Hot on the heels of the £20 million fine issued to British Airways, the Information Commissioner’s Office (“ICO“) has issued Marriott International Inc. (“Marriott“) with a long-awaited penalty notice for its failure to ensure appropriate security of the personal data it processed. The global hotel chain has been fined £18.4 million, which is a substantial reduction from the £99.2 million contemplated by the ICO’s notice of intention to fine. Unfortunately, the decision failed to give any detailed explanation for the reduction in the level of the fine from £99.2 million to £28 million. Although, a further 20% reduction to £22.4 million was designed to acknowledge Marriott’s cooperation, and a further £2 million reduction was to reflect the impact of the coronavirus pandemic. READ MORE
James Lloyd is a partner in Orrick's “outstanding” Cyber & Data Privacy Enforcement & Litigation Practice in London. Working with clients to navigate all aspects of international data privacy and cyber security crises to achieve better commercial, regulatory and judicial outcomes.
Bringing a unique approach to cybersecurity and privacy in the UK and Europe, James serves his clients in guiding their response to cyberattacks, data breaches and enforcement action by data protection regulators. Described by his clients as “extremely knowledgeable and can always be relied on to provide timely, pragmatic and commercial advice,” James helps them navigate the confusing and, at times, contradictory world of privacy with confidence, and support them to achieve their overall business aims and objectives.
James has led the response to significant enforcement investigations by international and domestic regulators, including the UK’s Information Commissioner’s Office, law enforcement agencies and Parliamentary Select Committees and also has significant expertise in conducting internal investigations on behalf of international corporations. Backed by extensive litigation experience, he is able to defend his clients when data privacy issues lead to litigation.
Posts by: James Lloyd
On November 11, 2020, the European Data Protection Board (EDPB) published its long-awaited guidance on what parties to international data transfers should be doing to perform such transfers in a manner compliant with the Regulation (EU) 2016/679 (the General Data Protection Regulation or GDPR) in light of the European Court of Justice’s (CJEU) decision in Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Schrems II).
Unfortunately, the draft guidelines provide no panacea for companies engaged in international data transfers of personal data from the EEA to third countries. Instead, organizations face 55 pages of guidance that provide few workable solutions for international data transferors—apart from a lengthy protocol for conducting risk assessments. READ MORE
When British Airways (“BA”) suffered a significant personal data breach in September 2018, just months after the coming into force of the EU General Data Protection Regulation (“GDPR”), all eyes were on the UK’s Information Commissioner’s Office (“ICO”). Would the ICO use the UK’s flagship airline as a “poster child” for post GDPR enforcement? Was this the moment that much-hyped fines of up to 4% of global turnover come to pass? READ MORE
In September 2020, the UK government published its National Data Strategy (“NDS”), aiming to use data to boost the UK economy and to “unlock the power of data for the UK,” particularly in light of Brexit. The NDS is intended to set out the UK’s government focus on data, following the recent announcement that responsibility for government use of data will move from the Department for Digital Culture Media and Sport to the Cabinet Office. READ MORE
Following the CJEU’s invalidation of the EU Commission’s adequacy decision on the EU-U.S. Privacy Shield in Schrems 2.0, on September 8, 2020, the Federal Data Protection and Information Commissioner (FDPIC) found that the Swiss-U.S. Privacy Shield does not meet the data protection standards set by the country’s Federal Act on Data Protection (FADP). READ MORE
In one of the world’s first test cases regarding the legality of the use of automated facial recognition and biometric technology, on 11 August 2020 the English Court of Appeal handed down judgment in R (Bridges) v CC South Wales. The court found that the use of this technology by the South Wales Police Force violated privacy, equality and data protection laws. READ MORE
Today’s decision by the Supreme Court to allow the appeal in WM Morrison Supermarkets plc v Various Claimants may on first glance look like a significant setback to privacy advocates. However, the court’s unanimous judgment should be viewed with some relief by those arguing for greater privacy protections. Whilst the Supreme Court ruled that, on the facts, WM Morrisons Supermarkets plc (“Morrisons”) could not be held liable for the actions of its rogue former employee, the court said that, had it been necessary to decide the question, it would have held that the statutory data protection regime did not exclude the imposition of vicarious liability on employers. Furthermore, the decision also provides no protection to companies who have been held to be at fault for a data breach, since data subjects will have a direct right of action against the company in those cases and will not be relying on establishing vicarious liability. READ MORE
We expect national and international privacy regulators to take a pragmatic and reasonable approach to helping organisations navigate data protection compliance during the current COVID-19 crisis. This week, both the European Data Protection Supervisor (the “EDPS”) and the UK’s Information Commissioner’s Office (the “ICO”) have shown that expected pragmatism. READ MORE
Over the past few days, commentators and, in some cases, government ministers have stated that the GDPR (and by association the Data Protection Act 2018) are preventing some organisations from providing a comprehensive response to the COVID-19 crisis. READ MORE
The decision to appeal a regulatory finding is never taken lightly. By the time a regulator has completed its investigation and notified a company of its intention to fine, the company will have invested significant time and money in responding to the regulatory investigation. As such, there is a real temptation to accept the fine and the accompanying statement from the regulator and move on.
However, in the case of recent regulatory findings, fines and intentions to fine issued by the UK’s Information Commissioner’s Office (the “ICO”) against British Airways, Marriott and Dixons Carphone, all three companies have appealed or indicated an intention to appeal despite the significant difference in the levels of the fines/intentions to fine. In our view, this is related to the spectre of an emerging class action litigation culture in the UK that increases the stakes for any company facing negative regulatory findings.
In this UK-focused blog we explore the potential motivation behind these decisions to appeal, why we expect to see more companies taking this approach in the future, and the steps to be taken in order to appeal decisions by the ICO and we also consider whether the companies that have failed to appeal and are now facing class actions made the right decision when they elected not to appeal.