GDPR and COVID-19: Privacy Regulator Promises 'Flexibility'While Breach Notification Rules Still Apply, Expect Lower Fines
As the COVID-19 pandemic continues, Britain's privacy watchdog has signaled that although privacy rights and transparency remain paramount, it will take a more "flexible" regulatory approach.
"We see the organizations facing staff and capacity shortages. We see the public bodies facing severe front-line pressures. And we see the many businesses facing acute financial pressures. Against this backdrop, it is right that we must adjust our regulatory approach," says Elizabeth Denham, Britain's information commissioner, in a statement.
"A principle underpinning data protection law is that the processing of personal data should be designed to serve mankind. Right now, that means the regulator reflecting these exceptional times and showing the flexibility that the law allows," she adds (see: Privacy in the Era of COVID-19).
The Information Commissioner's Office notes that many organizations are facing serious operational challenges, including shortages of staff, reduced operations and massive financial constraints. In the healthcare, government and law enforcement sectors, meanwhile, staff members who are being redeployed are facing "severe front-line pressures."
The ICO, which enforces the EU's General Data Protection Regulation as well as Britain's Data Protection Act 2018, says it will take these circumstances into account via "an empathetic and pragmatic approach" for as long as the pandemic continues.
"This includes deciding how we exercise our enforcement powers, how we deliver technical advice and guidance to public and private sector organizations, how we continue to support transparency in public decision making and how we support the public in dealing with their complaints and queries," according to recently issued ICO guidance.
"It is important that we regulate for the time we are in now, but it is important too that we look to the future," Denham says. "Data protection can play a central role in promoting economic growth when we come out of this pandemic, encouraging public trust in innovation and supporting the U.K. as it steps forward in the global economy."
Breach-Notification Rules Still Apply
What does that mean in practice?
"It would be very difficult to think of a scenario where the ICO would take action against healthcare workers clearly trying to act to save lives within the backdrop of a public health emergency," according to the ICO's "data protection and coronavirus" data hub.
In the bigger picture, however, the ICO still requires organizations that suffer a data breach that involves personal information to report the breach within 72 hours of discovering it (see: 9 Cybersecurity Takeaways as COVID-19 Outbreak Grows).
But the regulator says that for now, it has ceased all audits. For organizations that it investigates, if the potential problem is a result of a situation caused or compounded by the pandemic, the ICO says it will take that into account, including by relaxing timelines for when information that it requires must be furnished.
All organizations that process data must continue to pay an annual fee to the ICO, although it says it will not prosecute any organization that does not do so if it can document that they are unable to pay, due to the current conditions.
In terms of investigations, for any organization that merits sanctions, the ICO expects to issue lower fines. In all enforcement actions, "before issuing fines we take into account the economic impact and affordability," the ICO says. "In current circumstances, this is likely to mean the level of fines reduces."
No 'Get Out of Jail' Card
As the stipulations make clear, the ICO continues to enforce GDPR and uphold Europeans' privacy rights.
"Although the ICO may appear to be adopting a more flexible approach to regulatory action because of COVID-19, despite the significant challenges that many organizations are currently facing, this doesn't mean that they should relax too much; the ICO's latest guidance is not a get-out-of-jail card," says attorney André Bywater, a partner at London-based Cordery (see: GDPR: Data Breach Class Action Lawsuits Come to Europe).
"Most notably, organizations should still aim to notify data breaches within 72 hours - and in the process also avoid risking sanctions for late notification - and also communicate breaches to affected individuals without undue delay; don't forget that there are also other issues at stake including reputation," he says. "Organizations should always bear in mind that guidance is only guidance - in a given matter the ICO might adopt a different approach, as also might a court. Finally, the guidance also serves as a reminder of the legal requirement for organizations to register with the ICO."
British Airways, Marriott Fines Could Get Modified
The COVID-19 pandemic may also have an impact on two major, as-yet-unresolved cases against British Airways and Marriott. Both suffered serious breaches and were investigated by the ICO, which published "notices of intent" to impose significant fines in both cases.
In July 2019, the ICO said in a notice of intent that it planned to impose a record-setting £184 million ($228 million) fine on British Airways after it suffered a September 2018 data breach that rerouted customers to a fraudulent site designed to steal their payment card data. About 500,000 customers were affected (see: British Airways Faces Record-Setting GDPR Fine).
Also last July, the ICO said in a notice of intent that it planned to impose a £99 million ($123 million) fine against hotel giant Marriott for its failure to more rapidly detect and remediate a data breach that persisted for four years. The breach, which Marriott disclosed on November 2018, exposed about 30 million related to residents of 31 countries in the European Economic Area and 7 million to U.K. residents. Marriott is contesting the fine (see: Marriott Faces GDPR Fine Over Mega-Breach).
Final fines, however, have yet to be set. "We're now expecting news of the BA investigation in May and the Marriott investigation in June," says attorney Jonathan Armstrong, a partner at Cordery. "Given the struggles both organizations face currently, as we've said previously, it might well be the case that we'll see significant reductions in the eventual fines for both companies from the headline figures in last year's notices of intent."