GDPR fines: can third party service providers be fined for the privacy lapses?
In the space of just two months, the UK’s data watchdog, the ICO, has dished out nearly £40m in personal data breach fines to some of the country’s best-known companies - British Airways, Marriott International and Ticketmaster. Whisper it quietly, but the ICO’s burst of penalty decisions, coming after significant delays, goes some way to countering mutterings that the regulator lacked the will to take on large and well-resourced opponents.
But as the dust settles and the ICO waits for the cheques to arrive, the companies - and their shareholders - may be wondering how much they are ‘on the hook’ for, and whether any of the fines or the costs of dealing with the regulatory action can be recovered from others.
Those poring over the terms of insurance policies are likely to be disappointed. While it is not entirely settled, case law suggests regulatory penalties are probably uninsurable on public policy grounds, and the small print of insurance contracts may even include ‘clawback’ provisions for the legal costs paid out whilst defending regulatory action where an insured is ultimately found liable.
Next up for consideration are the third party contractors and suppliers, often smaller entities with fewer resources, caught up in the data breaches. Pre-GDPR, such third parties could point out that they were data processors, avoiding data protection liability. GDPR upended that, imposing both regulatory and private law liability on processors too. In each of the three cases before the ICO, BA, Marriott and Ticketmaster (the data controllers) sought, to varying degrees, to offset their own liability by pointing to the contributory negligence of such third parties.
In many respects, data controllers and processors face the same risk of GDPR liability: both are required to implement appropriate security measures for personal data, each is subject to the panoply of ICO enforcement powers, and aggrieved data subjects are entitled to seek compensation from controllers and processors as a result of regulatory infringements, subject to an exemption where they can show they were not in any way responsible for the breach.
Crucially, though, it is controllers which retain ultimate responsibility for personal data processing undertaken on their behalf. After all, it is they which assess whether a third party has sufficiently guaranteed security to take on the outsourced processing role. One of the key lessons of the BA, Marriott and Ticketmaster penalty notices is that responsible data controllers should not simply slough off responsibility to processors, then sit back and relax. They have ongoing security duties which the ICO will rigorously enforce - remaining vigilant, verifying a processor’s ongoing compliance with its obligations, and acting promptly on warning signs. Finger pointing at processors will get data controllers nowhere if they have failed to abide by these duties.
However, data processors do not escape scot-free. Though their data security obligations differ from those of a controller, they too are obliged to implement appropriate technical and organisational measures to protect the personal data they hold, and they are obliged to notify controllers ‘without undue delay’ when they become aware of data breaches. (In practical terms, data processing contracts often require that processors notify immediately upon learning of a data breach.) Like data controllers, processors can also be in line for swingeing penalties for GDPR breaches where the regulator finds them at fault, and data subjects can bring civil claims against them for material damage and distress.
In the event that the ICO imposes a regulatory fine on a data controller for a security breach, it would be contrary to public policy to allow the controller to ‘handball’ it to the processor regardless of what the data processing contract says. That said, processors who breach their agreements with controllers could still be liable for breach of contract.
However, if the ICO has already dismissed arguments that the processor was to blame and instead found the controller liable for GDPR breaches, the data controller may struggle to persuade a court to award damages against the processor when they themselves have been weighed and found wanting by the ICO. Nevertheless, this is a developing area and those drafting processing agreements will doubtless seek advantage for their respective clients to the extent that the law permits in the event that disputes occur.