Below is our highlight of the most relevant changes this month that could affect your business.
Data Protection – GDPR
ICO announces fine of £183million for British Airways breach of GDPR — On 8 July 2019 the ICO announced that it intends to fine British Airways (BA) £183.39million (which, if imposed, will be a record amount in the UK for a breach of data protection law) for infringements of the General Data Protection Regulation (GDPR) ‘following an extensive investigation’ into a cyber incident that BA notified the ICO of in September 2018. This incident in part involved user traffic to the British Airways website being diverted to a fraudulent site, where 500,000 customers' personal data details, including log in, payment card, and travel booking details as well as name and address information, were harvested. The ICO found that BA’s poor security contributed to this but has said that BA has cooperated with the ICO investigation and made security improvements since the incident occurred in June 2018. BA will now have the opportunity to make representations to the ICO before it makes its final decision.
ICO intention to fine Marriott International £99.2million for a cyber incident — The ICO also plans to fine Marriott International £99,200,396 for infringements of the GDPR, where 339 million guest records held in Starwood hotels' guest reservation database have been compromised. Starwood was acquired by Marriott in 2016 (two years after Starwood’s systems were compromised) and Marriott only discovered the exposure of customer information in 2018 and notified the ICO then. The ICO investigation found that Marriott carried out insufficient due diligence when it bought Starwood and should have done more to secure its systems. Marriott has cooperated with the ICO's investigation, has made improvements to its security arrangements following the breach and no longer uses the Starwood guest reservation database. Marriott has advised the ICO that it intends to ‘respond and vigorously defend its position’ relating to this decision.
Government consultation on the extension of Statutory Sick Pay (SSP) — The government is looking at extending SSP to those who do not earn up to the current threshold of 14 hours per week on at least the minimum wage. This would also offer those workers covered by the ‘gig’ economy the chance to qualify for SSP. The government is also looking at how it can offer more help for those returning to work after sickness absence. Each year more than 100,000 people leave their job after four weeks or more on sick leave and so the government is looking at ways to avoid this, including employees continuing to receive SSP whilst having a phased return to work, and offering a rebate to small businesses who help employees return to work. To reduce sickness absence the government is even considering the right for an employee to request changes to working patterns to assist in their return to work.
Article 10 ECHR Freedom of Expression did not justify sharing of private information in breach of Article 8 ECHR Right to Private Life — A case earlier this month illustrates how limited the scope, under current case law, is for justifying "kiss and tell" stories under Article 10 of the ECHR, the right to freedom of expression. The defendant in this case was liable for misuse of private information when publishing a book describing intimate details of the claimant and his relationship with her, and four photographs, which the claimant had taken and sent to the defendant in private social media conversations, infringing copyright. Instead, it was ruled that the claimant had a reasonable expectation of privacy under Article 8 of the ECHR when it came to information about his children, health, sex life and relationship and separation from his ex-wife. There was no public interest in publishing this information, but the publication of it did cause distress to the subject and so the balance in this case had to fall in favour of protecting the subject’s Article 8 rights as opposed to the right to freedom of expression under Article 10 of the ECHR.
*Please note that this update does not constitute formal legal advice and should not be relied upon as such. Always ask a solicitor if you are unsure of how the law relates to your business*