In July 2019, the UK Information Commissioner’s Office (ICO) issued a notice that it intends to fine Marriott International, Inc. £99,200,396 for infringements of the General Data Protection Regulation (GDPR). The fine arose as a result of a compromise of the Starwood Hotels Group IT systems that occurred in 2014, two years before Marriott acquired Starwood’s operations in an M&A transaction. It appears that the compromise of customer information was not identified in the acquisition due diligence undertaken by Marriott in 2016 and was only discovered by Marriott in 2018. That compromise was notified to the ICO by Marriott in November 2018.
Besides being important for acquirers in Australian M&A transactions, the Marriott case is useful to highlight emerging issues in Australian privacy law. Here are the main takeaways.
Do we need to worry about this in Australia?
If you operate a business in Australia, the GDPR won’t apply to you unless you offer goods or services to EU-based individuals or monitor the behaviour of EU-based individuals. An example of monitoring would be if you track an EU-based individual’s online activities to analyse or predict her personal preferences, behaviours and attitudes. If you need advice about whether the GDPR applies to you, please contact us.
Even if the GDPR does not apply to your business in Australia, you will be subject to the Australian federal Privacy Act 1988 (Cth) if your annual turnover has exceeded A$3 million in any year since 2001 or if you have a lower annual turnover but are nonetheless a regulated organisation under the Privacy Act. If you need advice about whether you are a regulated organisation, please contact us. If you are subject to the Privacy Act, you must take reasonable steps to protect personal information you hold from misuse, interference and loss, as well as unauthorised access, modification or disclosure (Data Security Obligation).
In addition, from February 2018, if you suffer an ‘eligible data breach’, that is:
- there is a loss, or unauthorised access or disclosure of personal information that you hold; and
- that is likely to result in serious harm to the affected individuals,
you are required to investigate and notify the affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable (the Data Breach Notification Obligation).
Are Australian fines likely to be this high?
The data security failure by Marriott affected 339 million guest records globally, of which around 30 million records related to residents in the EU and 7 million related to UK residents.
If there was a comparable breach of a Data Security Obligation governed by Australian law, the Privacy Act would permit the OAIC to seek civil penalties, but only if the breach represents a serious or repeated interference with privacy. If it does, each contravention could attract a penalty of up to A$2.1 million if the offending organisation is a body corporate. Multiple contraventions may attract a single penalty order, but that order cannot exceed the sum of the maximum penalties that could be ordered if a separate penalty order was made for each of the contraventions. The OAIC’s Guide to Privacy Regulatory Action and Privacy Regulatory Action Policy set out the principles that the OAIC will apply where it seeks civil penalties for serious or repeated interferences with privacy. These civil penalty provisions – and the principles set out by the OAIC – have not yet been tested. On paper, however, if there is an interference with the privacy of 7 million individuals, there could be 7 million separate contraventions. Those contraventions could lead to the contravening company having to pay a penalty that is many times the maximum civil penalty of $2.1 million per contravention. However, if a court considers that the result of the aggregation of multiple penalties is excessive, the court may moderate the penalty imposed in respect of each contravention to achieve what it considers to be a just result.
In March 2019, the federal Attorney General announced proposed amendments to the Privacy Act. Among other things, those amendments will increase penalties from the current maximum penalty of $2.1 million per contravention for serious or repeated breaches to whichever is the greater of:
- $10 million; or
- three times the value of any benefit obtained through the misuse of information; or
- 10 percent of a company’s annual domestic turnover.
In addition, amendments are proposed to give the OAIC new infringement notice powers backed by new penalties of up to $63,000 for bodies corporate and $12,600 for individuals, for failure to cooperate with efforts to resolve minor breaches. These recommendations were endorsed by the Australian Competition and Consumer Commission in its Digital Platforms Inquiry – Final Report released on 26 July 2019, not just for digital platforms but across the economy. Watch this space.
Marriott notified the ICO of the data breach and then got fined for breaching GDPR data security obligations. If you make a data breach notification to the OAIC, are you admitting that you have breached your Data Security Obligation?
No. You may suffer a data breach without you having breached your Data Security Obligation. For example, you might have state-of-the art IT security but your IT system may nonetheless be compromised by an extremely sophisticated hack.
You need to issue a data breach statement to the OAIC, and notify the affected individuals, as soon as practicable after you have reasonable grounds to believe that you have been subject to an eligible data breach.
Data security expectations are constantly evolving
Even though you may suffer a data breach without necessarily breaching your Data Security Obligation, you should be aware that the requirements of the Data Security Obligation are constantly evolving. What may have been a permissible data security measure 24 months ago is not necessarily permissible today, as more data security breaches occur and information about new data security risks becomes known. As the OAIC notes in the Notifiable Data Breaches Scheme 12-Month Insights Report published in May 2019, regulated organisations should prioritise investments in improving their data security in line with known security risks. This includes taking reasonable steps to ensure that the necessary people, processes and technology are in place to prevent breaches.
The bigger your organisation, the greater the expectations as to the adequacy of your data security measures.
The tangled web of multi-party breaches
The OAIC’s Notifiable Data Breaches Scheme 12-Month Insights Report observes that in the 12 months to May 2019 there were 11 multi-party notifications, with between 2 and 60 notifications for the same data breach.
How do multi-party breaches arise? Unlike the GDPR, the Australian Privacy Act does not distinguish between ‘controllers’ and ‘processors’ of personal information. Nonetheless, one or more organisations might physically hold personal information while another organisation has legal control of that information. For example, a company might outsource data storage to a provider of cloud services, or a company may store job applicants’ personal information in the IT systems of an online recruitment organisation. In these instances, both the physical holder of the personal information as well as the legal controller of that information has a Data Breach Notification Obligation. As noted by the OAIC in the Notifiable Data Breaches Scheme 12-Month Insights Report:
In general, compliance with the [Notifiable Data Breach Scheme] by one entity will also be taken as compliance by each of the entities that hold[s] the information … [T]he [scheme] leaves it to the entities to decide which of them should do so … The OAIC suggests that, in general, the entity with the most direct relationship with the individuals affected by the data breach should notify them of the data breach.
Where you outsource the handling of personal information, or you hold personal information for other organisations, you should ensure that your contracts cover:
- who is responsible for assessing whether an eligible (notifiable) breach has occurred;
- how that responsible party will gain access to the information that it needs to make that assessment; and
- all other things needed by the responsible party to facilitate assessment, notification and remediation of notifiable data breaches.
M&A due diligence – millions of reasons for caution
Given the proposed increase in civil penalties for serious or repeated privacy breaches in Australia, and the approach taken by the ICO in the UK in the Marriott case, M&A lawyers should ensure that their acquisition due diligence processes pay more attention to privacy exposures. The issues to be considered include whether:
- the target has suffered notifiable data breaches in the past and, if so, whether these were caused by malicious or criminal attacks, system faults or human error;
- the target’s systems and processes suggest that the target has taken reasonable steps to protect personal information that the target holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure; and
- the target has commissioned reports on data security or IT security more generally and, if so, the conclusions reached in those reports.
For further information please contact the author or any member of our Fintech, Privacy & Emerging Technologies team.
This article is general commentary on a topical issue and does not constitute legal advice. If you are concerned about any topics covered in this article, we recommend that you seek legal advice.