德恒律所 | GDPR 新动向 | 数据保护合规风险正在上升

GDPR 新动向 | 数据保护合规风险正在上升

2019-07-22

2019年1月，谷歌因未履行GDPR规定义务，被法国监管机构国家信息与自由委员会（CNIL）处以5000万欧元罚款。7月8日，英国信息专员办公室ICO因数据泄露事件，对英国航空公司处以2.04亿欧元的罚款处罚。7月9日，国际知名酒店万豪集团因泄露客户信息，将面临ICO1.11欧元罚款……数据合规进程任重而道远。

NON-COMPLIANCE RISKS ARE RISING

On 21 January 2019, the French data protection authority, CNIL, imposed a fine on Google of €50 million for various breaches of the GDPR, and the first fine imposed by CNIL.This was to biggest fine to-date by far imposed by any DPA pursuant to the GDPR.

In early June, at DeHeng GDPR seminars in Beijing and Shanghai, I predicted that the risks of non-compliance with GDPR would rise rapidly before the end of this year. I suggested that by year-end, the €50 million fine imposed on Google in January this year might seem rather low. We do not need to wait until the end of this year for things to get more complicated for infringers.

As for Google, it is now facing a consumer class action in France for its GDPR infringement found in January by the French data protection authority, the CNIL. As you will recall, the CNIL found that Google browser users were not given a sufficient opportunity to provide an informed and unambiguous consent to Google’s privacy policy. This could raise Google's total exposure for that GDPR infringement to well over the initial €50 million fine.

Two days ago, the UK data protection authority, the ICO, announced that it will fine British Airways under GDPR a total of €204 million for a data breach involving some 500,000 BA customers. The ICO found that BA's data security system was legally insufficient for the purposes of the GDPR. More specifically, the ICO found that BA had failed to protect customers' names, addresses, email addresses, credit card information and log-in passwords.

For data breaches under Article 32 of the GDPR, BA could have been fined a maximum of 2% of its global group turnover, or a total of €280 million.

As you will see, the ICO's fine on BA was close to the ceiling allowed under GDPR. This is a very disturbing development because it suggests that fines will rise much higher. For infringements other than data breaches, such as the failure to obtain the informed consent of an individual to the processing of his data, the maximum fine is 4% of the company's global group turnover. Clearly, if the national data protection authorities are now considering the imposition of the maximum fine (unlike what happened to Google in January), companies much larger than BA could be in for some very serious pain if they are the target of a GDPR investigation.

As for BA, the ICO fine is just the beginning. BA will now face any number of follow-on collective lawsuits by customer groups.

And then yesterday, the ICO announced that it will fine Marriott a total of €111 million for a massive breach of its data security involving customers.

Obviously, the stakes are rising fast for companies. As I explained in early June, Chinese companies exposed to GDPR who continue to be indecisive about compliance are doing so at their peril.

本文作者：

微信图片_201903041540501.png

Dr. Frank Fine

德恒布鲁塞尔办公室

国际反垄断业务主管

Head of International Antitrust and Data Protection, DeHeng Law Offices (Brussel) Executive Director, China Institute of International Antitrust and Investment Visiting Professor of Law, China University of Political Science and Law(Admitted to practice in England & Wales, California and District of Columbia)

中国国际反垄断和投资研究中心担任执行主任，中国政法大学法学院国际反垄断与投资研究所访问教授。（拥有英格兰、威尔士、加利福尼亚和哥伦比亚地区执业资格。）

E-mail：frank.fine@dehenglaw.com

Disclaimer：

This article was written by the lawyer of DeHeng Law Offices. It represents only the opinions of the authors and should not in any way be considered as formal legal opinions or advice given by DeHeng Law Offices or its lawyers. If any part of these articles is reproduced or quoted, please indicate the source.

声明：

本文由德恒律所律师原创，仅代表作者本人观点，不得视为德恒律所或其律师出具的正式法律意见或建议。如需转载或引用本文的任何内容，请注明出处。

相关律师

Frank FINE

相关搜索

手机扫一扫