Europe Gets Tough

GDPR enforcement finally starts to pack a punch

James J. Ward
Jul 8, 2019 · 6 min read

One of the questions I hear most frequently is “will the GDPR be as big a deal as everyone promised?” Of course, the real question is “will the GDPR be as big a deal as you, Jay, promised,” and it is a fair one. Privacy commentators spent a great deal of time in 2018 talking about the importance of preparing, and the lead-up to May 25 was rife with warnings, predictions, and forecasts about how GDPR would change everything and usher in a new era. And then the great day came and… crickets.

[Image] “You can’t say that. *I* can say that, but you can’t say that.”

There was, to be sure, something of a letdown after GDPR became operative last year, at least from the perspective of American news media expecting splashy headlines about EU regulators slapping massive fines on companies. In fact, there was very little to report on in 2018 and the first half of 2019, other than Google’s €50 million fine from the CNIL. Plenty of knowledgeable people began to wonder whether the law was a paper tiger, openly noting that the much-anticipated regulatory ramp-up simply had not materialized.

That changed over the past two weeks.

Perhaps it was a year of growing staff or all the public commentary, but regulators across the EU have become much more focused on their regulatory profile. First, the French regulator CNIL announced that it was taking a new, more aggressive approach to handling online tracking and cookies. This announcement is particularly important given that the EU has yet to finalize the text of the ePrivacy Regulation, which will govern tracking and online behavioral advertising (OBA) across the Union. CNIL has taken the position that the present state of online tracking is, simply, incompatible with GDPR, and has put marketers and users of tracking technology on notice that times are changing:

The CNIL will give stakeholders a transitional period of 12 months, so that they have the time to comply with the principles that diverge from the previous recommendation. During this transition period, scrolling down, browsing or swiping through a website or application will still be considered by the CNIL as acceptable.

In other words, there’s one more year of using cookies to gather every bit of data you can about consumers, and then everything changes. CNIL has invited input from a broad range of stakeholders, including “content editors, advertisers, service providers and intermediaries in the marketing ecosystem, [and] civil society,” but one can assume that the real conversation will be with groups like the IAB, the Interactive Advertising Bureau, which has stepped up its own anti-GDPR rhetoric lately. In the end, it’s not a fight that the IAB is likely to win, especially given increasing public concern about and awareness of online tracking.

The UK, too, has become more aggressive in its approach to GDPR enforcement. The Information Commissioner’s Office has, like CNIL, placed online tracking directly in its sights. In a white paper released late last month, the ICO explained that it had taken a great deal of input from interested groups as it considers how to protect personal data in the context of real-time bidding (RTB) — the process whereby advertisers bid for the right to advertise to you based on tracking data collected on an ongoing basis. The ICO’s guidance is that, as currently constituted, most RTB practices are improper and have to be scrapped. At the very least, companies engaged in RTB need to conduct a data protection impact assessment (DPIA) to ensure that their activities don’t run afoul of existing ICO guidance. In other words: like CNIL, the ICO is giving advertisers a few more months to bring themselves into compliance before the fines start.

[Image] “Otherwise, go find me two slices of bread.”

But, to that point, will the fines be serious? So far, other than Google’s, we’ve only seen fines of €50,000 or €100,000, which, although serious, are not company-ending fines for most. So are the threats of major enforcement actions just that, threats? Or will the regulators start actually inflicting financial pain on companies that breach GDPR? Well…

[Image] I guess that answers that.

Yes, I suppose I buried the lede a bit, but this would be the largest privacy-related fine, ever, anywhere. In September 2018, BA announced that it had been the victim of a cyber-attack between August 21 and September 5. It took the airline only 24 hours to announce the breach, well within the 72-hour limit imposed by GDPR — on September 6, the airline explained that data related to 380,000 booking transactions had been compromised, and that the breach included sensitive financial information, including credit card account data. Apparently, the attackers had skimmed card data from BA’s payment page before customers submitted their orders, the same technique used against Ticketmaster earlier in 2018.

The predictions in 2018 were that the ICO would investigate and penalize BA to the tune of a few million pounds. As one cybersecurity professional put it, “[i]s it a test case? Absolutely. Will it result in a major fine? I don’t think so . . . [I predict a fine] in the £5 to 10 million range . . . That’s substantial but it does not put the company at risk and is not ‘too political.’” But, uh… yeah. That didn’t happen.

[Image] Welp.

A fine of £183m is meaningful on a few levels. It represents about 1.5% of British Airways’ operating revenue for 2018, which, although not the 4% maximum, is still an extraordinarily high number and far outstrips any fine preceding it. The fine also demonstrates the ICO’s willingness to go after what is perceived as an essential national brand — it’s hard to imagine CNIL making a similar move against Airbus or BNP at this point. That willingness to be “tough” is, perhaps, a direct counterpoint to recent criticism leveled at the Irish Data Protection Commissioner’s office for being too cozy with Big Tech.

Finally, it hints at an enforcement posture that looks beyond October 31 and Brexit. BA, inevitably, will appeal the fine and attempt to have it whittled down to something smaller. The ICO will, in turn, make its case, but it will do so in a process that will almost certainly play out after Britain’s slated exit from the European Union. In a sense, then, the ICO may be hinting that its approach to data protection and privacy will not change, even if GDPR no longer applies — after all, the Data Protection Act 2018, which implemented the terms of the GDPR in the UK, is organic British law, not a regulation from Brussels. In short, this major fine against a major, iconic British entity may well be proof that, even if the UK is no longer in the EU data protection regime, the EU’s approach to data protection isn’t going anywhere.

[Image] Nigel doesn’t even like Belgian waffles.

Originally published at https://wardpllc.com on July 8, 2019.

James J. Ward

Written by

Privacy lawyer, data nerd, fan of listing three things. Co-author of “Data Leverage.” Nothing posted is legal advice/don’t get legal advice from blogs.