UK privacy watchdog threatens British Airways with 747-sized fine for massive personal data blurt The UK Information Commissioner's Office has warned British Airways it faces a whopping £183.39m fine following the theft of customer records from its website and mobile app servers. The record-breaking fine - more or less the lower end of the price of one of the 747-400s in BA's fleet - under European General Data Protection …
"BA and the other regulators now have 28 days to make representations to reduce the fine."
Why would the other regulators want to reduce it?
On the wider issue I can imagine a few penny-pinching manglements and boards having this report thrust in their faces by their underlings this morning.
come November the UK Data Protection rules might drop the level for fines.
There's no reason to think so.
If UK businesses want to continue to do business with EU companies they will have to maintain GDPR-level data protection after Brexit, just as other non-EU states like the US have to.
Before GDPR the UK already had higher maximum fines (£500,000) than either France or Germany (€300,000), indeed UK consumer protection legislation is consistently better than the EU minimums.
If UK businesses want to continue to do business with EU companies they will have to maintain GDPR-level data protection after Brexit, just as other non-EU states like the US have to.
.
Who says the British will WANT to do business with EU people after Brexit ? The whole point is to stride bravely forth into the Atlantic, casting all ties behind, and having nothing to do with those dodgy foreigners and their beastly regulation.
.
Aside from that I can easily see Boris impulsively having a bonfire of all regulations in an excess of Bullingdon Daily Telegraph libertarian zeal, not even noticing what this one was for. This is a person who, after all, deliberately lied about EU regulations in his columns, as he cheerfully admitted, in order to stir up dislike and have fun.
"If UK businesses want to continue to do business with EU companies they will have to maintain GDPR-level data protection after Brexit, just as other non-EU states like the US have to."
Don't be so sure on this. Most of the US-based SMBs have laughed/scoffed/ignored the EU directives on collection of VAT and will likely do the same with GDPR. Don't get me wrong, large multinational corporations will probably comply. But the 29.7 million small businesses here will likely politely tell the ICO to stuff it.
Why are you comparing minimum fines with maximum fines. That's like saying my boss pays me well, I'm on £5 an hour, he's on £100 a second.
Also £500,000 is a tiny fine for any moderately sized business. The point should be to make the fine high enough to cause damage, whilst low enough to not make the company go bust, as you cannot learn from mistakes that kill
In any case it's valuing the impacted at < £500 per-person.
Several factors to consider here.
Firstly< offences committed after GDPR applied up until 31st Oct will presumably have to be dealt with under GDPR, just as offences committed pre-GDPR but dealt with after GDPR applied were fined under the old regulations.
Secondly, if HMG wants to avoid problems for businesses which need to process data of EU residents then they'll need to achieve equivalence which means keeping GDPR-equivalent regulation in place. Whether such sanity will prevail is anybody's guess.
Thirdly, the current DPA implements GDPR so if the numpty in residence, whoever he may be, doesn't like that he'll have to replace it or repeal it.
Fourthly, post-Brexit, I presume any fines won't be shared with other EU countries so they may be less to take into account of fines which an EU regulator might apply. Alternatively the maximum sum of EU & UK fines could be 8%. That should make boards think.
It's been made pretty explicit that the UK will maintain compliance with the GDPR in order to keep exchanging data with the EU.
That might change over the few years as the USA gradually takes us over.
It's actually great that a company is really getting hit with a real stinker of a fine. It'll sharpen up practices across the board I hope.
come November the UK Data Protection rules might drop the level for fines.
Your statemant implies we are imposing higher fines as an EU requirement , how could you then possibly discard that requirement and still "maintain equivalency of regulation"
if that was negotiable we could drop them now , and who wants them lowered anyway?
I imagine quite a few large buinesses who hold huge quantities of personal information on systems and services that have been deliberately starved of resources to maintain them adequately will be very keen to see fine watered down.
I'm sure Boris will be keen to help since that naughty EU was hardly a friend to business. Much rather we have a US style system where privacy is largely illusary unless you have money to take everyone to court making citizens a resource and a commodity increasing GDPR.
Why? I'm sure that I read that American 3-letter agency and general 'we own the world' attitude meant that Safe Harbour was dead and no-one would deal with the US corporate data harvesters because it was now illegal. My arse! All I have seen is an unremitting wave of business to AWS and Microsoft cloud.
Oh and by the way, stop correcting 'harbour' to the incorrect 'harbor' . I am still on the side of the pond that can spell proper (like).
