Big GDPR Fines in UK and Ireland: What's the Holdup?Both Countries Have Each Issued Only a Single, Finalized Fine Under EU's Privacy Law
The EU's General Data Protection Regulation was meant to finally bring in line organizations that didn't treat Europeans' personal data with respect. But two years after the regulation went into full effect, why have both the U.K. and Ireland each issued only one final GDPR fine to date?
See Also: Regulation Cheat Sheet
When GDPR went into full effect on May 25, 2018, so too did EU members states' privacy watchdogs' bigger enforcement powers. Organizations were given just 72 hours to alert regulators when they'd discovered a breach and provide the particulars of what happened, when and how. Any organization that fails to so notify, or which had inadequate security controls in place for protecting personally identifiable information - whether or not it got breached - now faces the potential of steep fines.
GDPR empowers EU regulators to levy fines of up to 4% of an organization's annual global revenue or €20 million ($22.2 million) - whichever is greater - if they violate Europeans' privacy rights, for example, by failing to secure their personal data (see: GDPR: Europe Counts 65,000 Data Breach Notifications So Far).
But so far, both the U.K. and Ireland have only issued a single fine each. That's despite data from law firm DLA Piper showing that as of Jan. 27, the countries respectively received the third and fourth greatest numbers of data breach notifications among European nations.
Notifications do not necessarily lead to fines, and the volume of notifications does not necessarily correlate with overall severity. But it's notable that numerous technology giants - including Apple, Facebook and Google - have their headquarters in Ireland. Accordingly, Ireland's GDPR enforcer, the Data Protection Commission, takes the lead on any GDPR investigations into those firms. In February, DPC revealed that it had 21 open inquiries into several of those firms, although no fines have been issued - at least yet (see: Irish Privacy Report Gives Glimpse Into GDPR Investigations).
GDPR Fines to Date
Ireland's only GDPR fine so far was announced on May 17, when the DPC fined the government's child and family agency, Tusla, €75,000 ($84,000), for three cases in which information about children was incorrectly disclosed to third parties.
Meanwhile, the U.K.'s only finalized GDPR fine was issued on Dec. 17, 2019, against London-based Doorstop Dispensary, for £275,000 ($341,000), after it stored patient records in a "careless" manner.
Doorstop, which supplies medicine to customers and care homes, "left approximately 500,000 documents in unlocked containers at the back of its premises in Edgware," the ICO said in its enforcement notice. "The documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people," and suffered water damage.
The scant number of GDPR fines in the U.K. and Ireland stands "in notable contrast to some of the ICO's peer supervisory authorities," Jon Baines, an attorney at London-based Mishcon de Reya, said in a blog post last month. "Germany and Spain have issued more than 20 [fines], for instance, while France and Italy have each issued around 10."
As of Jan. 17, France, Germany and Austria had already respectively imposed total GDPR fines of about €51 million ($57 million), €24.5 million ($27 million) and €18 million ($20 million), according to DLA Piper (see: GDPR: $126 Million in Fines and Counting).
Delayed: UK's Potential Mega-Fines
Meanwhile, two potentially record-setting British fines against British Airways and Marriott International, have been repeatedly delayed (see: Dear BA and Marriott: Your GDPR Fines Are Important to Us).
Earlier this month, legal news service MLex reported that U.K. Information Commissioner Elizabeth Denham, who heads the ICO, told an online conference being hosted in Washington that the final penalties against British Airways and Marriott wouldn't be announced before August. That would be more than 12 months after the ICO first published its notice of intent to fine the airline a record-setting £184 million ($228 million), and Marriott £99 million ($123 million).
Except in unusual circumstances, the ICO is meant to issue final fines within six months of issuing its notice of intent to fine, says Mishcon de Reya's Baines. Any delays can only be made with the agreement of the organization facing a fine, he adds.
In April, the ICO said that in light of COVID-19 taking a big bite out of both businesses, the final fines were sure to be lower, so it's no surprise the organizations would have agreed to a delay. The ICO has also said that for as long as the pandemic continues, it will be applying to all of its efforts a more flexible, "empathetic and pragmatic approach" (see: GDPR and COVID-19: Privacy Regulator Promises 'Flexibility').
As part of that shift, the ICO last month announced that it was pausing its investigation into the advertising technology industry. “The ICO recently set out its regulatory approach during the COVID-19 pandemic, where we spoke about reassessing our priorities and resources. Taking this into account we have made the decision to pause our investigation into real-time bidding and the adtech industry," the ICO said in a statement. “It is not our intention to put undue pressure on any industry at this time, but our concerns about adtech remain, and we aim to restart our work in the coming months, when the time is right.”
What's the Holdup?
But the continuing delay in final fines being issued against British Airways and Marriott raises this obvious question: Why the delay?
"Pandemic aside, the time being taken to resolve these two cases is raising more questions than answers," Jonathan Armstrong, a partner at London-based firm Cordery, tells Information Security Media Group.
"Although the impact of COVID-19 may explain some of the current, continued delay, quite why what may end up being over a year to resolve these matters since the ICO announced its intentions to fine may leave some wondering whether GDPR enforcement is going as quickly as it should," he says. "In addition, what was also expected to be a showcase for the first significant fines under GDPR in the U.K. may now be a letdown."
But Brian Honan, who heads Dublin-based cybersecurity consultancy BH Consulting, says that seeing an extended legal process isn't surprising, especially because GDPR enforcement norms have yet to be set. "The regulator, be that the ICO or any other regulator, has to ensure their case is a legally watertight as it can be before issuing a fine or a penalty. This is very important as organizations, particularly large ones with deep legal resources, will no doubt challenge any penalties imposed on them," he says.
"The BA and Marriott cases are a prime example of this," says Honan, who's also a cybersecurity adviser to Europol, the EU's law enforcement intelligence agency. "We also have to take into account many of the regulators have limited resources, and their staff have to ensure they support the rights of all data subjects as best they can."
Remote Work: Breaches May Spike
The paucity of U.K. and Irish GDPR fines so far is not necessarily an indicator of things to come.
Plus, COVID-19 seems set to drive an increase in breaches, given that more people are working remotely, which has made it more difficult for many organizations to monitor and defend them with sufficiently robust security controls, Honan says.
"In many cases, those people may not be working in the most ideal environments or with the most secure systems, such as using their own personal computers. Many companies just focused on getting their business to continue operating - by any means possible - and security and data protection considerations may not have been on top of anyone’s minds," he says. "Indeed, we are seeing an increase in the number of organizations coming to us, looking for assistance in managing a breach."