EU Data Privacy Fines Are Getting Steep. Will This Be the New Normal?
And will the end result encourage companies to try to keep cybersecurity breaches secret?
For some data activists, the General Data Protection Regulation (GDPR) has so far been kind of a dud. They hoped the EU's mammoth data privacy rules would bring largely-foreign tech giants to heel with complex requirements and steep fines.
Instead, the GDPR has mostly ended up being the "Google Data Protection Regulation," because the big guys can handle compliance hurdles better than everyone else. Other than one rousing anti-Google effort from the French, EU member nations have largely targeted small fish, including a small Austrian business whose security cameras captured "too much public space" (earning a €4,800 rebuke—$5,400 in U.S. currency) and a tardy Bulgarian firm that dragged its feet in responding to an employee's data request (to the tune a cool €500).
There have been a handful of more substantial actions as well. One pretty bonkers incident involved the soccer league La Liga allegedly sussing out which sports bars were pirating soccer matches by hijacking app user microphones. The Spanish Data Protection Agency said ¡basta ya! and slapped a quarter-million euro fine on the supposed soccer snoopers. (La Liga denies the allegations and is appealing.)
But in general, when you browse the unofficial databases of GDPR enforcement actions, you'll find a lot of snoozers.
A recent report by the law firm DLA Piper bears this out. It finds that there were some 59,000 publicly disclosed data breaches within the EU over the past year. Of these, only 41,502 made it as official EU-reported data breaches. But EU member states have only acted on 91 incidents, like the one involving our over-zealous Austrian company from earlier.
The researchers believe that EU member states are simply ill-equipped to manage the regulatory task at hand. Before the GDPR took effect, there were reports that many data protection authorities were ignorant of what "compliance" would even look like. It's not surprising that they would be slow on the bureaucratic uptake a year later.
This appears to be changing. Last week, the UK's Information Commissioner's Office (ICO) announced two major fines against alleged GDPR offenders.
First, British Airways was hit with a record-setting £183 million fee ($229 million U.S.) for a website vulnerability that redirected some half a million visitors to a fraudulent website in June of 2018. Personal data of the duped victims were apparently exposed to the fraudsters.
The beleaguered airline's CEO was surprised by the action, as the company has found no evidence that any fraudulent activity resulted from the breach. Furthermore, he says British Airways worked closely with the ICO to make security improvements following the breach. Tough break old chap, but I suppose the ICO only has so long to exercise its GDPR authorities until Brexit (maybe?) comes to wreck it all.
The U.S.-owned Marriott International was the next domino, facing a £99-million penalty ($124 million U.S.) for an incident of which the hotel chain notified the ICO last November. The Starwoods hotel group, which Marriott eventually purchased, suffered a system compromise in 2014. (The ICO press release does not mention numbers, but it's estimated that some 327 million customers were impacted.) Marriott later acquired Starwoods in 2016, but did not learn of the vulnerability until 2018, after which the company informed the ICO.
Despite this seeming good faith effort to work with regulators, the ICO still brought the book down on Marriott. The UK's data regulator ruled that Marriott "failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems." Of course, all of this occurred years before the GDPR even took effect, but no matter.
Right away, it's noteworthy that neither of these firms are "technology companies," strictly speaking. While British Airways and Marriott are major firms with all the attendant technological infrastructure needed to power its enterprises, they are not exactly who most people have in mind when they think about data privacy violations.
The GDPR was sold as a tool to tame the Googles and the Facebooks of the world. But law applies to any worldwide entity that "process[es] the personal data of data subjects who are in the Union," regardless of size or industry. No gamer is safe: this is why the humble rolz.org virtual tabletop dice roller was forced to shutter its European doors on the eve of the GDPR rollout.
In truth, any company is fair game for GDPR enforcement. In regulating "data use," the GDPR is regulating basically everything.
And producing "evidence of consumer harm" is not necessarily a requirement to issue bank-breaking fees. The ICO statements did not clarify the specific fallout for victims in either case. Maybe the data are merely "exposed" but never actually gathered or used—a clearly different beast than a situation where people's personal data are used in fraud or surveillance. The mere fact that a breach occurred could be reason enough to try and bag the big game.
Why not? GDPR fines can make handsome contributions to national treasuries (victims do not by default receive any of the proceeds). There is a great incentive for data protection authorities to issue steep fines wherever they can. Companies will try to dispute the charges, and final penalties may settle at lower levels. But they will usually be greater than zero, so data enforcers will tend to aim high when possible.
The leaders of other data protection authorities are surely viewing these two British cases with interest. The floodgates have been opened and copycats will follow. It's free money. Most big companies have suffered some kind of data breach in the course of their long histories. If you look hard enough, you'll probably find one. The bigger the company, the greater the digital attack surface—and tantalizingly for regulators, the deeper the pockets.
Trying to proactively work with regulators does not seem to buy goodwill either. This sets another pernicious incentive. Companies may shy away from reporting such incidents in fear of an EU shakedown. Such cover-ups may be found out anyway, which would create a whole new set of problems for compromised firms. But maybe they wouldn't, and breaches that could have otherwise been responsibly handled may be simply swept under the rug.
It's an unfortunate state of affairs. Companies are incentivized to spend millions in search of "compliance," whether or not that translates to meaningful progress in data practices. They may be tempted to hide breaches to avoid onerous fines. And data enforcements are incentivized to shake down any company that finds itself misaligned with vague GDPR dictates, regardless of whether there was any demonstrable harm.
Welcome to the new normal of a post-GDPR world. It may keep lawyers busy and state coffers fuller, but it doesn't do much to promote the improvements on data privacy policies that advocates had hoped.