A new piece by me on the Mishcon de Reya website – BA’s parent company’s latest financial filings indicate it’s planning for (at most?) a E22m fine.
Category Archives: monetary penalty notice
Yet more delays to proposed ICO BA and Marriott fines
I have this piece on the Mishcon de Reya website. More than a year since they were first proposed, ICO has still not converted its notices of intent into actual fines. Will it ever?
COVID-19 and ICO’s proposed fines for BA and Marriott
I have a piece on the Mishcon de Reya website, questioning whether the Coronavirus might fundamentally affect the likelihood of BA and Marriott receiving huge GDPR fines.
Why the big pause? ICO delay agreed re GDPR fines
On the Mishcon website: ICO agrees delay over GDPR fines with both BA and Marriott
€9.5m GDPR fine to German telco for insecure customer authentication
Another post by me on the Mishcon de Reya website – federal telecoms regulator issues fine for Article 32 failings after callers could give customer name and d.o.b. and obtain further information.
Filed under Data Protection, Europe, GDPR, monetary penalty notice
The Cost of Enforcement
I wrote recently, on the Mishcon de Reya Data Matters blog, about whether BA and Marriott might actually avoid the fines the Information Commissioner’s Office (ICO) intends to serve on them. In that piece, I said
one has no doubt whatsoever that BA and Marriott will have had lawyers working extensively and aggressively on challenging the notices of intent.
With that in mind, it is interesting to note that, in commentary on recent management accounts, the ICO warns that
Legal expenses…are tracking at much higher levels than budgeted and are expected to be adverse to budget for the full financial year
Indeed, the ICO’s legal spend for this year is forecast to be £2.65m, against a budget of £1.98m. These sound like large sums (and of course they are), but, compared with the likely legal budgets of BA, or Marriott, or indeed, many other of the huge companies whose processing is potentially subject to enforcement action by ICO, they are tiny. Any large controller faced with a huge fine will almost inevitably spend large sums in challenging the action.
Query whether ICO can, realistically, actually afford to levy fines at the level GDPR envisages?
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
Whither the ICO fines for BA and Marriott?
I have a new post on the Mishcon de Reya website, asking what is happening regarding the notices of intent served some months ago on BA and Marriott Inc.
Farrow & Ball lose appeal for non-payment of data protection fee
I have a new post on the Mishcon de Reya website, drawing attention to the first (and unsuccessful) attempt to appeal an ICO monetary penalty for failing to pay the statutory data protection fee.
ICO – no GDPR fines in the immediate pipeline
FOI request reveals ICO has served no “notices of intent” to serve fines under GDPR. A new piece by me on the Mishcon de Reya website.
ICO – “we’re very sorry we fined you”
***Update, 3 September. ICO have now published their apology – although scant on details it does state that “there were significantly fewer complaints than previously evidenced” and that this information led to the withdrawal of the MPN.***
It’s not unusual for the recipient of a monetary penalty notice (MPN) to appeal to the Information Tribunal. It’s not entirely unusual for such appeals to be settled by consent of the parties (normally when one of them concedes that its case is not tenable).
It’s much rarer, however, for a consent order to have attached to it a requirement that the Information Commissioner’s Office should apologise for serving the MPN in the first place. But that’s exactly what has recently happened. A consent order dated 25 September 2018 states that, by consent, the appeal by STS Commercial Limited is allowed, and that
The Commissioner will publish [for four weeks] on the Information Commissioner’s Office website in the section “News, blogs and speeches”, the following statement:
On 6 July 2018 the ICO announced that the Information Commissioner had imposed a fine of £60,000 on STS Commercial Ltd for allowing its lines to be used to send spam texts. STS Commercial Ltd appealed that penalty and upon considering the grounds of appeal, the ICO accepts that the appeal should be allowed and no monetary penalty should be imposed. The ICO apologises to STS Commercial Ltd.
Already, most of the traces of the MPN have been removed from the ICO’s website (and Google returns broken links), although the apology itself does not appear to have yet been uploaded.
Section 55B(5) of the Data Protection 1998 provides for the right of appeal, in respect of MPNs served by the ICO under section 55A for contraventions of the Privacy and Electronic Communications (EC Directive) Regulations 2003. And paragraph 37 of the Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 provides that the Tribunal may
make a consent order disposing of the proceedings and making such other appropriate provision as the parties have agreed
One wonders what on earth occurred that has led not just to the appeal being disposed of, but such contrition from the ICO!
The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
informationrightsandwrongs 