This summer's announcements by the Information Commissioner's Office (the "ICO") that it has issued notices of intention to fine both British Airways and Marriott International in respect of data breaches have highlighted how sharp the ICO's new GDPR teeth are.
Given the much higher stakes, with the maximum penalty now sitting at approximately £17 million or 4% of global annual turnover, whichever is the higher, it is very possible that we will see more instances in which fines imposed by the ICO are appealed than under the previous Data Protection Act 1998, when the £500,000 cap meant that fines were arguably small enough for many large businesses simply to take them on the chin.
The beleaguered BA and Marriott will no doubt be busy making representations to the ICO in an attempt to reduce the amount of the penalties which the ICO eventually decides to set, relying on any mitigating factors and on arguments against the aggravating factors which the ICO would have had to set out in its notices of intent (the actual notices of intent have not been published by the ICO). They must be given at least 21 days in which to do this, and the ICO has 6 months from the date on which it gave each notice of intent to issue a final penalty notice (though it cannot do so within the period which it sets for making representations).
But what happens if, despite the chance to make representations, BA or Marriott still want to dispute the final penalty amounts and feel that they have further grounds on which to appeal? Appealing GDPR fines is new territory, and we consider in this article how a business which has been issued with a penalty notice in relation to a data breach can go about doing this, from both a procedural and a substantive point of view. At this stage of GDPR implementation, and until the ICO gets round to fulfilling the requirement set by the Data Protection Act 2018 (the "DPA") to issue guidance on how it will exercise its enforcement functions (including how it will determine the amount of penalties), much in terms of possible grounds of appeal is speculative. We can only really go on what is set out in the GDPR and the DPA and any guidance produced by the former Article 29 Working Party (now replaced by the European Data Protection Board), and draw analogies with similar regulatory regimes such as competition law.
The process
The DPA provides rights of appeal against decisions made by the ICO, and the First-tier Tribunal (General Regulatory Chamber) is the first port of call for handling such appeals. Whether the First-tier Tribunal (to which jurisdiction to hear appeals from decisions of the Information Commissioner was transferred in 2010, when the previous Data Protection Act 1998 was in place) will be able to cope with the potential complexity and the number of appeals which GDPR might now generate is something which only time will tell. However, there is scope in the Tribunal Procedure Rules for cases to be transferred straight to the Upper Tribunal where this is considered appropriate.
The process appears to be a relatively straightforward one; see the box below for further details.
Appellants have 28 days to appeal after the ICO has sent them its penalty notice, though there is scope to ask for more time (at the discretion of the Tribunal).
The Tribunal process is as follows:
- The appellant begins by completing and filing a notice of appeal form;
- The ICO has 28 days to respond;
- The appellant can write back with further evidence or arguments within 14 days;
- The appellant can ask to have the appeal decided on the documents in the case, or at a hearing where the case can be put in person;
- A hearing is attended by a judge (sometimes sitting with two other tribunal members), a representative of the ICO, the appellant and the appellant's representative;
- A decision of the First-tier Tribunal can be appealed to the Upper Tribunal, but only on a point of law, not of fact, and only with permission to appeal.