GDPR £183 million Fine, the largest Fine issued to date

Under the new GDPR, Article 4 of the Regulation defines personal data as all data that can be deemed to identify someone. Thus precisely : ‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’. Several different cases can be seen whereby Member States imposed fines under the GDPR rules of which in March 2019, the Polish Personal Data Protection Office fined a polish organisation approximately around £193,500 for failure to inform millions of subjects that their data was being processed without their knowledge.

Following recent events, British Airways faces a record-breaking GDPR fine of more than £183 million by the Information Commissioner’s Office after serious data breaches which occurred on the 6 September 2018. This is by far one of the largest fines ever issued by the ICO, which exceeded the fine issued against Facebook for the Cambridge Analytical scandal. After extensive and thorough investigations, evidence clearly indicates that the malicious hackers stole personal data consisting of the name, address and email address together with the credit card information of the airline’s customers. Such credit card information consisted of the credit card numbers, together with the expiry dates and the three-digit CVV code which can be found on the back of the credit cards. However no passport data nor frequent flyer data had been compromised.

The penalties imposed for GDPR infringement not only result in administrative fines but can also consist of a range of other actions depending on the nature and gravity of such infringement. Provided that such penalties imposed are proportionate and effective to the breach at hand as well as subject to procedural and appropriate safeguards. Article 83(2) of the EU Regulation states that there are a range of factors and general conditions that one must take into account before imposing such fines. Besides the duration and the severity of the infringement, one must also determine whether the breach was intentional or negligent and if after such actions were committed did the organisation do everything within its power in order to remedy the situation and repair the damage suffered by the individuals. The authorities would also have to determine whether the necessary measures were implemented by the organisation in the first place and whether there were any previous infringements committed by the organisation or data processor. However, although in the case of British Airways, there was no evidence of fraudulent activity to steal customers data, this could have been easily prevented due to the fact that they had poor security management and thus in itself clear evidence of negligence on their behalf, consequentially resulting in a variety of personal and confidential clientele information being compromised.

Examples of other penalties imposed by the ICO consist of the issuing of a temporary or otherwise permanent ban on data processing, issuing of warnings and many other forms of actions such that if the breach is a minor infringement, a reprimand will be issued instead of a fine. On the other hand in the case of non-compliance with specific data articles of the regulation, the GDPR Regulation lays down two tiers of administrative discretionary fines faced by data controllers, which consist of a maximum of either €10 million or 2% of the total worldwide annual turnover of the preceding financial year, or else otherwise up to €20 million or 4% global turnover. These fines are imposed by such supervisory authorities of the respective Member States who have the power to impose and determine such fines.

Article 84 of the Regulation states that Member States, as seen in Chapter 586 Laws of Malta, Data Protection Act should be able to lay down rules on criminal penalties for not only breach of such Regulation but also for infringement of national rules.

At the end of the day, due to the rapid evolving digital world, GDPR is predominantly important in such area as besides offering detailed transparency requirements, it also provides protection and creates a safety net for anyone who has or will potentially suffer exposure of personal data. For this very reason therefore compliance to the GDPR rules in today’s world is unquestionable, providing further insight and clarification as to what companies that process personal data must do to in order to safeguard these rights of such subjects.