AQUILAW | View firm profile
Sucharita Basu, Partner, AQUILAW
Ankit Chhaparia, Associate, AQUILAW
Data protection and privacy issues have a major impact on all business and industry sectors, across the globe. Privacy laws are continuously evolving, vary by jurisdiction, and are interpreted unpredictably. Even a well-meaning company can make a false step as it captures, accesses, uses, transfers, and/or discloses personal information. In a follow-up to the General Data Protection Regulation, 2018 (“GDPR”), which was made effective on 25 May 2018, the national Data Protection Authorities (“DPAs”) in the European Union, have levied significant fines inter alia on body corporates for breach of their obligations under the GDPR. Few illustrations of the fine(s) levied by the DPAs in the month of October are provided herein below:
Lapses in data security
The Information Commissioner’s Office (“ICO”) imposed a fine of approximately 18.4 million Euros, dated 30 October 2020, on Marriott International Inc. for its failure to detect and prevent unauthorised access and attack on the system of the Starwood Hotels and Resorts Worldwide Inc. which is estimated to have effected 339 million guests’ records worldwide. Similarly, ICO imposed a fine of approximately 20 million Euros, dated 16 October 2020, on British Airways for processing a significant amount of personal data without adequate security measures in place, leading to a cyber-attack on its system, which is estimated to have effected more than 4 lakh customers of British Airways.
Processing employee’s private personal information
The Hamburg Commissioner for Data Protection and Freedom of Information imposed a fine of approximately 35.3 million Euros, dated 10 October 2020, on H & M Hennes & Mauritz Online Shop A.B. & Co KG., for unwarranted collection of the details and activities of the private lives of their employees (working in the service centre in Nuremberg), and using such personal information for inter alia taking measures and making decisions in regards to their employment.
Processing personal information without consent
The Spanish Data Protection Authority imposed a fine of approximately 36 thousand Euros, dated 10 October 2020, on Vodafone Espana S.A.U., for processing personal data of the claimant without their consent.
Similarly, ICO imposed a fine of approximately 250 thousand Euros, dated 29 October 2020, on Reliance Advisory Limited (Greater Manchester) (“RAL”), for making millions of calls in relation to claims management services to people, without their specific, free and informed consent to receive them, in violation of RAL’s data protection obligations and Privacy and Electronic Communications Regulations.
How does it concern the body corporates in India?
India is at the cusp of adopting a comprehensive data privacy regime. In 2019, a new draft of the personal data protection framework was announced, namely, ‘Personal Data Protection Bill, 2019’ (“Bill”). The Bill has been referred to the Joint Parliamentary Committee for further action. From a business’ perspective, the Bill proposes to impose nuanced obligations on organisations, similar to the GDPR, to process personal data lawfully, it mandates defined rights for the data principal and establishes a data protection authority for its enforcement and oversight. Any deviance thereto is proposed to attract gargantuan penalties.
Going forward, businesses will need to look at their internal capacity to manage risks related to data breach, data theft, and data loss, as well as devote considerable resources towards information governance. Early movers in this regulatory convergence worldwide will ensure that their organisations stay ahead in the complex and shifting data policy landscape.
From a perusal of the privacy breach notice(s) and the order(s) imposing the fines as above mentioned, it appears that in order to decide the quantum of compensation for incidence(s) of privacy breach, the DPAs consider myriad factors, including, a) organisational and technical practices, policies and measures, b) organisational awareness and c) data breach response and mitigation mechanism. In other words, organisations will need to ensure that data protection becomes part of their regular functioning and compliance, rather than remaining an ad hoc consideration.
Where do the body corporates begin?
It is indispensable that organisation(s) look at personal information not as a statutory or regulatory compliance mandate but approach it from a governance model to harness the value that it will bring to them. To begin with, solely as an illustration, organisations shall do the following:
- To be able to govern personal information, an organisation should first know the data it processes during the general course of business and the potential data sources;
- To be able to devise a roadmap for data governance, an organisation shall understand the maturity level in terms of compliance readiness at which they currently stand;
- Based on the assessment as aforesaid, an organisation shall draft an information governance policy which is in sync with its business objectives, subject to its conformity with the applicable law;
- To be able to drive information governance, an organisation shall strive to build a data protection culture in the organisation;
- In the event that there is a data breach/loss incident, an organisation shall have a response plan to be able to mitigate the negative externality (both commercial and reputational) that may flow from it.
It is critical that the data ecosystem is looked at holistically by the business organisations. In the context of COVID-19, as we forcibly transition, into workplaces and everything digital, organizations need to be able to demonstrate transparently how they are protecting data and ensuring privacy to earn the trust of their customers, users, partners and employees. In addition, through efficient data management practices and templated access protocols in place, a company can leverage its existing data ecosystem to venture into new areas and protect existing information securely.