Record Breaking Proposed Fines Against British Airways and Marriott International Under GDPR
The Information Commissioner’s Office (ICO), the UK’s independent authority on data privacy, issued notices of its intention to fine British Airways and Marriott International £183,390,000 and £99,200,396, respectively, for infringement of the EU General Data Protection Regulations (GDPR). The proposed fines arise from unrelated data breaches at the two companies. These fines are of interest to Canadian businesses both because some Canadians do business in the EU and in light of recent government indications that Canada may revise its privacy laws in a manner bringing them closer to GDPR.
The proposed fine against British Airways relates to a cyber incident beginning in June 2018. The personal data of approximately 500,000 customers was harvested by attackers as user traffic was diverted from the British Airways website to a fraudulent site. The ICO asserts that information such as log in details, payment cards, travel booking details, names and addresses were compromised as a result of poor security arrangements by British Airways.
The proposed fine against Marriott International relates to a cyber incident involving the exposure of the personal data contained in approximately 339 million guest records globally. The vulnerability is believed to have begun within the systems of the Starwood Hotels Group in 2014, which was subsequently acquired by Marriott International in 2016. The exposure was not discovered until 2018. The ICO asserts that Marriott International failed to undertake sufficient due diligence for the 2016 purchase, and failed to ensure proper security of its systems.
British Airways and Marriott International will have the opportunity to make representations to the ICO regarding the ICO’s findings and these proposed large fines.
The EU General Data Protection Regulations
GDPR, which came into effect in May 2018, is directed at protecting the security of, and providing greater control for, personal information collected by organizations. The regulations apply to any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier (e.g., name, IP address). The regulations impose significant accountability obligations on both data controllers (the entity determining how data is collected and used by the organization) and processors (third parties engaged in processing personal data for controllers).
Under the regime, organizations engaged in serious breaches of the GDPR can be fined up to 4% of annual global turnover or €20,000,000, whichever is greater. Less significant infringements, such as not notifying the supervising authority and data subject about a breach, or failing to conduct an impact assessment, can result in lesser fines.
Why This Matters to Canadian Businesses
GDPR can apply to Canadian businesses that conduct business in the EU. This does not just mean having physical offices in the EU but includes offering goods and services to individuals in the EU through websites or mobile apps. In some circumstances, collecting personal information about individuals in the EU can also engage GDPR. In light of the large fines that can potentially be levied, businesses that collect personal information about individuals in the EU should seek professional advice.
Canada’s own privacy regime may also be headed toward a more GDPR-like approach. The Privacy Commissioner of Canada has recently taken aggressive actions based on a potential interpretation of Canadian legislation that incorporates concepts found in the GDPR, such as recently making a reference to the Federal Court of Canada seeking a ruling about whether Canadian law includes a GDPR-type “right to be forgotten”. The Government of Canada has also announced a Digital Charter, that appears to foreshadow an evolution of Canadian privacy law toward a GDPR-like system. Canadian businesses should ensure not only that they have the safeguards to comply with current law but also the ability to adapt to future requirements.
Authors
Insights
-
Capital Markets
Public Safety Canada Releases Updated Guidance on Modern Slavery Reporting Obligations
The Fighting Against Forced Labour and Child Labour in Supply Chains Act (the “Act”) came into force on January 1, 2024, implementing enhanced reporting requirements for certain entities to… -
Crisis Management and Urgent Proceedings
Panoramic Next: Crisis Management 2024 - Canada Chapter
Mark Dunn and Sarah Stothart co-authored the Canada Chapter of Panoramic Next: Crisis Management 2024. Through a series of interviews with expert legal… -
Capital Markets
Modern Slavery Reporting Obligations for Canadian Entities Effective January 1, 2024
The Fighting Against Forced Labour and Child Labour in Supply Chains Act (the “Act”) came into force on January 1, 2024, implementing enhanced reporting requirements for certain companies and… -
Dispute Resolution
Director Duties and Climate Change
Decisions earlier this year from the English courts in ClientEarth v Shell Plc et al., and the recent appeal decision from the Court of Appeal of England and Wales, shed light on climate change issues… -
Intellectual Property
Canadian Intellectual Property Office Increases Fees Effective January 1, 2024
As of January 1, 2024, the Canadian Intellectual Property Office (CIPO) will be increasing most of its fees by 25%. Filing fees, renewal fees, opposition filing fees, as well as fees for initiating… -
Dispute Resolution
The Courtroom Climate, Best Lawyers
In Best Lawyers’ recent 2023 Business Edition, Peter Kolla explores justiciability, and other limitations Canadian Courts face when trying climate change cases. Excerpt from "The Climate…
Featured Work
-
Mergers and Acquisitions
Playmaker Capital Inc. enters into an agreement to be acquired by Better Collective A/S
Goodmans LLP acted for Playmaker Capital Inc. in connection with its agreement to be acquired by Better Collective A/S… -
Construction and Infrastructure
HB Construction Co. v. Potash Corp. of Saskatchewan Inc. et al
Goodmans LLP acted for HB Construction Co. in respect of the construction of a mine in New Brunswick. The litigation relates to a claim in respect of the installation of mechanical and electrical… -
Mergers and Acquisitions
McCain Capital Partners Acquisition of Forest City Fire Protection
Goodmans LLP acted for McCain Capital Partners in connection with its acquisition of Forest City Fire Protection. Forest City Fire Protection will now unite with Classic Fire Protection (another… -
Restructuring
Cirque du Soleil Restructuring
Goodmans LLP acted for the Ad Hoc Committee of Lenders of Cirque du Soleil Entertainment Group in connection with the successful closing of a sale transaction and its emergence from creditor… -
Mergers and Acquisitions
Harvest One Completes Acquisition of Delvira
Goodmans LLP represented Delivra Corp. in connection with its arrangement transaction with Harvest One Cannabis Inc., pursuant to which Harvest One acquired all of the issued and outstanding shares of… -
Mergers and Acquisitions
Newmont and Goldcorp Combine to Create World's Leading Gold Company
Goodmans LLP acted for Newmont Mining Corporation (NYSE: NEM) (Newmont or the Company) in connection with its agreement to acquire all of the outstanding common shares of Goldcorp Inc. (NYSE: GG, TSX…
News & Events
-
Banking and Financial Services
The Canadian Legal Lexpert Directory 2024 Continues to Recognize Goodmans
We are proud to announce Goodmans LLP has once again been recognized in the 2024 edition of The Canadian Legal Lexpert Directory.91 Goodmans lawyers have been recognized as top-tier in their… -
Dispute Resolution
Goodmans Partners Recognized in the Lexpert Special Edition: Litigation 2023
We are delighted to announce the Lexpert Special Edition: Litigation 2023 once again features Goodmans partners among Canada's experts in litigation.Congratulations to our 13 featured… -
Dispute Resolution
David Conklin quoted in "High bar for class actions", Lexpert
In an article published by Lexpert, David Conklin shares his insight in "High bar for class actions". “I hate to say this – it started with me 10 years ago – but defence counsel…