Julian Hayes and Guevara Leacock discuss GDPR fines for privacy lapses by third-party service providers – Startups Magazine

BCL partner Julian Hayes and legal assistant Guevara Leacock’s article titled ‘GDPR fines: Can third party service providers be fined for the privacy lapses?’ has been published by Startups Magazine.

Here’s an extract from the article:

“In the space of just two months, the UK’s data watchdog, the ICO, has dished out nearly £40m in personal data breach fines to some of the country’s best-known companies – British Airways, Marriott International and Ticketmaster. Whisper it quietly but the ICO’s burst of penalty decisions, coming after significant delays, goes some way to countering mutterings that the regulator lacked the will to take on large and well-resourced opponents.

But as the dust settles and the ICO waits for the cheques to arrive, the companies – and their shareholders – may be wondering how much they are ‘on the hook’ for, and whether any of the fines or the costs of dealing with the regulatory action can be recovered from others.

Those poring over the terms of insurance policies are likely to be disappointed. While it is not entirely settled, case law suggests regulatory penalties are probably uninsurable on public policy grounds, and the small print of insurance contracts may even include ‘clawback’ provisions for the legal costs paid out whilst defending regulatory action where an insured is ultimately found liable.

Next up for consideration, third party contractors and suppliers, often for smaller entities with fewer resources, caught up in the data breaches. Pre-GDPR, such third parties could point out they were data processors, avoiding data protection liability. GDPR upended that, imposing both regulatory and private law liability on processors too. In each of the three cases before the ICO, BA, Marriott and Ticketmaster (data controllers) sought to varying degrees to offset their own liability by pointing to the contributory negligence of such third parties.

In many respects, data controllers and processors face the same risk of GDPR liability: both are required to implement appropriate security measures for personal data, each is subject to the panoply of ICO enforcement powers, and aggrieved data subjects are entitled to seek compensation from controllers and processors as a result of regulatory infringements, subject to an exemption where they can show they were not in any way responsible for the breach.”

This article was originally published by Startups Magazine on 8/12/20. You can read the full version on their website.

Julian Hayes advises companies and individuals in the rapidly developing field of data protection, especially in the context of data breaches and law enforcement investigations, where necessary litigating to ensure that the actions of state authorities are properly constrained. A partner at BCL for three years, he has vast experience of all types of criminal inquiries, including the unlawful obtaining of data and computer misuse offences. He is a well-known and highly regarded commentator on cybersecurity and privacy issues. He advises telecommunications operators on their obligations under UK investigatory powers legislation and provides practical guidance on how to handle demands placed upon them, including in establishing systems that work to ensure legal compliance and protection for the operator.

Guevara Leacock is a legal assistant specialising in all aspects of white-collar crime; corporate investigations; dispute resolution; mutual legal assistance and regulatory law. He has been involved in matters concerning the FCA, HMRC, SFO, private prosecutions, directors’ liability and extradition. Guevara takes a keen interest in data protection and information law, and has recently worked on cases involving legal professional privilege in the context of privacy-related matters.