In recent months a great deal has been made of the massive increase in fines which the General Data Protection Regulation (GDPR) will bring in. Currently, the maximum fine the Information Commissioner’s Office (ICO) is able to levy in the UK is £0.5m. Once the GDPR comes into force in May 2018, the maximum fine will be significantly higher, either 4% of the offending organisation’s global revenue or €20m – whichever is greater.
However, fines may not be the real cost the GDPR brings for businesses. Partly this is because the ICO is unlikely to apply the maximum fines, but mostly it is because compensation claims may present a more significant risk. We do not yet know what level of compensation for victims of a data breach will be deemed appropriate, and it will vary with each situation. However, in this piece I’ll suggest that if a company is deemed responsible for a data breach similar to the Talktalk hack, then the figure could be around £500 per person. When considering data breaches which affect hundreds of thousands, or even millions, of customers, this liability could present a much greater risk than the maximum fines for most companies.
How big will the fines be?
Will the ICO levy the maximum fines? Article 83 of the GDPR gives 11 different considerations to be taken into account when deciding the size of a fine. Factors to consider include past behaviour, whether the infringement was intentional and whether mitigating actions had been taken. Whilst some companies may be intentionally breaching the law, I think it safe to assume that most infringements are more likely to be due to a lack of preparedness than to wilful bad practice. The ICO is currently able to fine up to £0.5m, but its largest fine to date was for £0.35m, and in that instance the lead generation company’s business model consisted of making nuisance calls which breached consent rules. So, if the ICO deemed it appropriate to fine only 70% of the maximum possible amount when a company’s business model depended on breaking the rules, it is reasonable to assume that a first offence resulting from an honest mistake by a company is unlikely to receive the maximum fine.
It is also worth noting that the ICO is a practical organisation. I would expect that they will be more lenient initially in May 2018 as the GDPR comes into force and best practice is established.
So, based on the ICO’s previous approach, the administrative fines may not be as bad as they appear, but this doesn’t mean companies shouldn’t be concerned. In fact, any administrative fine may open the door for much costlier compensation claims.
The cost of compensation claims
The GDPR states that individuals can claim compensation (from either the data processor or the data controller) if they’ve suffered damage as a result of an infringement of the GDPR. Recital 146 sets the bar for liability as, “The controller or processor should be exempt from liability if it proves that it is not in any way responsible for the damage”. This means it seems likely that an organisation fined by the ICO would also be liable for compensation claims.
The GDPR allows for multi-party compensation claims. Significantly, by aggregating what may individually be quite small sums, a firm would be able to build a large case against a company if there was an infringement affecting large numbers of people. Whilst the UK is less litigious than the US, partly due to views on champerty (third party funding of frivolous litigation) and to the loser of a case being liable for the winner’s fees, these may fail to act as a deterrent if the ICO has already levied a fine and stated that it thinks the defendant was responsible and at fault.
So how much would these compensation claims be? This is tricky to answer. Up until last year it wasn’t possible in the UK to make a claim relating to data protection without evidence of a financial loss. This changed with the Vidal-Hall vs Google case, which established that a claimant could claim compensation even when they had not experienced a financial loss. Instead their claim could be based on non-financial damages, known as moral damages, an example of which might be emotional distress. However, as the case only took place last year, there aren’t yet examples of how much might be awarded for something like a data breach. Until the GDPR comes into effect, we’re less likely to see cases of this type, precisely because the obligations on companies regarding data protection are less developed now than they will be under the GDPR.
What compensation might look like – Talktalk as a case study
Whilst there are no direct examples to look at, we can look at analogous examples where the same principles have been considered. The Financial Ombudsman Service is responsible for settling disputes between consumers and financial services firms. The Ombudsman has five tiers of awards, ranging from ‘non-monetary’ to ‘extreme’, the latter being awards over £5,000. Which tier a claim fits in, and the value within that tier, depends upon the specifics of each case. It is perhaps easiest to look at a real case to get a sense of what type of compensation might be appropriate.
A good case study is the Talktalk hack from 2015. Cyber experts have said that Talktalk had failed to implement basic defence measures. Under the GDPR this could expose them to the lower tier of administrative fines: the higher of €10m or 2% of global revenue. Talktalk’s global revenue in 2015 was £1,835m, 2% of which is about £37m. For now, based on the ICO’s previous fines, let’s imagine that the ICO imposed 20% of the maximum fine, which would be about £7.4m.
157,000 customers were affected by the hack. A data breach is also an appropriate example to take, as the GDPR makes breach notification compulsory, which will increase customers’ awareness and so potentially compound the likelihood of claims. Some of those affected were subsequently victims of fraud, and so have suffered a financial loss which could be assessed separately. Those who didn’t suffer a financial loss may well still have been extremely worried by what happened. Perhaps they were concerned that they would be victims of crime in the future or that money may have been stolen from their accounts. This may mean they had a case for moral damages.
The Financial Ombudsman’s ‘moderate’ tier is for awards of less than £500. An example of a case in this tier was where “The business mislaid paperwork the consumer had sent containing their personal information. The loss of the documents caused the consumer worry and distress”. This is similar in some ways, but omits the intent present in the Talktalk hack. In the case of Talktalk, the data was deliberately stolen. It wasn’t that an attacker might have obtained the data; it’s that they did, and were trying (or another party was trying) to use that data to defraud customers. The tier above, ‘substantial’, is for £500-£2,000 and includes examples such as “The business wrongly advised the consumer that they would be exempt from inheritance tax – causing the consumer disappointment and inconvenience when their tax planning failed”. Perhaps this level of distress better reflects the stress which Talktalk customers will have experienced.
To get a conservative estimate, let’s take the meeting point of these two ranges: £500 for each of the 157,000 claimants. This would give Talktalk a bill of £78.5m, over ten times the imagined administrative fine and over twice the maximum possible fine.
These figures are of course just guesses and would represent an upper limit. In reality, due to the opt-in nature of UK Group Litigation Orders, a multi-party case would not represent every single person affected by the breach, so the number of claimants would be significantly lower than 157,000. Even so, to understand the full cost of non-compliance with the GDPR, companies should look carefully at their potential liability for compensation, as well as for fines.