The EU’s General Data Privacy Regulation (GDPR) is designed to improve the state of data privacy and security for EU citizens. Under the new regulation, organizations are held to a much higher standard regarding how they collect and manage an individual’s personal data, and the fines for non-compliance have increased dramatically compared to
The fines levied against British Airways and Marriott are different. First, they dwarf the fines applied in the first year of GDPR enforcement. Second, they are punishments for “unintentional” violations of GDPR: an exploited web application security flaw and an existing breach inherited during a merger.
of GDPR Enforcement
The EU’s General Data Privacy Regulation (GDPR) went into effect on May 25, 2018. The regulation expanded both the definition of protected personal information and the responsibilities of organizations that hold or use it. Its most publicized aspect was the dramatic increase in fines for non-compliance: a GDPR infraction carries a maximum penalty of 20 million Euros or 4% of global turnover, whichever is greater.
In the first year of GDPR, regulatory bodies reviewed over 200,000 cases of alleged violations. From these cases, a total of 56 million Euros in fines was levied, of which 50 million Euros was a single fine against Google. The number of fines was relatively low because regulators treated it as a transition year, acclimating to the new legislation and working to manage the massive influx of new cases. Even so, these early cases demonstrated to organizations that regulators can and will levy fines under the new rules, underscoring the importance of achieving compliance.
British Airways and Marriott Breaches
New fines announced by the UK’s Information Commissioner’s Office (ICO), the UK organization responsible for policing GDPR compliance, have demonstrated that it is not fooling around regarding GDPR enforcement. The ICO has publicized its intention to fine British Airways and Marriott hotels 183.5 million and 99 million Euros respectively for failing to properly secure data protected under GDPR. While these fines are still open to appeal, they represent the largest GDPR fines announced to date.
In the case of British Airways, the cause of the breach was a poorly-secured web application. Attackers managed to modify designed to steal credit card information. As a result, 380,000 victims had their information stolen.
The Marriott breach was caused by a hack of the Starwood database, which was compromised even before Marriott acquired Starwood in 2016. However, the breach continued past May 25, 2018, bringing it under GDPR jurisdiction. This fine demonstrated that the GDPR regulatory authorities intend to enforce protection of all personal data in an organization’s possession, even if the original breach “wasn’t their fault”.
The British Airways and Marriott fines are striking due to the size of the penalties. Previously, the ICO’s largest fine levied under data protection legislation was 500,000 Euros for the Facebook Cambridge Analytica scandal. This was the maximum possible fine allowable under GDPR’s predecessor, and the British Airways and Marriott fines demonstrate that the ICO is happy to take advantage of the higher ceiling offered under GDPR.
The new fines against British Airways and Marriott are each greater than all of the fines levied in the first year of GDPR combined (and the British Airways one is over three times as much). These fines are likely designed to set a precedent and serve as a warning to other companies currently under investigation for GDPR violations (like Google and
The EU’s General Data Privacy Regulation (GDPR) demonstrates the EU’s commitment to holding companies accountable for how they collect and use the personal data of their customers. Under the GDPR, a greater range of personal data is protected by the regulation, and the fines for non-compliance have dramatically increased. The previous regulation capped fines at 500,000 Euros, while the new regulation allows penalties up to the greater of 20 million Euros or 4% of a company’s global turnover.
While the penalties levied in the first year of GDPR were relatively low, the new British Airways and Marriott fines demonstrate that this will not always be the case. Either of these fines is greater than all fines levied in the first year of GDPR combined, demonstrating that the ICO is ushering in a new era of GDPR enforcement.
These fines underscore the importance of implementing proper data and web application security protections in any organization. Neither breach was caused by deliberate noncompliance, and both could have been prevented if data monitoring and loss protection solutions had been in place. While the magnitude of the British Airways and Marriott fines was likely intended to warn other organizations of the cost of deliberate noncompliance with GDPR, there is no guarantee that regulators will not continue to levy fines of this magnitude for similar violations.