The decision to appeal a regulatory finding is never taken lightly. By the time a regulator has completed its investigation and notified a company of its intention to fine, the company will have invested significant time and money in responding to the regulatory investigation. As such, there is a real temptation to accept the fine and the accompanying statement from the regulator and move on.
However, in the case of recent regulatory findings, fines and intentions to fine issued by the UK's Information Commissioner's Office (the "ICO") against British Airways, Marriott and Dixons Carphone, all three companies have appealed or indicated an intention to appeal despite the significant difference in the levels of the fines/intentions to fine. In our view, this is related to the spectre of an emerging class action litigation culture in the UK that increases the stakes for any company facing negative regulatory findings.
In this UK-focused blog we explore the potential motivation behind these decisions to appeal, why we expect to see more companies taking this approach in the future, and the steps to be taken in order to appeal decisions by the ICO. We also consider whether the companies that elected not to appeal, and are now facing class actions, made the right decision.
A change in the legal landscape
On 25 May 2018, the UK's data protection regime fundamentally changed with the coming into force of the General Data Protection Regulation (the "GDPR") and the Data Protection Act 2018 ("DPA 2018"), which supplements the GDPR in the UK. Among the headline-grabbing provisions of the GDPR was the regulator's ability to issue fines of up to Euro €20 million (approximately USD $22.4 million), or up to 4% of an organisation's total global turnover (whichever is higher) for severe breaches of the GDPR. Of perhaps equal significance was the enhanced private right of action for any person who has suffered material or non-material damage as a result of an infringement of the GDPR and the right to compensation for the damage suffered. Interestingly, these legislative changes occur against the backdrop of an evolving landscape on representative actions in the English courts with cases like Lloyd v Google looking to pave the way for "opt-out" (U.S. style) class action litigation as opposed to the "opt-in" group litigation approach traditionally favoured by the English courts.
There is now a greater awareness of the impact of regulatory decisions on private rights of action and the associated risks faced by respondents. In July 2019, the ICO, the regulator responsible for enforcing data protection laws in the UK, notified its intention to fine British Airways ("BA") GBP £183 million (approximately USD $237 million) and Marriott International, Inc. ("Marriott") GBP £99 million (approximately USD $128 million) in respect of breaches of the GDPR. Due to the level of the intended fines, both BA and Marriott were required to issue stock market announcements, causing significant falls in both their share prices. Both companies publicly committed to pursuing any necessary appeals (as set out in detail below). It is unclear if the ICO was prepared for details of the intended fines to become public.
Given the comparatively low level of fines under the pre-GDPR regime of the Data Protection Act 1998 ("DPA 1998") (a GBP £500,000 maximum, or approximately USD $646,000), one would be forgiven for thinking that organisations who were facing regulatory action from the ICO and were "lucky" to be captured by the old regime would be less likely to appeal even the maximum level of fine. However, in recent weeks we have seen Dixons Carphone plc ("Dixons Carphone") confirm that it will be appealing its maximum fine under the DPA 1998. This poses the question: what is the rationale for these appeals?
The devil is in the detail
Under Article 83 of the GDPR, fines are intended to be effective, proportionate and dissuasive. Guidance published under the DPA 1998 stated that the fines must be "sufficiently meaningful to act both as a sanction and also as a deterrent to prevent non-compliance of similar seriousness in the future by the contravening person and by others." The ICO's notices of intentions to fine in the BA and Marriott cases certainly garnered press attention. In the week following the announcement of the proposed fines on BA and Marriott, there was a surge of interest in cyber insurance, cyber security and legal advice: a cyber security firm in London reported a 32% spike in the number of visitors to its website the day after the BA announcement. To better understand the factors that influence a company's decision to appeal, it is worthwhile considering recent high-profile cases and the decisions taken by British Airways, Marriott, Dixons Carphone and Equifax.
British Airways / International Airlines Group ("IAG")
On 8 July 2019, IAG (the parent company of BA) made a market announcement to the London Stock Exchange that British Airways "had been notified by the UK Information Commissioner's Office (ICO) that it intends to issue the airline with a penalty notice under the UK Data Protection Act. The ICO has indicated that it proposes to impose a penalty of £183,390,000 (1.5 per cent of British Airways' worldwide turnover for the financial year ended 31 December 2017)." The ICO published a statement in response setting out that its position is that "poor security arrangements" allowed hackers to steal hundreds of thousands of customers' log-in, payment card and travel-booking details as well as names and addresses when user traffic to the BA website was diverted to a fraudulent site.
