By Malcolm McBratney, Partner, Scott Coulthart, Special Counsel and Teneille Meyer, Lawyer
The UK Information Commissioner’s Office (ICO) recently announced its intention to fine British Airways £183.39M for infringements of the European Union’s privacy law, the General Data Protection Regulation (GDPR).
The proposed fine relates to a cyber incident that British Airways notified to the ICO in September 2018. The incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, the following details of approximately 500,000 British Airways customers were harvested:
- log in details;
- payment card details;
- travel booking details; and
- name and address information.
The proposed fine against British Airways follows a number of other fines (albeit not as substantial) recently issued by the ICO, showing just how seriously the Information Commissioner is taking data protection.
The Information Commissioner commented in response to the British Airways fine that:
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
This seems to be just the start – the ICO has the power to enforce fines of up to €20 million, or 4% of a company’s annual global turnover – whichever is greater.
In Australia, it appears the Office of the Australian Information Commissioner (OAIC) is also starting to show its teeth. The OAIC now has the power to impose fines of up to $2.1 million for breaching the Australian privacy laws.
Overall, we are seeing companies become more vigilant and aware of their privacy obligations. Companies are recognising that non-compliance risks not only the financial loss of a fine, but also the reputational damage that follows from being found to lack adequate data protection practices and policies.
In today’s climate, it’s no longer a question of ‘if’ your company suffers a data breach, it’s a question of ‘when’.
Key Takeaways (even if you only trade in Australia):
- Data breaches are on the rise and you need to be prepared.
- Understand your privacy obligations and current compliance levels: are your privacy policies and procedures up to date? Review your existing contracts, your technology and data security, and your current policies and procedures. This may identify areas for improvement and may even allow you to fix a weakness before it leads to a data breach.
- Develop a data breach response plan. This plan should include immediately escalating any suspected data breach to senior management, assessing the breach, and reporting eligible data breaches to affected individuals and the OAIC (where required) in a timely manner.
- Monitor Compliance. Continually monitor and refine your policies, procedures and systems in place (and make sure your staff know about them!).
- Consider whether you are caught by the GDPR. The GDPR applies not only to organisations established in the EU, but also to organisations outside the EU that offer goods or services to individuals in the EU, or that monitor the behaviour of individuals in the EU. This means a business might be caught if, for example, it sets tracking ‘cookies’ in the browsers of users located in the EU.