‘2019 is the year of enforcement’: GDPR fines have begun
This week, U.K. data protection authority the Information Commissioner’s Office levied major fines against British Airways and Marriott International for violating the General Data Protection Regulation. The move seemed to indicate the ICO is starting to ramp up the pain for those still violating GDPR, more than a year after it came into force.
On July 8, the regulator fined British Airways an eye-popping £183 million ($228 million) for leaking the personal data of 500,000 of its customers. Marriott International got slapped with a fine of just over £99 million ($124 million) for exposing a variety of personal data in 339 million guest records globally. BA and Marriott have 21 days in which they can make representations to fight their corner and try and reduce the fines.
The sheer size of the fines, while far less than the maximum allowed under GDPR, indicate that the ICO doesn’t intend to shy away from imposing major fines when a large volume of customer data has been leaked. Every single company that uses third parties to process customer data on their behalf is vulnerable to the same kind of security breach. Granted, the fines have been deemed proportionate to a cyber crime-level data breach, where the stakes tend to be higher than they may be for a company misusing cookies in order to target banner ads. But some ad executives have said the fines set a worrying precedent for the ad industry regardless. They maintain that the timing of the fines — coming just two weeks after the ICO’s warning shot to the ad tech sector — is no coincidence.
The ICO has stressed that the current use of personal data within programmatically traded ads, in particular via real-time bidding, needs user content. That means the way some ad tech businesses are still deploying it is illegal under GDPR.
“[The ICO] talks about the potential scope and impact of a data breach in RTB where you’re also talking massive scale,” said Gabe Morazan, director of product management at CrownPeak, parent company to privacy vendor Evidon. “If you look at the amount of data collected and passed through RTB networks and programmatic advertising, it is a large amount of consumer data and lends itself to that possibility to being similar in size and scope [of customers affected in BA and Marriott fines]. 2019 is the year of enforcement.”
If any ad tech partner along the digital ad supply chain hasn’t done enough to secure their own tech, hundreds of thousands of customers could be affected, with sensitive data leaked, he added. Perhaps not credit card data, as in BA’s case, but data that fits into GDPR “special category” rule such as health, ethnic background or political leaning. The ICO has flagged it is aware this kind of data is still being used within bid requests, without explicit user consent — unacceptable under GDPR. Ad tech businesses cannot use the legitimate-interest clause to justify the use of this kind of personal data, according to the ICO’s latest warning.
Some ad tech executives believe the BA and Marriott fines set a precedent for how the ICO means to proceed with the ad tech sector. “They [ICO] won’t be shy,” said Mark Bembridge, CEO of contextual ads firm Smartology. “Given the use of data in RTB, the fact the ICO has reacted with such a large fine for BA is worrying for RTB and programmatic players still using personal data with no consent.”
Part of the fallout from the BA and Marriott fines may lead to data controllers scrambling to renegotiate liability in contracts with their data processors, according to legal experts. Prior to GDPR’s enforcement, the maximum fine for any data protection violation was £500,000 ($624,000) — as Facebook experienced when it was fined that amount last July. That means that most contracts would have remained with that amount as a liability cap, even post GDPR enforcement. So a processor would only have been on the hook for a maximum of £500,000 should they inadvertently cause a data protection breach: A more manageable sum than the €20 million ($22 million) or 4% of annual global revenue allowed under GDPR. But this week’s fines change that completely, according to legal sources. “The [liability] negotiation table suddenly looks very different,” said Sarah Williamson, partner at Ashfords Solicitors and specialist in ad tech law.
“Because we hadn’t seen fines from the ICO like this before, the cap on liability was proportionate and based on risk born by both parties,” she added. “This announcement will now make people very nervous and could make negotiating liability clauses far trickier.”
The result: In order to protect themselves, data controllers may demand far higher liability caps that cover them in the case of a maximum GDPR fine. That puts data processors in the hot seat, and smaller ones, in particular, may face going under if they accept uncapped liability demands. Either that or they must consider walking away from partnerships if they’re unsuccessful in pushing back. Trusted relationships between data controllers and processors will be more important than ever.
Pernod Ricard thinks the Facebook advertiser revolt won’t be enough to curb hate speech online, so it’s developing an app to help
Pernod Ricard is developing an app that will let people flag hate speech they see online.
‘Hug them close and punch them in the nose’: How upstart Protocol, eager to get inside crowded tech beat, struggled and cut to survive
The company had an ambitious goal: To do for tech news coverage what Politico had done for politics coverage a decade earlier.
Member Exclusive‘Allow the creators to create’: EOS hands influencers the wheel to drive effectiveness of its TikTok campaigns
In the latest Digiday+ Talk, Soyoung Kang talked about EOS's relationship with TikTok's creative influencers and how her team has used its paid TikTok campaigns to drive organic growth on its own channel.
SponsoredWhy data clean rooms are a start, but not enough
Clean rooms are intended to be a “safe space” for brands to collaborate with walled gardens, but the greater opportunity for all brands is bringing together all of their data to create a single source of truth that they own and can continually enrich.
‘My white colleagues are looking to me for answers’: Confessions of a Black ad tech exec
While the ad tech has taken strides toward being more inclusive, it has also suffered setbacks, according to a senior Black exec.
‘It is important for us to take a leadership role’: How esports giant FaZe Clan is working to root out bad behavior in the gaming community
Lee Trink, CEO of the $240 million esports collective, on its expansion plans and no tolerance rule on divisive language.