October 2020 was a relatively busy month for ICO enforcements, with some hefty fines for some of the organisations that were the subject of the enforcement. This month, the ICO issued enforcement notices against some well-known names. The full list for October is:
– British Airways
– Marriott International Inc
– Experian Limited
– Reliance Advisory Limited
– Studios MG Limited
We have reviewed the enforcement notices and what they mean for data protection, taking lessons from what the ICO expect, and more importantly, what examples are made of organisations to show what practices are not acceptable.
It is important to note that organisations do not often act with nefarious intentions. It is their negligence or lack of due diligence which ultimately makes them fall foul of the law.
British Airways – £20m
On 16th October 2020, the ICO fined British Airways (BA) £20 million for “failing to protect the personal and financial details of more than 400,000 of its customers.”
An ICO investigation reports that BA were processing large amounts of personal data without having properly implemented adequate security measures for that processing.
“The Commissioner’s view is that the personal data stored within and processed by BA’s systems, including the BA website, were not being processed in a manner that ensured appropriate security of that personal data, including using appropriate technical or organisational measures. BA failed to implement appropriate technical and organisational measures to protect the rights of data subjects and comply with the data protection principles.”
This is in light of the fact that BA were targeted by a cyber-attack on 22nd June 2018 which is understood to have affected 429,612 customers and staff. It is reported that the personal data of 244,000 customers were breached, including details of their:
– Payment card numbers
– CVV numbers
“BA was negligent (under Article 83(2)(b)) in failing to ensure that it had taken all appropriate measures to secure personal data”
BA were not aware of the attack until 5th September 2018 when they were notified by a third party.
Elizabeth Denham (The Information Commissioner) stated “Their (BA’s) failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date”.
“Addressing these security issues would have prevented the 2018 cyber-attack being carried out in this way”.
We are now seeing the feared upper limit of the fines which the GDPR threatened for serious breaches of data protection law. In this case, the compounded facts of poorly implemented security measures, mixed with a lack of action once those weaknesses were known, proved to be incredibly costly for BA, who, like all airlines, will have already been struggling during the pandemic.
Organisations should use this as a lesson to:
– take all reasonable precautions to have security systems which are as robust as possible;
– be proactive when they are alerted to security issues, whether that be by their penetration tests, their IG leads, or any interested third parties, and act as quickly as possible to ensure that the appropriate security measures are in place.
Marriott International Inc – £18.4m
On 30th October 2020, the ICO fined Marriott International Inc £18.4 million for “failing to keep millions of customers’ personal data secure”. The ICO estimates that a staggering total of 339 million guest records were affected as a result of a cyber-attack in 2014. This attack was on Starwood Hotels and Resorts Worldwide Inc, who were the relevant company at the time, before Marriott took them over. The attack went unnoticed for 4 years, and when it was finally noticed in September 2018, the company had been acquired by Marriott.
This is another heavy fine from the ICO in the same month.
Similarly to British Airways, the cyber-attack involved personal and confidential information of its clients. The following details of the 339 million guests on record are reported to have been accessed:
– Email addresses
– Phone numbers
– Unencrypted passport numbers
– Arrival/departure information
– Guests’ VIP status
– Loyalty programme membership number
Despite Marriott acting promptly once aware of the breach to contact its customers and the ICO, and instigating better security measures to protect against another attack of a similar nature in the future, the ICO still fined Marriott the eye-watering sum of £18.4 million.
This just goes to demonstrate how important security measures are in an organisation which holds such a wealth of personal data. Marriott (well, at the time Starwood Hotels and Resorts Worldwide Inc.) had records on 339 million guests. The scale of a data breach that size is unthinkable. It is a number similar to the entire population of the United States of America, the third most populous country in the world.
Experian Limited – enforcement notice
Whilst not a financial penalty, the ICO has ordered Experian to make significant changes to how it handles personal data in its direct marketing services. The ICO’s enforcement notice is under the premise that they are compelled to make the changes within 9 months, or further action will be taken. Such action could be a fine of up to £20m or 4% of the organisation’s total annual worldwide turnover.
“The ICO found that significant ‘invisible’ processing took place, likely affecting millions of adults in the UK. It is ‘invisible’ because the individual is not aware that the organisation is collecting and using their personal data. This is against data protection law.”
“The enforcement notice follows a two-year investigation by the ICO into how Experian, Equifax and TransUnion used personal data within their data broking businesses for direct marketing purposes. A complaint from the campaign group Privacy International to the ICO also raised concerns about the data broking industry, specifically Equifax and Experian.”
So, what does the enforcement notice actually say?
Transparency is a key principle in the GDPR, and the ICO clearly felt that Experian were not being transparent in their data processing. The ICO have demanded that Experian inform people that it holds their personal data, and how it uses that data for marketing purposes. Such information is commonly found in a Privacy Notice, and should be readily available for customers to access. Any existing Privacy Notices Experian had in place were clearly inadequate.
The ICO also demanded that Experian ceased using personal data from its “credit referencing side of the business” for marketing purposes, which it currently does. In the current arrangement, “people have no choice about whether their data is shared with Experian for credit referencing purposes and that Experian’s processing of this data for marketing purposes is unexpected”.
Sadly, this is all too common a decision for the ICO to have to make. It is somewhat surprising how complacent some organisations can be when it comes to using their customers’ data in ways which fall outside the scope of the GDPR. Organisations need to properly take stock of how they process personal data and on what lawful basis; they need to identify any weaknesses or gaps in their compliance with the GDPR and address them as a matter of urgency.
Reliance Advisory Limited – £250,000
This is an ICO fine which doesn’t have the same ‘shock factor’ as some other fines; however, this does not make the actions of Reliance Advisory Limited insignificant. Fines are very much relative to the size and scope of the organisation.
“The ICO found that over a six month period from the start of 2019, the Bury-based company RAL made 15.1 million calls in relation to claims management services such as mis-sold PPI. All of the calls, of which 1.1 million connected, were made to people who had not consented to receive them.”
The ICO received a number of complaints in relation to these calls, including calls being received numerous times a day. Some of the callers were allegedly aggressive and rude, compounding the distress the nuisance calls were causing their recipients.
Andy Curry, ICO Head of Investigations:
“Nuisance calls continue to be a matter of great distress, annoyance and significant concern for the public and we will continue to find and take action against the worst offenders.
The law exists for a reason, and that is to protect people from this high degree of intrusion into their private lives. Businesses must respect the law and the onus is on them to be aware of their responsibilities. Pleading ignorance of the rules, as was put forward in this case, will never be a valid argument.”
Studios MG Limited – £40,000
The final enforcement notice to mention this month is in relation to Studios MG sending spam emails selling face masks during the COVID-19 pandemic.
Studios MG were not a supplier of PPE; rather, the director had made the decision to purchase face masks in order to sell them at a profit.
It is understood that the company deleted a database of “key evidence which would have shown the full extent of the volume of emails they had sent.”
Ultimately, no evidence could be provided that they had obtained consent from the recipients of the emails, and as such the emails were unlawful pursuant to the Privacy and Electronic Communications Regulations 2003.