The UK Information Commissioner’s Office (ICO) has issued Notices of Intent (NOI) to fine British Airways (for £183m) and US hotel group Marriott (for £99m) for breaches of the EU General Data Protection Regulation (GDPR).
Assuming that fines are ultimately issued, these will be the first fines to be issued under the ICO’s increased powers derived from the GDPR.
The issue of these NOIs raises two questions: what are NOIs, and what is likely to come next?
Fines and Notices of Intent
Under the GDPR, Supervisory Authorities such as the ICO may issue fines of up to 4% of an organisation’s global turnover. Penalties at the higher end of the range are expected to be reserved for the most serious cases, involving willful, deliberate or negligent acts, or repeated breaches of information rights obligations.
The ICO must serve a written NOI to an organisation before issuing a fine. The NOI will outline the breach in question, the findings of the ICO’s investigations, the proposed fine and the reasons behind its amount.
What happens next?
1. Representations and recommendations
An organisation will have at least 21 calendar days from receiving a NOI to make written representations to the ICO about the imposition and amount of the fine.
In exceptional circumstances (for example if the central facts of the breach are in dispute), the ICO may also agree to a face-to-face meeting to discuss the representations in person. However, the ICO has absolute discretion on whether to agree to any such meeting, and it is unlikely the ICO will hear oral representations where the points at issue are technical (rather than factual) in nature.
During this period allocated for the organisation to make representations, the ICO will also consider representations by other “concerned Supervisory Authorities” where the ICO is acting as the lead Supervisory Authority in a breach concerning cross-border processing activities.
In addition, where the proposed fine set out in the NOI is “very significant”, the non-executive advisors to the ICO and technical advisors may convene to make recommendations to the UK Information Commissioner (a post currently held by Elizabeth Denham) on the level of the fine. The ICO Regulatory Action Policy, which looks to provide guidance on the ICO’s approach to these matters, is not definitive as to what amounts to a “very significant” fine, but notes the ICO expects the threshold to be set at £1m.
2. Final Decision and Penalty Notice
At the end of this process, the Information Commissioner has the final decision on the amount of the fine. The ICO will communicate the fine to the organisation in a written Penalty Notice along with any applicable rights of appeal.
3. Payment or Appeal
If the ICO issues a Penalty Notice, an organisation will have at least 28 days to pay the fine from the day it was given that Penalty Notice.
However, organisations have the right to appeal the Penalty Notice or the amount of the fine. Such appeals are generally to be made to a specific UK tribunal that is established to hear appeals against decisions made by regulatory bodies (the First-tier Tribunal (General Regulatory Chamber)).
4. So, what’s next for British Airways and Marriott?
British Airways and Marriott are both still in the period in which they (and any “concerned Supervisory Authorities” from other EU Member States) can make representations to the ICO on the imposition and amount of the ICO’s proposed fines. These periods must expire before the Information Commissioner can decide whether to actually issue Penalty Notices and, if so, in what amount.
Whether any such representations from British Airways or Marriott will actually be successful in causing the ICO to reduce the amount of any fines ultimately issued remains to be seen. We are somewhat doubtful this will occur at this point in proceedings.
In previous comments on impending enforcement actions, Elizabeth Denham has been at pains to suggest that Supervisory Authorities need to set a strong precedent with early enforcement actions. From the ICO’s perspective, it is vital to ‘get this right’ the first time – the ICO is surely acutely aware of this fact. For these reasons, we estimate that the ICO is pretty assured (internally at least) of the strength of its cases against British Airways and Marriott. Any ‘walkback’ by the ICO at this stage could be seen to present an image of weakness that the ICO would likely wish to avoid – particularly given the significant press attention given to the NOIs.
If and when issued with Penalty Notices, we estimate that it is very likely that British Airways and Marriott will appeal those fines and look to test the ICO’s position before the Tribunal in the first instance.
As these are the first fines issued by the ICO under the GDPR, and only very limited specifics are currently publicly available, the potential merits of any such appeals are wholly unclear to us at this stage.
What is clear is that we are in uncharted waters – and that what comes next will be hugely influential in shaping the business world’s approach to addressing GDPR enforcement risk in the UK and elsewhere going forward. We will keep this blog updated as matters progress.
Carolina Ljungwaldh, Summer Placement