From: IAG GBS Communications <iaggbs.communications@iaggbs.com>
Sent: 21 June 2019 14:48
To: DG IAG GBS Global Operations <DG.IAGGBS.Global.Operations@iaggbs.com>
Subject: ★ IAG GBS MC Update ★
IAG GBS MC Update
Dear IAG GBS Team,
You will have seen the announcement today from Willie announcing the new IAG CIO appointment of John Gibbs, who joins IAG on September 2nd from Rolls Royce.
This is a new direction for IT and shows how critical IT strategy is across the Group. The emphasis of bringing all IT activities under one area including Digital is the next step in the evolution of Group IT.
Bill Francis made it clear to me at the end of 2018 that he planned to retire at the end of 2019 and hence why we commenced a recruitment process. I would personally like to thank Bill for all his dedication and determination to get us ready for the future. Bill has done a fantastic job ensuring we are ready to transition to the cloud, whilst exploring and utilising the latest technologies.
Bill said “After 40 years in the travel industry, with 22 of those at BA and more recently IAG, I have thoroughly enjoyed my time working with all colleagues across the Group.
Change and transformation have always been at the top of my agenda, and whether that was introducing the new mixed fleet cabin crew for BA or creating Group IT within IAG, I hope that I have been able to make a positive difference”.
Regards,
Steve Gunning
Director of IAG GBS
Is it me or does that note read like the outgoing head of Group IT was an Airline Ops guy, not an IT guy?
Reading between the lines it seems like a Ops transformation guy was put in charge of creating/transforming Group IT?
Anyone wiser in the ways of IAG care to comment?
"Is it me or does that note read like the outgoing head of Group IT was an Airline Ops guy, not an IT guy?"
Should it surprise anyone? It's the management attitude that a good manager doesn't need to know anything about what they're managing. That's why we get to call them manglement.
a good manager doesn't need to know anything about what they're managing
As long as they have good people that do know and that the manager trusts then they really don't. Good management isn't (generally) about knowledge - it's about people skills and process skills.
(Of course, people skills are probably the reason why there are very few good IT people in senior management since good IT skills and abilities seem to be the opposite of skills required to reach senior management..)
"...good IT skills and abilities seem to be the opposite of skills required to reach senior management..."
I don't know about that. Try working on a site that has the ability to blow the nearby town into the next county, with process operators more interested in keeping the place safe than why the computer won't do what it needs to do and is thus pretty upset with IT and the IT department in general and is in no mood to wait or be fobbed off.
I did that as a desktop support person and believe me a having a 17 stone Scot raging at you as to why you can't fix the computer NOW needs a lot of people skills. If you had said skills most of the guys were fine once you explained what needed to be done and what you proposed to do about it. Same with senior management. The trouble was with the middle layers. Noisy, demanding and cursed with a minuscule amount of "computer literacy" those were the ones to avoid if at all possible. Dealing with them meant you really got a "people skills" workout as well as developing techniques for controlling blood pressure, temper etc.
So yes, you don't get to develop arse-licking and back-covering but that again this is top brass we are talking about and I reckon those skills would only qualify you for a middle level job.
How often have you met an IT director who knows much about IT? They're either parachuted in from another area or they're former devs /admins who - after suitable brown nosing ground work - were promoted out of harms way and managed to continue that for years.
well, that's why it is REDUCED (and going to be watered down more and more until the public lose interest, and in 5 years time, they'll have reduced it to 1 million, it'll be quietly paid). But hey, they had to write SOMETHING in the meantime. They're disappointed.
My wife was one of the cards compromised - to be honest BA were quicker to respond than the bank. They advised us to cancel the cards after a day or so, at which point the bank asked us why we were needing replacements. Then the bank got in touch a couple of weeks later to say if we hadn't already, we should get them replaced.
BA also provided a 12 month subscription to one of the credit reference agencies for free as well.
> BA also provided a 12 month subscription to one of the credit reference agencies for free as well
and paid you for the privilege I hope since they now get to grab even more of your data. What happens if somebody you want to borrow from happens to use only the _other_ credit reference shits instead ?
Not quite sure how using the credit reference agencies helps BA grab more data?
Those agencies don't operate for free, and if you're not paying them someone else must be. That someone else will want to get something in return. Your data is the obvious coin.