BA's chairman and chief executive stated that the company was "surprised and disappointed" by the ICO's initial findings and that BA had been quick to respond to the data theft. The chief executive of IAG confirmed that the company would "take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals". As of the date of this article, the airline is awaiting the ICO's decision and will presumably be hoping that the representations it has made will convince the ICO to impose a more lenient penalty. In any case, given the magnitude of the proposed fine and the strong words of IAG's chief executive, an appeal is very likely to be pursued.
Marriott International, Inc. ("Marriott")
A day after the BA notice, Marriott stated in a filing with the U.S. Securities and Exchange Commission that "the UK Information Commissioner’s Office (ICO) has communicated its intent to issue a fine in the amount of £99,200,396 against the company in relation to the Starwood guest reservation database incident that Marriott announced on November 30, 2018." The proposed fine represents about 3% of the company's global turnover in 2018. Marriott's share price fell by 5.7% in the wake of the news.
The ICO published a statement in response, confirming its intention to fine Marriott in relation to a vulnerability in the security systems of the Starwood hotels group in 2014, which was bought by Marriott in 2016. Marriott did not discover the exposure of customer data until 2018. The ICO's investigation found that the American hotel chain had "failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems" post-purchase.
Marriott's statement mirrors that of BA, asserting its disappointment with the notice of intent and signalling its intention to contest the ICO's findings. The company clarified that it has the right to respond before a final determination is made and confirmed that it intends to "vigorously defend" its position. Like BA, the final penalty notice has not yet been published and, if the company's representations do not significantly alter the ICO's decision, it looks likely that it will appeal.
Dixons Carphone plc ("Dixons Carphone")
On 9 January 2020, DSG Retail Limited ("DSG"), a subsidiary of Dixons Carphone, received the maximum fine under the DPA 1998 following a cyber-attack between July 2017 and April 2018 that allowed hackers to access customer data from cash registers at Currys PC World and Dixons Travel Stores. The ICO stated that but for the statutory limitation of GBP £500,000, a higher penalty would have been reasonable and proportionate. The ICO found that the company had contravened data protection principle 7 of the DPA 1998 in relation to technical and organisational measures against the unauthorised and unlawful processing of data, stating that "there were a number of distinct and fundamental inadequacies in the security arrangements for DSG's systems" which were "multiple, systemic and serious." The ICO specifically quoted a statement given by DSG's chief executive that "the protection of our data has to be at the heart of our business, and we've fallen short here" and claimed this demonstrated the company's awareness that this contravention was of a kind likely to cause substantial damage or substantial distress.
Dixons Carphone issued a statement that it was "disappointed in some of the ICO's key findings which we have previously challenged and continue to dispute" and confirmed that it was considering its grounds for appeal. It has subsequently been reported that Dixons Carphone has indeed decided to pursue an appeal.
Naturally, the level of the intended fines against BA and Marriott would be cause for concern for both organisations and would influence any decision to appeal. However, given the level of the fine faced by Dixons Carphone, it perhaps would have been reasonable for Dixons Carphone to have elected to pay the GBP £500,000 fine and bring these matters to an end rather than face additional negative publicity and further costs. The primary driver behind the decision to appeal may not be the monetary values but the statements that accompany them.
Equifax Ltd ("Equifax")
Equifax, a major credit reference agency in the U.S., was fined the maximum penalty under the DPA 1998 on 20 September 2018 following a cyber-attack in 2017 that exposed 146 million customers' personal information globally. Whilst the company stated that it was "disappointed in the findings and the penalty," it took the "commercial decision" to pay the fine rather than to appeal. Perhaps Equifax decided that the fine from the UK regulator was insignificant compared to the $575 million–$700 million settlement it reached in the U.S. in relation to the data breach. However, given the class action that has followed (discussed further below), they may now be regretting that decision.
Sticks and stones and class actions
There is a growing trend towards class actions for data breaches in the UK. The Court of Appeal judgment in Lloyd v. Google provided a huge step towards "opt-out" style class actions in the UK.
