, be warned.
It appears that, in July 2014, an external threat actor installed remote access Trojans to Starwood’s site, giving that attacker unrestricted access to any devices connected to the Starwood network and allowing the attacker to permit system reconnaissance. From there, the attacker was able to exfiltrate guest data contained within Starwood databases. On acquiring Starwood, the compromised IT system and databases became Marriott’s problem despite the IT systems and databases of both companies being kept separate. Marriott used Accenture to manage Starwood’s IT and it was Accenture who alerted Marriott to the attack on 8 September 2018. However, Marriott did not file a breach notification with the ICO until 22 November 2018, which all good data protection practitioners will automatically spot (at first glance) as being somewhat later than permitted by Article 33 GDPR.
The figures of affected data subjects in the Marriott breach are quite staggering when compared to BA.
"Marriott estimates that 339 million guest records were affected, of which 30.1 million were EEA data subjects (of which 7 million were in the UK)."
The compromised personal data included encrypted passport numbers and payment card details although it appears that the encryption key was not compromised. Unencrypted data included full identification and contact details of guests, hotel usage information (time of arrival, departure, number of adults/children etc). On 5 July 2019, the ICO issued Marriott with a NOI in which the proposed penalty was £99.2 million. Yet another stunning number, dwarfed only by the super-sized NOI that BA had been handed just 1 day earlier.
What followed, again quite predictably, was 15 months of legal debate between Marriott’s team and the ICO. Once again, the ICO relied on the DIP to calculate its starting point for the proposed penalty. Many of the points raised by Marriott’s team reflect those raised by BA’s team and, in particular, they raised the all-important criticism of the ICO’s reliance on the DIP. Could the DIP be the fundamental flaw that was leading to such extravagant penalty calculations?
"It took Marriott 4 months to notify the ICO from the point that they were arguably first alerted to an issue."
During that time it was even spotted by tech savvy members of the public who contacted Ticketmaster on Twitter to highlight the problem. Ticketmaster notified 9.4 million EEA customers (of which 1.5 million are in the UK) about the affected incident, although it is not thought that all were impacted. Still, assuming the worst case scenario, 9.4 million is clearly much lower than Marriott’s breach, but significantly higher than BA’s breach. Interestingly, the NOI that followed from the ICO, which was issued on 7 February 2020, was for £1.5m, being significantly lower than the other 2 cases despite seeming to be similar or worse than them in several respects (duration of breach, no. of affected data subjects, type of personal data compromised etc). Quite predictably, Ticketmaster then lodged its objections with the ICO in much the same way as BA and Marriott.
Then What Happened?
All of the cases resulted in a reduction in the proposed penalty values in the 3 NOIs, but clearly there were very different outcomes. With BA, the ICO entered into a long and complex dialogue about the merits of the case but, somewhat intriguingly, when it came to issue BA with the MPN the ICO began its calculation at a dramatically lower number of £30m without any explanation as to why such a number, which is 83% lower than the original NOI figure, was the appropriate starting point.
A similar approach was taken with Marriott. In that MPN the ICO spent considerable time assessing the merits of the arguments posed and then launches into a fine calculation which starts at £28m, being 71% less than the original Marriott NOI and without offering an explanation or justification as to why that was a more appropriate starting figure.
The same is not true for Ticketmaster, whose comparably low fine was not adjusted downwards until mitigation steps are considered. Ultimately, taking into account mitigation steps, good behaviour and Covid 19, the final penalty values for each entity were as follows:
- BA: £20m (down 89.07% from NOI value and 0.16% of BA’s group’s worldwide turnover)
- Marriott: £18.4m (down 81.45% from NOI value and 0.36% of Marriott’s group’s worldwide turnover)
- Ticketmaster: £1.250m (down 16.66% from NOI value and 1.21% of worldwide turnover)
Read our Part 2 of our analysis of ICO fines this year here.
Get in touch
For more information on this update, or any data protection related matters, please contact Matthew Holman.
 The ICO is obliged to issue such a notice before progressing to a MPN per section 155 (1) and Schedule 16 DPA 2018.
 There were circa 11 grounds of appeal filed by BA. For the full breakdown and discussion of the appeal arguments, see pages 76 to 111 of the MPN.
 Page 18, Marriott MPN dated 30 October 2020. The author would be intrigued to know of any corporate deal where in-depth DD of a competitor is truly possible.
 Marriott MPN, paras 6.64 and 6.66
 For a full breakdown of Marriott arguments, see pages 24 to 26 and 41 to 50 f the MPN.
 The BA MPN is 114 pages long.