Record-Breaking Proposed Fines Against British Airways and Marriott International Under GDPR
The Information Commissioner’s Office (ICO), the UK’s independent authority on data privacy, issued notices of its intention to fine British Airways and Marriott International £183,390,000 and £99,200,396, respectively, for infringement of the EU General Data Protection Regulations (GDPR). The proposed fines arise from unrelated data breaches at the two companies. These fines are of interest to Canadian businesses both because some Canadians do business in the EU and in light of recent government indications that Canada may revise its privacy laws in a manner bringing them closer to GDPR.
The proposed fine against British Airways relates to a cyber incident beginning in June 2018. The personal data of approximately 500,000 customers was harvested by attackers as user traffic was diverted from the British Airways website to a fraudulent site. The ICO asserts that information such as login details, payment cards, travel booking details, names and addresses was compromised as a result of poor security arrangements by British Airways.
The proposed fine against Marriott International relates to a cyber incident involving the exposure of the personal data contained in approximately 339 million guest records globally. The vulnerability is believed to have begun in 2014 within the systems of the Starwood Hotels Group, which Marriott International subsequently acquired in 2016. The exposure was not discovered until 2018. The ICO asserts that Marriott International failed to undertake sufficient due diligence for the 2016 purchase, and failed to ensure proper security of its systems.
British Airways and Marriott International will have the opportunity to make representations to the ICO regarding the ICO’s findings and these proposed large fines.
The EU General Data Protection Regulations
GDPR, which came into effect in May 2018, is directed at protecting the security of, and providing greater control for, personal information collected by organizations. The regulations apply to any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier (e.g., name, IP address). The regulations impose significant accountability obligations on both data controllers (the entity determining how data is collected and used by the organization) and processors (third parties engaged in processing personal data for controllers).
Under the regime, organizations engaged in serious breaches of the GDPR can be fined up to 4% of annual global turnover or €20,000,000, whichever is greater. Less significant infringements, such as not notifying the supervising authority and data subject about a breach, or failing to conduct an impact assessment, can result in lesser fines.
Why This Matters to Canadian Businesses
GDPR can apply to Canadian businesses that conduct business in the EU. This does not just mean having physical offices in the EU but includes offering goods and services to individuals in the EU through websites or mobile apps. In some circumstances, collecting personal information about individuals in the EU can also engage GDPR. In light of the large fines that can potentially be levied, businesses that collect personal information about individuals in the EU should seek professional advice.
Canada’s own privacy regime may also be headed toward a more GDPR-like approach. The Privacy Commissioner of Canada has recently taken aggressive actions based on a potential interpretation of Canadian legislation that incorporates concepts found in the GDPR, such as making a reference to the Federal Court of Canada seeking a ruling about whether Canadian law includes a GDPR-type “right to be forgotten”. The Government of Canada has also announced a Digital Charter that appears to foreshadow an evolution of Canadian privacy law toward a GDPR-like system. Canadian businesses should ensure not only that they have the safeguards to comply with current law but also the ability to adapt to future requirements.