PC Pro

NICOLE KOBIE

GDPR has let our data watchdog issue whopping fines, but it’s still not enough

- work@nicolekobie.com


The data watchdog is toothless no more. Until last year’s arrival of GDPR, the Information Commissioner’s Office (ICO) was limited to fines of up to £500,000 against companies for data breaches. It didn’t use that power very often, saving it for the worst offenders, such as Facebook’s Cambridge Analytica debacle. Now, it can fine up to 4% of revenue or £17 million, whichever is larger – and it’s started to test just how sharp its new teeth are.

BA and Marriott both felt the bite within days of each other. BA was fined £183 million for “poor security arrangements”, according to the ICO, which led to hackers making off with half a million customers’ login credentials, payment card details and more, working out to £366 per person affected. Marriott was fined £99.2 million after hackers took personal data, including passport and credit card details, from 339 million guests globally. Both companies plan to appeal against the fines.

I’ve spent much of my career as a tech journalist in this country lamenting the failure of the ICO to take real action on data breaches and privacy invasions – back in 2013, Google was given a slap on the wrist for accidentally hoovering up personal data with its Street View camera cars. Such an incident deserved the highest fine possible, even if it was only £500,000 back then, in order to highlight the severity of what had happened.

So I should be celebrating the ICO finally baring its teeth, but it’s become clear that even these massive fines aren’t enough. Despite being the biggest yet doled out for privacy breaches in the UK, these charges remain small beans for such massive corporations. BA’s fine of £183 million is 1.5% of its turnover; its owner IAG posted profits of €2.9 billion last year. Meanwhile, Marriott’s £99.2 million is about 3% of sales; the company made $3.6 billion profit in 2018.

Plus, the ICO simply has bad timing. Its biggest-yet fines came days before the US Federal Trade Commission (FTC) settlement with Facebook. Forget millions: Facebook will pay $5 billion for privacy invasions including the Cambridge Analytica debacle. At first glance, that sounds remarkable – it’s the most the FTC has ever fined a tech company and makes the ICO’s bite look like a nibble. And yet, Facebook’s share price ticked upwards; it had already accounted for the fine in its previous results, setting aside $3 billion back in April, and its profit for that quarter was still $2.4 billion. Not even the FTC’s weighty fine could push the company into the red, so forget the ICO’s piddling punitive action.

What’s the answer? For Facebook, it may be more direct regulatory action. The company has been slapped on the wrist by the FTC before, with small fines and toothless pledges to do better, but that clearly didn’t change a thing. You can forget about the reputation argument, too. If you were expecting user numbers to drop on the back of such negative headlines, forget it: Facebook’s monthly usage figures actually climbed 9% this year versus last.

The argument about reputation doesn’t work for companies such as BA and Marriott either, because when we book flights and hotels we’re looking at destination and price rather than the difficult-to-know quality of their IT infrastructure. Instead of trying to inspire or encourage it via financial motivation, better behaviour may need to be forced.

One answer could be tighter privacy laws – ones that see liable directors end up in jail if they put customers at risk. Another route could be embedding regulators, similar to financial watchdogs that work directly out of banks – though I admit they’re hardly the most trusted institutions. The truth is that, despite years of writing about data breaches and how to inspire companies to spend cash on preventing them, I don’t have one definitive answer. I genuinely thought big fines would help, but it’s not enough.

Perhaps rather than one simple answer, we need a change in attitude. In the past, we’ve erred on the side of protecting companies, forgiving them for missteps to avoid crushing nascent industries and technologies. Now we should try something new: we should err on the side of protecting user privacy and risk companies taking a hit – as we’ve seen, they can afford it. These are all new problems, so let’s try out some new weapons. And thanks to the £282.2 million windfall about to hit the Treasury’s coffers, we can afford to pay for them now.

Nicole Kobie is PC Pro’s Futures editor. Give her 1% of those fines and she’ll come up with all the answers to data privacy you need. @njkobie