As always, if you're not paying for the product, you are the product
According to this post on twitter - https://twitter.com/musalbas/status/1148145302328815617 - by the person who originally discovered the issue, BA sat on a GDPR request asking why personal details were being leaked for 30 days before responding, removing the dodgy tracking code on the same day. I bet your bank didn't sit on this for 30 days, did they?
It also explains why the ICO says the incident started at the end of June while BA told them it started in August.
I can almost guarantee the stolen card details were used.
One of our company credit cards was used fraudulently just after the hack period ended, having been used to make a purchase on the BA website during the hack period. It wasn't used to make purchases on many other sites and certainly none of the others looked to be breached.
Luckily Barclaycard flagged the transaction and we cancelled the card before any damage was done.
Can and have provided evidence to BA and Met police that 2 cards - my business credit card and my wife’s personal card - were cloned after having purchased flights from BA within the fraud timeline.
To date I have not received any offers of ‘credit worthiness tracking’ or compensation from BA and I only received the standard round-robin email that they sent out. Costs incurred were time on phone to card company plus having to arrange fast replacements when the fraud became apparent which I billed at 2 hours work. To date my invoice to BA for £350 + VAT remains unpaid.
"...had found no evidence that the stolen cards were used"
This kind of BS triggers me everytime !
Of course, genius, whoever uses those cards numbers is not gonna put it in the public press ! and eventhough it is reported, you can always feel free to look the other way.
FFS, why even is this nonsense reported ?
Oh that'll be a nice bit of compensation for the customers whose data was taken due to security failings.
Doesn't help with the amount of anguish knowing you are just a moment away from being the victim of identity theft and having to once again change your card details and keep constantly vigilant for unauthorised loan applications. However £378 goes a little way towards easing the pain.
...wait, what was that?
You're saying the people whose data got stolen don't get any of it and the money all goes into the general taxation pot?
Well that sucks.
"The companies just carry on regardless, the government fines them, and the public are shafted."
Yes...the government adds the fines to their big pile of money and never release it back to pay for any services used by taxpayers.
Is it fair for those directly affected? Probably not but at the same time proving they were affected may be difficult based on the stories of affected people with banks blocking transactions and a significant number of the cards being replaced quickly.
The company fine goes towards the "public good" and those directly affected benefit more than if they employed lawyers to go after the company directly. Which is good for everyone but the lawyers...
You would hope that fines such as these would help companies quantify the cost of gathering the information they "have to have" on their marketing activities.
However, I suspect the typical response will be to sack a few developers who were required to provide the tracking, then sack a few more who refuse to take on the future responsibility, then carry on exactly as before. As in the crypto "debate", the ability of people in power to demand two mutually-exclusive things simultaneously shows no sign of faltering.
I'd like to think they'll also evaluate their policies re opt-in/opt-out.
E.g. this morning I tried to phone Hotpoint spares. Their pre-recorded rigmarole was that we might spamyou with post or phone unless you opt-out. That's a breach of GDPR right there. I didn't get as far as opting out, however; I gave up on their appalling ACD.
"Their pre-recorded rigmarole was that we might spamyou with post or phone unless you opt-out"
Every so often I send heads-up emails about such things to the ICO. Apart from the canned responses nothing gets done and I'll invariably find that the same message is on the phone system when calling several months later.
The group is believed to have exploited third party scripts, possibly modified JavaScript, running on BA's site to gain access to the airline's payment system.
Noscript rulz!
When a website doesn't work with noscript on because it uses 3rd party javascript then I try to find an alternative. and the original website looses a customer.
"If a sufficient number..."
Which is highly unlikely to ever happen. Ever asked a non-techie to use NoScript? Hard enough convincing them to use unique passwords and patch their shit which is of far greater benefit. Blocking scripts, while interesting and useful in some cases, is not a workable solution.
no, blocking scripts is not a workable solution for certain scenarios, and I hate to say this, because I use half a dozen (or more) ad blockers, on top of scrip-blocking. But when I buy (not search for!) an airline ticket, or any other product or service online, I go to the old ugly IE. I just don't have time / patience to chase my bank or shop over the phone, when my payment, put through well-defended firefox, comes up with an "oops, something went wrong" page.
We live in a place where we pick what we like to be exposed to and what actions we do that will affect our lives, like what to eat, who to meet, and which javascript to load.
Unlike the common people like you who just blindly put their trust on random strangers and hope you don't get F*cked and Gripped, when in reality real people are getting F*cked and Gripped for the very same mistake.
Bonuses - hell no.
