2019年1月,谷歌因未履行GDPR规定义务,被法国监管机构国家信息与自由委员会(CNIL)处以5000万欧元罚款。7月8日,英国信息专员办公室ICO因数据泄露事件,对英国航空公司处以2.04亿欧元的罚款处罚。7月9日,国际知名酒店万豪集团因泄露客户信息,将面临ICO1.11欧元罚款......数据合规进程任重而道远。

NON-COMPLIANCE RISKS ARE RISING

On 21 January 2019, the French data protection authority, CNIL, imposed a fine on Google of €50 million for various breaches of the GDPR, and the first fine imposed by CNIL.This was to biggest fine to-date by far imposed by any DPA pursuant to the GDPR.  

In early June, at DeHeng GDPR seminars in Beijing and Shanghai, I predicted that the risks of non-compliance with GDPR would rise rapidly before the end of this year.  I suggested that by year-end, the €50 million fine imposed on Google in January this year might seem rather low.  We do not need to wait until the end of this year for things to get more complicated for infringers.

As for Google, it is now facing a consumer class action in France for its GDPR infringement found in January by the French data protection authority, the CNIL.  As you will recall, the CNIL found that Google browser users were not given a sufficient opportunity to provide an informed and unambiguous consent to Google's privacy policy.  This could raise Google's total exposure for that GDPR infringement to well over the initial €50 million fine.  

Two days ago, the UK data protection authority, the ICO, announced that it will fine British Airways under GDPR a total of €204 million for a data breach involving some 500,000 BA customers.  The ICO found that BA's data security system was legally insufficient for the purposes of the GDPR.  More specifically, the ICO found that BA had failed to protect customers' names, addresses, email addresses, credit card information and log-in passwords. 

For data breaches under Article 32 of the GDPR, BA could have been fined a maximum of 2% of its global group turnover, or a total of €280 million.  

As you will see, the ICO's fine on BA was close to the ceiling allowed under GDPR.  This is a very disturbing development because it suggests that fines will rise much higher.  For infringements other than data breaches, such as the failure to obtain the informed consent of an individual to the processing of his data, the maximum fine is 4% of the company's global group turnover. Clearly, if the national data protection authorities are now considering the imposition of the maximum fine (unlike what happened to Google in January), companies much larger than BA could be in for some very serious pain if  they are the target of a GDPR investigation. 

As for BA, the ICO fine is just the beginning.  BA will now face any number of follow-on collective lawsuits by customer groups.  

And then yesterday, the ICO announced that it will fine Marriott a total of €111 million for a massive breach of its data security involving customers.  

Obviously, the stakes are rising fast for companies.  As I explained in early June, Chinese companies exposed to GDPR who continue to be indecisive about compliance are doing so at their peril.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.