When the Privacy Watchdogs Bare Their Teeth
July 2019 brought an escalation in the enforcement of privacy infringements by companies around the world. The trend began with a press release published on July 8, 2019, of a fine in the approximate amount of GBP 183 million (about USD 230 million) that ICO, the British privacy protection regulator, plans to impose on the British airline company British Airways. The following day it was reported that the same regulator was planning to impose a fine of about GBP 99 million (about USD 123 million) on the international hotel chain Marriott. These two procedures began after the companies reported to the regulator about cyber attacks that affected their systems, as required by the new European privacy protection legislation, the General Data Protection Regulation (GDPR).
Across the pond, the American Federal Trade Commission (FTC) approved a settlement agreement with Facebook, whereby Facebook will shoulder a fine of about USD 5 billion for privacy infringements revealed in the course of the Cambridge Analytica investigation.
These events underscore the trend that began with the GDPR taking effect and should lead any business entity coming across personal information (and almost all do) to several conclusions:
Privacy regulators around the world are quite aggressive in enforcing privacy infringements. The tools given to them by the GDPR are not meant to stay in the toolbox. In Europe, the fines imposed by the British ICO break the impressive record set by the CNIL, the French privacy protection regulator, in a fine it imposed on Google for EUR 50 million in January 2019. In the United States, the fine expected to be imposed on Facebook will be the heftiest fine ever to be imposed by the FTC for privacy infringements, with the current record being the USD 22.5 million fine imposed on Google in 2012.
Global companies should be concerned not only about the regulatory exposure they are expected to face in Europe, but also in the United States—thus far not considered a privacy protection superpower—which seems to have no hesitation about exercising its power against violators of privacy laws. In this context, it is important to mention the California privacy protection law, the California Consumer Privacy Act (CCPA), which will take effect on January 1, 2020. Additional states in the United States are also working toward strengthening the privacy protections in their own jurisdictions.
Since cyber events are out of the control of affected companies, they must be prepared for them in advance. Such events lead to an investigation by a privacy protection regulator, during which the affected company’s conduct prior to the event is inspected. Hence, at any given moment, companies must be able to demonstrate that they are taking proper precautions to protect the privacy of those people whose information they maintain.
Though the GDPR is viewed as targeting internet, advertising, and big data giants, commercial companies, too, are on the radars of privacy protection agencies around the world.
Companies reporting cyber events are no longer considered “victims” of cyber-attacks, but rather the immediate suspects in fostering the conditions that allowed the attacks and the harm caused by them.
For companies operating in Israel, we also note the horizontal supervision procedures taken by the Privacy Protection Authority. These were designed to identify companies that fail to meet the information security standards that took effect in May 2018. Unless business entities have prepared for them in advance, these proactive auditing processes are burdensome, and could also lead to sanctions for violations.
All the above require business entities to place great emphasis on the issues of privacy and information security in the course of their activity.