European regulators not afraid to enforce GDPR penalties
By now you might have heard the news that British Airways is facing a record fine from the UK’s Information Commissioner’s Office (ICO) over a 2018 breach affecting around 500,000 customers. The cyber criminal group Magecart injected skimming script into the card checkout pages of the airline’s website and mobile app, harvesting customers’ personal and payment card details as they were entered.
Back in January, the Irish Data Protection Commission (DPC) opened an investigation into Twitter for a GDPR violation regarding a user’s request for information. Around the same time, France’s Commission Nationale de l’Informatique et des Libertés (CNIL) came down on Google to the tune of $57 million, likewise for insufficient transparency with users, as well as consent processes. We reported at the time on how these incidents reflected the stance from European regulators towards infractions that compromise consumers’ personal data. While not necessarily what you might call hard line, it shows growing willingness from these agencies to at least use their teeth.
British Airways is discovering that now, with the £183 million fine the ICO has announced it intends to levy for last year’s data breach. As stated, this is a new record. In contrast to certain courts in the US, which might prefer to absolve companies of their data protection responsibilities, the agency seems to have the right attitude. According to Information Commissioner Elizabeth Denham, “when you are entrusted with personal data you must look after it,” and handlers of large volumes of personal data must protect these “fundamental privacy rights” or face the consequences.
The penalty is certainly a far higher sum than the £500,000 fine the ICO gave Facebook less than a year ago for its role in the Cambridge Analytica scandal. Such is the result of GDPR: under the previous, now superseded Data Protection Act 1998, that paltry amount was actually the maximum allowed. How times have changed.
Poor security measures were cited as the cause of the airline’s breach, and those measures have reportedly improved somewhat since the incident. Regardless, ‘surprise and disappointment’ were the sentiments British Airways expressed over the ICO’s decision.
Personally, I’m not too sure surprise should be too pronounced: not for GDPR doing what it says it will do. At the very least, it will likely be a less common reaction from organizations going forward.