GDPR Shows its Teeth – UK Pursuing Record Fines for Data Breaches, Emphasizes Accountability

July 11, 2019 | David Krebs

If there was any question as to the willingness of EU data protection authorities to pursue significant monetary penalties for violations of the European General Data Protection Regulation (“GDPR”), this past week has surely put those uncertainties to rest. The UK Data Protection Authority (“ICO”) is pursuing record fines for data breaches, emphasizing the importance of safeguarding personal data, accountability, as well as the importance of due diligence in M&A transactions.

Earlier this week, ICO announced it will be pursuing a fine of £183M for a 2018 British Airways data breach, and then just one day later, on July 10, it released a statement that it will also be seeking nearly £100M for a breach that affected Marriott Hotels customers. In each case, the company will make representations, and other affected European data protection authorities (“DPAs”) will provide input, before ICO makes its final determination.

Under the GDPR, DPAs have the ability to impose fines of up to 4% of a company’s global annual turnover (or up to €20M, whichever is higher) for breaches of the Regulation, including the failure to maintain adequate security standards. In contrast, in Canada, the Federal Privacy Commissioner (“OPC”) can pursue fines of up to $100,000, but only for a limited number of infractions under Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”), including the failure to adequately report or record a data breach. This limited ability, among other concerns related to the OPC’s enforcement powers, is currently being highlighted by Commissioner Therrien in his calls for necessary changes to PIPEDA. In its “Digital Charter” document released in May ‘19, the federal government also signaled that changes to PIPEDA would likely need to include additional enforcement powers for the OPC, referring to the gaps that exist in relation to the GDPR in this regard.

The British Airways and Marriott Hotel Breaches

In the Marriott breach, the number of affected individuals was staggering, estimated at over 300,000,000 customers. The issues apparently stemmed from gaps in security standards at Starwood hotels, which Marriott had acquired in 2016. The compromised systems were not discovered until 2018.

The British Airways incident affected far fewer individuals, 500,000, but is alleged to have occurred due to more severe security failures than was the case at Marriott Hotels. A fraudulent site posing as British Airways had siphoned customer data, including payment information and reservation information, for a period of months.

In making the announcement of the Marriott fines, ICO Commissioner Denham emphasized the importance of accountability and due diligence in M&A transactions, noting:

“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected [emphasis added].”

In the case of British Airways, the proposed fine represents approximately 2% of its global annual turnover, which means it could potentially have been even higher. British Airways is of the view that the fine is excessive, but given the dearth of comparable precedent under the GDPR, this fine, along with the one being pursued for the Marriott Hotel breach, is in a sense setting a benchmark for other DPAs. The ICO noted that both organizations were cooperative during the investigation.

  • It is apparent that DPAs are willing to pursue significant fines for breaches of GDPR, even where companies have been willing to cooperate.
  • Appropriate due diligence in M&A transactions is a way to potentially mitigate privacy-related risk for purchasers.
  • Fines will not only take into account the number of affected individuals but also the circumstances that led to the breach and the significance of the data at issue.
  • These fines will not go unnoticed in Canada, adding context to the current debate about additional enforcement powers for OPC.

The Miller Thomson privacy and cyber security team will continue to monitor these along with other cases in the EU and elsewhere that may have an impact on Canadian organizations.