Dividends - likely, though not included in the latest dividend (£700M paid today, by the way...) since nothing has been fined yet. If that £183M needs to be paid in a later day, it will affect the dividend and probably the stock price as well.
Year-over-year the stock has lost almost 40% of its value, which may make some investors tad nervous. This tanking probably has very little to do with this data blurt, but heads may roll in any case.
The data was stolen from BA. BA have been stolen from and now they will be fined for being the victim of theft. Cooperating with the investigation and the attackers seem to be known as a criminal group who do this.
Just reads a little odd. Maybe BA did bad. But I must have missed that bit.
Eh?
If a bank took your valuables, charged you for the privilege of having an account to store these things and then left the safe door open letting evreything be stolen one evening would you be thinking "aw poor bank they didn't mean it to happen, never mind about my precious things you look sad". I don't think so.
As someome else has pointed out if you do everything you should have done and data is still stolen from you then in all likelyhood you will not be fined by the ICO.
BA were incompetent and thoroughly deserve a multimillion £ kick in the nads. I'd also add IMHO they are bloody incompetent as an airline as well.
I understand the replies I am getting, that BA was to be responsible for the data. But the data can always be got to in some way or other and so anyone can be stolen from (physical or digitally) as proven every day.
I have no problem with a fine for BA if they didnt do the expected things to protect the data (and that might be the case here, I just didnt see it) but to be fined because you were stolen from, even if its other peoples property stolen from your possession, seems harsh.
I am not against strong protection of user data. But if we want users then data will be collected and there is always a possibility of compromise. All you can do is best practices.
It's negligence: British Airways failed to protect customers' personal data correctly.
GDPR makes it quite clear that companies that can demonstrate that they have followed the recommendations of the data protection regulators have little to fear. In essence, GDPR limits their exposure to cases brought as a result of their behaviour, as courts can point the settlement and say: dealt with.
By contrast look at some of the settlements across the pond. Boeing has set aside $ 100 million as compensation for the US victims of two plane crashes and Equifax is subject of at least one class action.
However, at the end of the day, the fine sounds worse than it actually is, because it is a charge that can be offset against tax.
By contrast look at some of the settlements across the pond. Boeing has set aside $ 100 million as compensation for the US victims of two plane crashes and Equifax is subject of at least one class action
It seems disproportionate to me. I don't know the details but it was not the case that BA took no security measures and once they knew there was an issue they did respons albeit that the measures and response may have been inadequate and/or tardy. The fine seems orders of magnitude more than reasonable and thsi is reinfirced by the comaprison with Boeing.
Boeings provision is half teh fine against BA. It is quite clear that they designed and manufactured an aircraft which was unsafe. The issue was ,even given allowance for hindsight, of such an obvious nature it should have been identified and there is evidence that the information given to the regulator was misleading and innacurate. Hundreds of people have died as a result of this and yet the provision made is only half the amount that BA have been fined as a result of being victims of a criminal attack for which they were not responsible and in which no one was injured or likely to be injured let alone killed.
There is a massive disconnect between these two numbers.
"The total proposed fine of £183.39 million would be the biggest penalty ever issued by the ICO.
It is the equivalent of 1.5% of BA's global turnover for the financial year ending December 31 2018."
Ref: https://www.standard.co.uk/news/uk/british-airways-fined-more-than-180m-for-customer-data-breach-a4184376.html
Pretty sure fines aren't tax-deductible...
Edit:
https://www.gov.uk/hmrc-internal-manuals/business-income-manual/bim42515
"Regulatory bodies
Where a trader incurs a liability to a regulatory body on revenue account that is broadly intended to cover the regulator’s costs of performing its duties in relation to the trading activities, such costs will normally be allowable even where the trader has committed a breach of regulations. However, should a regulatory body impose a penalty for breach of regulations, or should a penalty or fine become payable as a result of a prosecution for a trader’s breach of regulations, this will not be an allowable expense (see McKnight v Sheppard [1999] 71TC419)."
To get a car analogy in: If you replace your tires because they are worn below the minimum thread depth, the costs of the tires are deductible, regardless of whether you replaced time on time of to (way) late. However, the fine you get for driving with worn tires is not deductible. That seems remarkably in line with common sense...
Thank you for clearing that up, to many people here seem to think companies can just deduct fines where clearly the can't.
The article https://www.theregister.co.uk/2018/09/11/british_airways_website_scripts/ points out how attacks like this work.