Robert Lloyd, described by the Court of Appeal as a "champion of consumer protection" and former director of the consumer rights group Which?, is seeking to bring a claim against Google LLC ("Google") on behalf of more than 4 million Apple iPhone users. This case is in the context of Mr. Lloyd's application for permission to serve proceedings on Google out of the jurisdiction (a requirement under English Court rules), but several important legal issues were addressed at this interim stage.
One of the key issues in this case was whether the users had suffered "damage" under section 13 of the DPA 1998. At first instance, the High Court stated that the breach of the duty imposed by section 4(4) of the DPA 1998 (namely, to comply with the data protection principles in relation to all personal data with respect to which he is the data controller) "had caused neither material loss nor emotional harm, and had had no other consequences for the data subject." However, on appeal, the Court of Appeal ruled that personal data can be sold, giving examples showing that data, and consent to its use, has an economic value. If a person's control over their data has a value, then so too must the loss of that control.
On that basis, it was also much easier to argue that the iPhone users affected constituted a "representative class" for the purposes of rule 19.6 of the Civil Procedure Rules (CPR 19.6), which requires that the persons affected have the "same interest" in order for a claim to be brought by a representative. The Court of Appeal concluded that the members of the potential class all had their data harvested by Google without their consent in the same circumstances and during the same period, and consequently all sustained a loss of control over that data. Moreover, Google could not raise a defence to one user that would not equally apply to the other 3,999,999 or so. As such, the iPhone users had a common interest and a common grievance.
The case demonstrates a willingness by the courts to allow opt-out class actions for data breaches, which has not been seen before in the UK. Indeed, the judge stated that "it seems to me that allowing a representative action in a case of this kind is not so much an exception to the rule […] but rather an application of the rule." However, the case did clarify that there is a "seriousness" threshold, which would undoubtedly exclude a claim for damages for an accidental one-off data breach that was quickly remedied. The important factor here was that Google was deliberately and unlawfully misusing users' data for commercial purposes without their consent and in violation of their established right to privacy.
Although Lloyd v. Google was brought under the DPA 1998, the case is likely to be used as a precedent for future cases brought under the DPA 2018. In fact, Sir Geoffrey Vos referred specifically to the GDPR in his judgement. As there is no automatic right of appeal in the English courts, Google has sought the court's permission to appeal to the Supreme Court. A decision on this is pending.
Another representative claim in relation to the DPA 1998 was brought soon after the decision in Lloyd v. Google in relation to the Equifax data breach. The representative claimant is seeking GBP £100 million in damages (approximately USD $130 million) for, amongst other things, loss of control of personal data. Equifax is attempting to distinguish its case from Lloyd v. Google, arguing that the court should not exercise its discretion to allow the representative action as, whereas Google had "surreptitiously and unlawfully" taken data for the purpose of monetising it, Equifax was subject to a criminal attack by a third-party criminal or criminals, of which it too was a victim. Equifax argues that opt-out class actions should only be allowed when there is a statutory basis for such collective action.
A matter of two days after judgement was given in Lloyd v. Google, the High Court approved a group litigation order ("GLO") for those affected by the BA data breach. A GLO is a different beast to a representative action: it is appropriate where more than one claimant has a cause of action raising common or related issues of fact or law, and it allows those claims to be grouped together and managed under specific procedural rules. Claimants have to specifically opt in to join the claim and will be identified in the proceedings. This is different to a representative action, where anyone with the "same interest" is automatically included in the claim unless they take positive steps to opt out. Those affected have until 17 January 2021 to sign up to join the claim. The court-appointed lead solicitors for the action are estimating that claimants could be awarded GBP £2,000 each in damages. In theory, if all 500,000 people affected were to join the claim, this could lead to a GBP £1 billion pay-out (although note that, as of October 2019, only 7,000 people had signed up to the litigation). This is significantly higher (nearly 4.5 times) than the GBP £183 million fine that the airline could face from the ICO.
