Fines for data breaches and the General Data Protection Regulation

Much has been made of the imposition of the General Data Protection Regulation (“GDPR”), to be integrated into UK law via the Data Protection Bill (“DPB”), in anticipation of its coming into force on 25 May 2018. The rationale behind the GDPR is to provide a legal framework that acknowledges the sensitivity of personal data (such as names, NI numbers, IP addresses and personally identifying information) and its misuse in the digital era.  One feature of the GDPR is a far greater focus on fines.

The power of data protection regulators to impose fines is not new. The Data Protection Act 1998 (“DPA”) provides the UK’s data protection regulator, the Information Commissioners Office (“ICO”), the statutory mandate to impose fines of up to £500,000.

The most significant recent fine was that imposed upon Keurboom Communications Ltd, who were subject to a record fine of £400,000 on 10 May 2017 for conducting over 99.5 million marketing-oriented nuisance calls. It should be noted that there were aggravating factors in the case leading to a more serious fine- the failure of Keurboom to comply with the ICO’s investigation and the significant impact the practice had on the company’s ability to amass market share. In October 2016 TalkTalk was also fined £400,00 for failing to prevent a data breach which left the personal data of over 150,000 customers at risk.

The fine framework  

What has been the subject of substantive debate is the magnitude of fines which can be imposed under the GDPR, which can be applied to both controllers and processors of personal data. These are contained within s.150(5) and (6) of the DPB:

- a lower threshold of €10m or 2% of annual worldwide turnover; and

- a higher threshold of €20m or 4% of annual worldwide turnover.

In this context, it is unsurprising that many data processors and controllers are looking to conduct audits and overhauls of their existing data protection policies. Indeed, the magnitude of these fines is such that the Information Commissioner Elizabeth Denham sought to address rising tensions in a recent ICO blog article, stating:

“It’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm. The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GPDR. We have always preferred a carrot to the stick.”

Comment

The Information Commissioner’s perspective on the levying of sanctions sends a clear message consistent with the historical approach of the ICO. Fines are a last resort, deterrent in their size and cautious in their imposition. Further, as the TalkTalk and Kerboom figures suggest, the volume of data subject to a breach has a proportionate impact on the fine imposed. Notably, the ICO yet to impose its maximum £500,000 fine under the current statutory regime. It seems likely that, in keeping with its pragmatic approach, the ICO does not intend to reach its new fine thresholds without significant justification.

Alongside the severity of fines increasing it is also clear is that the volume of fines imposed under the existing regime is also increasing- to date this year the ICO has imposed 49 fines with 34 in 2016 and 11 in 2015.  This perhaps reflects society's increasing reliance on digital media.  The introduction of larger fines together with other measures such as the right to erasure herald an age of more stringent regulation and enhanced transparency in the processing of personal data. In this context anyone who finds their personal data misappropriated, for example via text messages, applications, video or photos, may also benefit from enhanced consent requirements under the GDPR. This imposes the requirement that any processing of such personal data requires the “freely given, specific, informed and unambiguous consent” of the individual concerned. Furthermore, such consent may be withdrawn at any time. This enhanced framework of consent and the deterrence of significant fines, may provide much-needed recourse and control.

Click here to find out how Brett Wilson LLP solicitors can assist you if your personal data has been misused.