The EU’s General Data Privacy Regulation (GDPR) is designed to improve the state of data privacy and security for EU citizens. Under the new regulation, organizations are held to a much higher standard regarding how they collect and manage an individual’s personal data, and the fines for non-compliance have increased dramatically compared to existing legislation.
Recently, the Information Commissioner’s Office (ICO), the GDPR regulator for the UK, has announced fines for two organizations: British Airways and Marriott. These fines are notable for their magnitude and the reasons that the organization was liable. Previously, most GDPR fines were small and applied in cases of deliberate ignorance of GDPR’s rules, like hiding aspects of an application’s privacy policy and settings within multiple pages.
The fines levied against British Airways and Marriott are different. First, they dwarf the fines applied in the first year of GDPR enforcement. Second, they are punishments for “unintentional” violations of GDPR: an exploited web application security flaw and an existing breach inherited during a merger.
The History of GDPR Enforcement
The EU’s General Data Privacy Regulation (GDPR) went into effect on May 25, 2018. Under the new regulation, the definition of protected personal information was expanded as well as the responsibilities of organizations when holding or using it. A more famous aspect of the new regulation was the fact that fines increased dramatically for non-compliance. A GDPR infraction carries a maximum possible penalty of up to 20 million Euros or 4% of global turnover, whichever is greater.
In the first year of GDPR, the regulatory bodies reviewed over 200,000 cases of alleged violations of GDPR. From these cases, a total of 56 million Euros in fines was levied, of which 50 million Euros was a single fine against Google.
The reason for this (relatively) low number of fines was the fact that GDPR regulators considered it a transition year where regulators acclimated to the new legislation and worked to manage the massive influx of new cases. Also, these early cases demonstrated to organizations that regulators can and will levy fines under the new regulations, underscoring the importance of achieving compliance with the new regulation.
The British Airways and Marriott Breaches
New fines announced by the UK’s Information Commissioner’s Office (ICO), the UK organization responsible for policing GDPR compliance, has demonstrated that they’re not fooling around regarding GDPR enforcement. The ICO has publicized the fact that they intend to fine British Airways and Marriott hotels 183.5 million and 99 million Euros respectively for failing to properly secure data protected under GDPR. While these fines are still open to appeal, they represent the largest GDPR fines announced to date.
In the case of British Airways, the cause of the breach was a poorly-secured web application. Attackers managed to modify the website’s Javascript code to include Magecart, a common piece of malware designed to steal credit card information. As a result, 380,000 victims had their information stolen.
The Marriott breach was caused by a hack of the Starwood database, which was compromised even before Marriott acquired Starwood in 2016. However, the breach continued past May 25, 2018, making it fall under GDPR jurisdiction. This fine demonstrated that the GDPR regulatory authorities intend to enforce protection of all personal data in an organization’s possession, even if the original breach “wasn’t their fault”.
The British Airways and Marriott fines are striking due to the size of the penalties. Previously, the ICO’s largest fine levied under data protection legislation was 500,000 Euros for the Facebook Cambridge Analytica scandal. This was the maximum possible fine allowable under GDPR’s predecessor, and the Starwood and Marriott fines demonstrate that the ICO is happy to take advantage of the higher ceiling offered under GDPR.
The new fines against British Airways and Marriott are each greater than all of the fines levied in the first year of GDPR combined (and the British Airways one is over three times as much). These fines are likely designed to set a precedent and serve as a warning to other companies currently under investigation for GDPR violations (like Google and Facebook).
Becoming GDPR Compliant
The EU’s General Data Privacy Regulation (GDPR) demonstrates their commitment to holding companies accountable for how they collect and use the personal data of their customers. Under the GDPR, a greater range of personal data is protected by the regulation, and the fines for non-compliance have dramatically increased. The previous regulation capped fines at 500,000 Euros, while the new regulation allows penalties up to the greater of 20 million Euros or 4% of a company’s global turnover.
While the penalties levied in the first year of GDPR were relatively low, the new British Airways and Marriott breaches demonstrate that this will not always be the case. Either of these fines is greater than all fines levied in the first year of GDPR combined, demonstrating that the ICO is ushering in a new era of GDPR enforcement.
These fines underscore the importance of implementing proper data and web application security protections for any organization. Neither breach was caused by deliberate noncompliance and could have been prevented if data monitoring and loss protection solutions were in place. While the magnitude of the British Airways and Marriott fines was likely intended to send a warning to other organizations of the cost of deliberate noncompliance with GDPR, there is no guarantee that regulators will not continue to levy fines of this magnitude for similar violations.
