One of the questions I hear most frequently is “will the GDPR be as big a deal as everyone promised?” Of course, the real question is “will the GDPR be as big a deal as you, Jay, promised,” and it is a fair one. Privacy commentators spent a great deal of time in 2018 talking about the importance of preparing, and the leadup to May 25 was rife with warnings, predictions, and forecasts about how GDPR would change everything, and that it was ushering in a new era. And then, the great day came and... crickets.
There was, to be sure, something of a letdown after GDPR became operative last year, at least from the perspective of American news media expecting splashy headlines about EU regulators slapping massive fines on companies. In fact, there was very little to report on in 2018 and the first half of 2019, other than Google’s €50 million fine from the CNIL. Plenty of knowledgeable people began to wonder whether the law was a paper tiger, openly noting that the much-anticipated regulatory ramp-up simply had not materialized.
That changed over the past two weeks.
Perhaps it was a year of growing staff or all the public commentary, but regulators across the EU have become much more focused on their regulatory profile. First, the French regulator CNIL announced that it was taking a new, more aggressive approach to handling online tracking and cookies. This announcement is particularly important given that the EU has still not finalized the text of the ePrivacy Regulation, which will govern tracking and OBA (online behavioral advertising) across the Union. CNIL has taken the position that the present state of online tracking is, simply, incompatible with GDPR, and has put marketers and users of tracking technology on notice that times are changing:
The CNIL will give stakeholders a transitional period of 12 months, so that they have the time to comply with the principles that diverge from the previous recommendation. During this transition period, scrolling down, browsing or swiping through a website or application will still be considered by the CNIL as acceptable.
In other words, there’s one more year of using cookies to gather every bit of data you can about consumers, then everything changes. CNIL has invited input from a broad range of stakeholders, including “content editors, advertisers, service providers and intermediaries in the marketing ecosystem, [and] civil society,” but one can assume that the real conversation will be with groups like IAB, the Interactive Advertising Bureau, which has stepped up its own anti-GDPR rhetoric lately. In the end, it’s not a fight that IAB is likely to win, especially given increasing public concern and awareness of online tracking.
The UK, too, has become more aggressive in its approach to GDPR enforcement. The Information Commissioner’s Office has, like CNIL, placed online tracking directly in its sights. In a white paper released late last month, ICO explained that it had taken a great deal of input from interested groups as it considers how to protect personal data in the context of real-time bidding — the process whereby advertisers bid for the right to advertise to you based on tracking data collected on an ongoing basis. ICO’s guidance is that, as currently constituted, most RTB practices are improper and have to be scrapped. At the very least, companies engaged in RTB need to conduct a DPIA in order to ensure that their activities don’t run afoul of existing ICO guidance. In other words: like CNIL, ICO is giving advertisers a few more months to get their act together before the fines start.
But, to that point, will the fines be serious? At this point, other than Google’s, we’ve only seen fines of €50,000 or €100,000, which, although serious, are not company-ending fines for most. So are the threats of major enforcement actions just that, threats? Or will the regulators start actually inflicting financial pain on companies that breach GDPR? Well…
Yes, I suppose I buried the lede a bit, but this would be the largest privacy-related fine, ever, anywhere. In September 2018, BA announced that it had been the victim of a cyber-attack between August 21 and September 5. It took the airline only 24 hours to announce the breach, well within the 72-hour limit imposed by GDPR: on September 6, the airline explained that data related to 380,000 booking transactions had been compromised, and that the breach included sensitive financial information, including credit card account data. Apparently, the hackers had skimmed BA’s payment page before consumers submitted their orders, the same technique used against Ticketmaster earlier in 2018.
The predictions, in 2018, were that ICO would investigate and penalize BA to the tune of a few million pounds. As one cybersecurity professional put it, “[i]s it a test case? Absolutely. Will it result in a major fine? I don’t think so . . . [I predict a fine] in the £5 to 10 million range . . . That’s substantial but it does not put the company at risk and is not ‘too political.’” But, uh…yeah. That didn’t happen.
A fine of £183m is meaningful on a few levels. It represents about 1.5% of British Airways’ operating revenue for 2018 which, although not the 4% maximum, is still an extraordinarily high number, and far outstrips any fine preceding it. The fine also demonstrates ICO’s willingness to go after what is perceived as an essential national brand — it’s hard to imagine CNIL making a similar move against Airbus or BNP at this point. That willingness to be “tough” is, perhaps, a direct counterpoint to recent criticism leveled at the Irish Data Protection Commissioner’s office for being too cozy with Big Tech.
Finally, it hints at an enforcement posture that looks beyond October 31 and Brexit. BA, inevitably, will appeal the fine and attempt to have it whittled down to something smaller. The ICO will, in turn, make its case, but it will do so in a process that will certainly occur after Britain’s slated exit from the European Union. In a sense, then, the ICO may be hinting that its approach to data protection and privacy will not change, even if GDPR no longer applies — after all, the Data Protection Act 2018, which implemented the terms of the GDPR in the UK, is organic British law, and not a regulation from Brussels. In short, this major fine against a major, iconic British entity may well be proof that, even if the UK is no longer in the EU data protection regime, the EU’s approach to data protection isn’t going anywhere.