Finally, by way of comparison, in EU competition law cases there is an established route to private damages where a follow-on claim relates to precisely the same facts as the infringement decision of a competition authority. UK and European legislation allow "follow-on" or "piggyback" litigation whereby the decision of the regulator is binding, meaning that anyone who chooses to bring a claim does not need to establish liability and can move straight to the questions of causation and loss. Whether the courts will apply the same principle by analogy to data protection enforcement is a live issue. In its Defence to the representative action, Equifax argued that, to the extent that the ICO concluded otherwise in the penalty notice, "those conclusions are not binding in the Court and are in any event wrong." The company asserts that it made a commercial decision to pay the penalty rather than appeal and argues that it has not and does not admit the contraventions of the DPA 1998 "alleged" in the ICO's penalty notice. It will be interesting to see whether similar legislation is passed in the UK, given the amount of court resources likely to be consumed by private litigation following a data breach. As the threat of class action becomes more real in the UK, the decision as to whether or not to appeal regulatory enforcement action becomes more important.
Mounting an appeal
Given the considerations discussed above, a company faced with a notice of intent to fine from the ICO will need to think about its options carefully. The mechanism and timings of any appeal will depend on whether the organisation in question is facing a notice of intent to fine, a penalty notice or another type of enforcement notice.
A notice of intent must include the reasons for the proposed penalty notice, an indication of the level of fine to be imposed and any aggravating or mitigating factors. Under the DPA 2018, companies are entitled to make written representations for a period of not less than 21 days from the date of the notice. Exceptionally, oral representations may be made, and the notice will set out the arrangements in relation to this. Representations should challenge the basis of the ICO's findings, contest any aggravating factors and emphasise points in mitigation. Often the ICO is prone to hyperbole, so any representations should attempt to tone down the language used and ensure that the ICO's words are premised on a clear factual basis. A final penalty notice will not be issued until six months following the notice of intent (and cannot be given during the period set for making representations), although this can be extended by agreement.
Companies have 28 days to pay the fine once the penalty notice is issued. Under the old regime, fines could be reduced by 20% if paid within 28 days (a discount that was lost if the company chose to exercise its rights of appeal), but this practice no longer applies. Under section 162 of the DPA 2018, both the imposition of the penalty and the amount of the penalty can be appealed to the First-tier Tribunal (the "Tribunal"). The timetable for the appeals process is as follows:
The Tribunal can then review any determination of fact on which the penalty notice or decision against which the appeal is brought was based. In addition, if the Tribunal considers (a) that the notice or decision against which the appeal is brought is not in accordance with the law, or (b) to the extent that the notice or decision involved an exercise of discretion by the ICO, that the ICO ought to have exercised the discretion differently, it must allow the appeal or substitute another notice or decision that the ICO could have given or made.
A decision made by the Tribunal can be appealed to the Upper Tribunal by making a written application to the Tribunal for permission to appeal within 28 days of the Tribunal's decision, but the grounds to do so are restricted to appealing a point of law. If the Tribunal refuses permission to appeal, companies have a right to make an application to the Upper Tribunal for permission to appeal. There are further avenues of appeal, but again, this would only be on points of law, and there would have to be important points of principle or practice or some other compelling reason for the appeal to be heard.
A waiting game
Following the introduction of the GDPR, the ICO has not shied away from using the full force of its powers. The penalty notices given to BA and Marriott (which are currently scheduled to be finalised in March 2020) will be eagerly awaited by security officers and data protection advisers, as they will shed some light on what procedures the ICO deems to be appropriate to avoid cyber-attacks, or at least provide learnings as to how the companies fell short of the required standard. However, the penalty notices will also demonstrate the importance of the representations made by companies in response to allegations made by the regulator. In our view, it is unlikely that the ICO will significantly alter its position given the high-profile nature of these data breaches and the opportunity to use this as a deterrent to other companies. BA and Marriott will certainly be influenced by the level of the fines with which they are faced when deciding whether to appeal their respective fines. However, if recent trends in UK regulatory enforcement are anything to go by, the statements that accompany any fines will be of great interest to all named participants, claimant lawyers and company boards. We expect that the statements made within a penalty notice will be scrutinised, and companies will likely ask themselves whether they can live with not just the fine but the statements that may invite potential litigation. As many companies are recognising right now, a "commercial decision" not to appeal the fine can be used against the company as evidence that it breached its obligations under data protection legislation. An appeal might be unappealing at first, given the costs and time involved, but those factors will only get worse should a class action be brought.