We’re more than a year into the General Data Protection Regulation (GDPR) era, and we now have a few enforcement actions under our belts as data points. Earlier in 2019, there was the jaw-dropping $56 million fine by the French regulators against Google. More recently, the UK’s data protection authority, the ICO, announced its intent to fine British Airways over $200 million — almost 1% of its worldwide revenue — and Marriott International $120 million for GDPR violations.
In between these enormous bookends, there are some lesser but still significant fines against other companies. I’ll boldly say we have enough GDPR enforcement cases to understand what’s really being enforced and for us to draw some security and privacy lessons.
GDPR’s Two-Tiered Fine System
Before we look a little more closely at the violations of Google, British Airways, and the rest, there’s basic knowledge we need to go over first.
Under the GDPR’s article 83, fines are divided into two separate categories. The first, which merits a maximum 2% of global revenue, is associated with security violations (see below). These violations start at article 25 (“Data protection by design and default”), and continue through articles relating to the security of processors, security controls, data impact assessments, breach notification, and data protection officers. In other words, the heart and soul of the security aspects of GDPR.
The second category merits a more severe fine at 4% of global revenue (below). We all talk about the 4% fines for GDPR—I’m as guilty as anybody —but this higher fine relates specifically to privacy violations.
Let me repeat: regulators can impose the maximum 4% GDPR for violations of privacy requirements. Got that?
You can look at the specific GDPR requirements for yourself, but articles 5, 6, and 7 relate to limiting processing for personal data, gaining consent, and processing data lawfully.
The rest of the privacy requirements involve fundamental EU personal data rights. I’d like to highlight these 4% violations:
- Right of consumers, or data subjects in GDPR-ese, to access their personal data (article 15)
- Right of subjects to correct their personal data (article 16)
- Right of subjects to ask companies or controllers to erase their data (article 17, aka “Right to be Forgotten”)
You read that right! Failure to carry out data subject access requests (DSARs) or right-to-delete requests put companies into the more severe 4% tier.
You can review this legal analysis covering the considerations involved in deciding the seriousness of GDPR infringements — it includes the number of subjects affected, duration of the violation, harm to data subjects, and level of technical and administrative controls implemented.
In short, a single DSAR failure obviously won’t warrant a 4% fine, but if there are more systematic problems, then the higher-level fine can be in play.
With this as context, let’s take a closer look at some of the more significant fines so far this year.
Key GDPR Enforcement Decisions 2019
Not surprisingly, the largest fine so far this year was for privacy violations from everyone’s favorite search engine. Complaints from consumer groups about the Android setup process, led CNIL, the French data protection authority (DPA), to investigate Google’s ad personalization process. In their decision, CNIL cited two key factors that led to this enormous fine
First, CNIL said the Google did not provide easy access to the information related to the processing of subject data. They pointed out that details about ads personalization processing required “five actions of the data subjects” merely to find out what it is that Google did with their data. Ease of access is covered in article 12 of the GDPR, and Google clearly violated it.
Second, the data controller — Google in this case — has to be clear about what it is they’re doing with the subject’s personal data. CNIL found that Google fell short here as well, and didn’t give data subjects enough background for an informed consent.
To summarize: Google didn’t make it easy to find the relevant information about personal data processing, and they were not “transparent” in GDPR-ese about what it was the were doing with the data once a consumer eventually discovered these details!
And that led to a violation of article 6: Google didn’t have a lawful basis for the processing of personal data collected on Android. In short, CNIL found that Google was illegally collecting personal data!
There’s more legal analysis here as to why Google received higher scrutiny and higher fines — it had to do with the scale and personal details collected by Google. The key point is that these were not security- or breach- related infringements More on what this means at the end.
Active Assurance, Sergic, and Rousseau
There were several GDPR violations that weren’t headline-making news items, but certainly worth looking at to understand what gets a DPA’s attention.
Sergic, a French property development company was fined about $450,000 and another French company, Active Assurance, was fined over $200,000. It Italy, the gaming platform and data processor known as Rousseau received a $50,000 fine from Garante, the national DPA.
They all have one thing in common: they were each cited these for violating the core GDPR security requirements found in Article 32 (Security of Processing). Two of them, Sergic and Active, were not involved in a security breach. The enforcement actions were instead triggered by a few users noticing they were able to access other users’ [personal data — by just changing a URL!
The Rousseau platform, though, was the target of a previous breach, which led regulators to ask for improved security measures. In a follow-up review in 2019, regulators decided the security implementations were lacking, and Rousseau was specifically called out for inadequate vulnerability assessments, weak cryptographic measures, and limited logging of user activities.
You get the picture: poor security practices that were never completely addressed after a previous warning are very worthy of fines.
British Airways and Marriott
This leads nicely to the biggest GDPR headlines of the year, involving British Airways, and Marriot International. The UK’s Information Commissioner’s Office (ICO) announced that they intend to investigate both companies after massive breaches were discovered. The fines are good guesstimates at this point, and eventually we’ll get more details about the specific infringements and the final fine amount.
However, we can say based on the above cases that they minimally violated article 32 and possibly article 25 (“Data protection by design and default”). The ICO took the enormous number of records involved — 30 million for Marriott, and 500,000 for British Airways — into account in the proposed fines. Though the Marriott breach involved more records than British Airways, the fine was smaller. The ICO seemed to allow for the fact that actual hotel chain was not owned by Marriott at the time of the breach — it was acquired later. The ICO is looking more closely into Marriott’s due diligence efforts during the acquisition.
Three Lessons Learned and a Word of Warning
I’m going to point out what I believe are the three most important lessons from these cases.
1. Users or customers or consumer groups can complain directly to a DPA about a company’s security practices. So DPA investigations don’t have to be initiated by a data breach. Obviously, large breaches get the regulators attention, but that’s not the only source of information for them.
Lesson: you can’t neglect security under GDPR when the general public is observing your security practices all the time!
2. Don’t forget about privacy practices: it’s half of the GDPR! And while writing clear privacy notices and obtaining legal consent is important, they’re not the only privacy requirements of GDPR. You can be fined at the 4% level for not deleting data, or not adequately allowing consumers to access and correct their privacy data or allowing access to personal data without getting proper consent.
Lesson: Privacy is a fundamental EU right — it’s in the EU Charter! — and therefore taken very seriously by the regulators.
3. The DPAs are not just issuing fines and writing opinions on security and privacy practices; they do follow up and check whether violators have corrected deficiencies. The DPAs can and will look at past infringements and overall histories in setting fines for the next data breach or security lapse. Article 83 says the DPAs can consider the “intentional or negligent character of the infringement”.
Lesson: if you keep on getting called out for privacy and security violations, the GDPR regulators can view that as a sign of an overall breakdown in practices, and increase the fines accordingly.
What does it all mean? There are clear warning signs based on these recent fines, particularly for, cough, one US social media company in particular, but other US multi-national companies as well: if they don’t make data security and privacy an essential corporate priority, then there will be serious fines that’ll make the British Airways’ fine look like chump change.