If the run-up to GDPR D-Day May 25 2018 was epitomised by scaremongering and misinformation, this year has seen a much more measured approach, with many companies recognising that compliance is a journey rather than a destination.
According to the DMA’s “Data privacy – An industry perspective” report, released at the beginning of the year, over half of all UK marketers believe the regulation has had no effect on their ability to meet customers’ demands. One in four (26%) went even further, insisting that GDPR has actually helped them to serve customers better.
The same could not be said for Google, however, which had the dubious honour of becoming the first business to be hit with a significant GDPR fine when French regulator CNIL slapped the tech giant with a €50m (£44m) penalty.
CNIL said that Google had made it too difficult for users to understand and manage preferences on how their personal information was used, in particular with regards to targeted advertising.
It was to be the first of many fines issued across the EU this year. According to figures compiled by law firm Mishcon de Reya, 124 monetary penalties have been issued since GDPR came into force, with the data protection authorities in some countries – Spain with 21, Germany with 15 and Romania with 12 – apparently keen to exercise their powers.
Pressure mounts on the Irish DPC
Interestingly, the Irish Data Protection Commissioner, which is the supervisory authority for Facebook, Google, WhatsApp, Twitter and other major tech companies, has also yet to publish a single ruling.
Not that it has exactly been sitting on its hands. In August, the DPC launched its 21st statutory GDPR inquiry into tech giants; more than half relate to Facebook, with eight directly focused on the main site, two on WhatsApp and one on Instagram. The Irish office also has three probes into Apple, and one each into Google, LinkedIn and Quantcast. In total, it has 61 official investigations under way.
The DPC recently confirmed it has concluded investigations into Twitter – as well as Facebook’s WhatsApp – over possible breaches of GDPR, with Commissioner Helen Dixon expected to issue draft decisions within the next few weeks.
ICO ups the ante with plans for massive fines
However, as the UK Information Commissioner’s Office has found, that is normally just the start of the process, with the GDPR debate in Britain dominated by two “notices of intent” issued against British Airways and Marriott International – but again not a single fine.
On July 8, BA became the first major UK brand to be pummelled, with the company facing a £183.39m penalty for the 2018 data breach, which saw the personal data of hundreds of thousands of customers compromised.
The intended fine, which represents 1.5% of the company’s global annual revenue, will also be the largest penalty issued anywhere in Europe under the new regulation. The current record is the €50m (£44m) Google fine levied by CNIL in January.
On July 9, the ICO issued another notice of intent, this time to whack Marriott International with a £99.2m penalty for flouting the regulation.
The fine relates to a cyber incident that Marriott self-reported in November last year, which exposed about 339 million guest records globally, of which 7 million relate to UK customers.
What was perhaps most surprising was that both companies fully co-operated with the ICO investigation and have made improvements to their security arrangements since these events came to light, yet still face tough sanctions.
The regulator insists that both firms have been given the opportunity to make representations to the ICO before it takes its final decision.
Even at the time, though, some data protection experts questioned whether the fines would ever be levied; five months later and there has been no word from the ICO, BA or Marriott.
The clock is ticking fast for the ICO
However, the clock is ticking fast for the ICO, as the law gives the regulator a strict six-month period from serving a notice of intent to serving the monetary penalty.
Exactly what has been going on behind the scenes is unclear, but the latest ICO accounts reveal the regulator has been forced to go cap in hand to the Treasury to meet increased legal and professional services expenditure – currently running £673,000 over budget – which has been blamed on “litigation linked to fines”.
With the ICO having a very quiet year by recent standards – it has only issued 13 penalties so far this year, mainly for PECR offences, compared to over 30 in 2018 – it can only be assumed these soaring costs are due to the BA and Marriott cases.
Facebook appeal shows the stakes are high
Any thought the ICO had that it was going to be an easy ride should have been scotched by the way Facebook challenged its pre-GDPR fine of £500,000 – over the Cambridge Analytica scandal – at appeal.
After months of wrangling over a fine that represents just 18 minutes of profit for Facebook, the two parties eventually reached a settlement. Facebook coughed up the £500,000 but got the regulator to agree that it was not liable for the issue.
The appeal tribunal had already issued an interim decision ruling that “procedural fairness and allegations of bias on the part of the ICO should be considered as part of the appeal”. It also demanded that the ICO should be required to “disclose materials relating to its decision-making process”.
Some data protection experts claim the ICO buckled as it did not want this alleged bias to be aired in court. Any procedural cock-ups in the BA and Marriott cases – or similar accusations of bias – could put the kibosh on both fines and prove highly embarrassing for the regulator.
Make no mistake, these rulings will also be make or break for many companies’ GDPR compliance journeys.