In essence a js file hosted on BA's own domain was modified so it posted details to a third party domain. The fact the js file could be modified on their production server is in itself scary, but how can you protect against that?
An easy way is just to monitor the filesystem for changes to any .js file, say every hour. Perhaps diff it against the master copy in their version control. If there are differences email the entire development team as that safeguards against it being an inside job.
A couple of mins work, save several million quid in fines and pissing off a load of (lost) customers. Too simple perhaps?!
but how can you protect against that
One of the standard setting for any webserver is that its user cannot write to any of its files so that it exists in an effectively read-only file-system. This should be standard practice as it was the goto exploit in the days of CGI.
But that itself is not the reason for the size of the fine. There was systematic failure across the line, including on how the data was stored.
The GDPR wording talks about turnover of the Undertaking, which would extend to the whole of IAG, especially if IT systems are managed as a group resource.
this would allow the fine to grow
183m is a baby of a fine, and considering the circumsatnces, size of breach and the Blue Chip status of the BA name, not unreasonable.
So they spent their time and money trying to monetise personal data, rather than trying to secure personal data. And people are moaning that they've now had to pay a fine for all the damage it caused?
Serves them right for seeing personal data as an opportunity rather than a responsibility.
I'd probably sak them off, I'm sure a decent contract will allow that, and possibly recover charges if they are irresponsible. Although if they lost the data would they be the ones getting the fines? The thing I like about GDPR is that it makes companies think about data where they probably have not bothered before.
"... heavily outsourced IT... slips up ... major GDPR breach and fine..."
You are the data handler, therefore you get the fine. It is YOUR responsibility to ensure the outsourcer is secure.
This is not much different than a retailer's obligation on sale of goods, vs recovering costs from the suppliers.
Further litigation between you and the outsourcer over the issue may or may not come under the regulators' purview, depending on how the data was handled and the contracts setup, but you can be assured that if you didn't do your due diligence in the first place you're going to get doubletapped pretty hard by the regulators up front.
Fine not high enough. Besides, no one mentions the fact that BA has outsourced their ops to off shore with the penny pinching mindset so many have, yes it's cheap but it also comes with an army of mostly short skilled people who replaced those they once used to have in house. To their management, it's working well.
On the other hand, if BA do it again, the fine will be larger and negotiation won't be much of an option.
Most regulators work on the basis that the first bite is low value, but if they ever have to show up on your doorstep again then they're going to go over every inch of your business with a fine tooth comb and they won't be forgiving about what they find.
more or less the lower end of the price of one of the 747-400s
Not been made for a while, a good 14 years for the passenger version. A bit more up to date journalism gives the 787-8 list price (big airlines never pay this) as $248.3M (£198.64M), makes good copy but sadly way off the mark.
Anyhow anyone giving BA a good kicking always deserves a cigar in my book, luggage losing overbooking rude bastards.
This may not be popular here, but haven't we got cyber security backwards?
Why are we fining the organisation holding data for the fact someone stole that data? The following analogy may be over-simlipfied, however, if you report your car stolen, the police tend to try and find out who stole it, and go after them for punishment. They dont turn around and fine the victim of the theft, saying that they should have better protected the vehicle.
I know this gets a bit murky with it being other people's personal data, however hear me out... if the data was stolen from adequately protected systems, why is it the data holder (victim in this case) fault that data was stolen? They didnt steal it. They certainly didnt want it stolen.
They obviously have some level of basic security deterrents in place, all companies do. But in IT security, they are exactly that - deterrents. They will not stop anyone who REALLY wants to get in from getting in. That's a data security pipe dream.
Why are we not puttiing effort into identifying and punishing the perpetrators of the hack instead of the victims?
Not to be sticking up for BA specifically here, but this has been on my mind since they came up with this whole fine companies for data breaches thing. I assumed it was meant to catch stupid fuck ups, like leaving sensitive USB sticks lying around, or laptops unlocked etc. Just seems a little backwards and gives hackers more freedoms than anything.
"The following analogy may be over-simlipfied, however, if you report your car stolen, the police tend to try and find out who stole it, and go after them for punishment. They dont turn around and fine the victim of the theft, saying that they should have better protected the vehicle."
They didn't own the data, it was someone else's. If the 'we hold your possessions securely' storage company actually just lets anyone in and lets them take anything they want, they will be done as well.
"They obviously have some level of basic security deterrents in place, all companies do. "
Apparently, although I am not an expert in this, their safeguards were well below best practice, hence the fine.
You would have a point, if the data was stolen from adequately protected systems. As it was, this is not the case. IMHO running unchecked 3rd party code on your payment pages is completely negligent. Personally I think the fine should be much bigger than this given BA’s unbelievably arrogant stance (“The details weren’t used for fraudulent transactions” - Err, yes they were, plenty of people who only used their card on BA having it cloned within the affected period) and the fact it will obviously be batted down through the process.
"if you report your car stolen, the police tend to try and find out who stole it, and go after them for punishment. They dont turn around and fine the victim of the theft,"
The victim owned the car and was responsible to the owner - himself. You can't sue yourself. (not sure about USA...)
"saying that they should have better protected the vehicle."
Oh, most plods, will state the obvious that to the victim...
"They obviously have some level of basic security deterrents in place, all companies do. But in IT security, they are exactly that - deterrents. They will not stop anyone who REALLY wants to get in from getting in. That's a data security pipe dream."
So... since nothing can be secured 100%, why bother at all with security?
The question here is whether there were reasonably good safeguards against data theft. The nature of theft has not been discussed but hopefully an inquiry into this will enlighten us whether BA had the equivalent of Fort Knox for customer information storage; if all data was stored in an unpatched XP in the cupboard, or something inbetween.
If the safeguards were adequate, encryption everywhere, hashed passwords, everything PCI DSS compliant etc, the fines may be lowered or canceled. They haven't been fine yet.
"Why are we not puttiing effort into identifying and punishing the perpetrators of the hack instead of the victims?"
Who says that no effort has been done to identify the perps? The problem with many digital heists is the lack of evidence if the perps have known how to hide their traces.
To continue the car example, there are two elements involved. One is liability in criminal law - that is only the responsibility of the car thief. The other would be civil liability. Again, that is the car thief's responsiiblity, but of course we know most thieves never pay for the cars they steal.
Therefore of course, we usually insure our cars against theft. The insurer will pay the value for the stolen car or its damages, but only if the insured hasn't been negligent or sloppy. If you leave it unlocked with the keys in then you won't get covered. But leaving it in a dark alley in a dodgy part of town is usually not grounds to refuse payment (I think - depends on the policy I suppose - foreign travel to some countries is excluded).
Taking this together, I agree with the original poster - this is like the police fining the car owner (or say the friend of the owner who was using the car) - I guess the question is, has the friend done the DP equivalent of leaving the keys in the ignition, or just parked it somewhere dodgy? I guess in the former case a fine is legitimate, BUT it still is (to me) a very blunt tool to set a liability.
In theory there is already negligence law which could allow an individual person to sue a data holder for negligently letting it leak out. But the victim would have to show some kind of loss. The scale of these fines suggests this link is absent (360 quid per person involved) - weird to set it by reference to the global revenue. Maybe one victim lost nothing, and another had 1,000s of pounds run up on their card. Each person should get their respective sum lost.
Is any realistic valid insurance cover available to all parties such as a British Airways to ensure information and intelligence breaches are not possible and preventable?
Failing that facility being ready for immediate secure supply, are not breaches and leaks not normal courses of action and fully to be expected rather than bizarrely penalised with fantastic fiat fines?
So who fronts and dons the Dick Turpin mask for such daylight highway robbery?
Watching the GDPR actually get used makes me uncomfortable. Besides the mental and ongoing costs of compliance, the actual enforcement seems to be an affront to basic principles of justice. BA's argument is a fair one, what is the harm done here - how does that link to the penalty awarded? That is a starting for damages awarded in normal civil claims in the common law world. And why does the regulator get to set the penalty? They act as rule maker (via guidance docs issued), prosecutor, and jury. Fine - this gets appealed to the proper courts, but usually this kind of right is granted only to police in fairly low level offences (e.g. speeding tickets). The scale of penalties creates vast power in a single regulator. And finally, it is essentially victim blaming - in most UK cases the data controller has been hacked, which is in fact a crime against them - imagine applying this logic to victims of sexual violence...
The answer to all of this is that this a European invention and this is how things go in civil law countries. Ok fine, but it doesn't sit well with the common law tradition. And as usual it seems to me the UK regulator enforces the "rights" rigorously and hands out swingeing fines, even against local UK companies (when the fines were in reality calibrated to hit FB, Google etc.) - whereas various contintenal counterparts get away with fairly limited fines, if they get fined at all.,
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
