In the transportation and energy sector, 7 DPAs (+1 compared to the ETR 2020) have so far imposed 30 fines (+13 compared to the ETR 2020) totalling more than EUR 34 million (+22 million compared to the ETR 2020). Leaving aside 1 fine above EUR 20 million imposed by the British ICO and 2 fines in the millions imposed by the Italian authority, the fines are relatively moderate, ranging from low 4-figure to low 6-figure amounts, with an average of roughly EUR 39,000. This average is only slightly lower than the corresponding figure in the ETR 2020, which was approximately EUR 43,000. It is an open question whether this decline is partly due to the drop in annual turnover many companies suffered as a result of the Covid-19 crisis, since turnover is, among other aspects, a basis for calculating fines pursuant to Art. 83 GDPR.
As in 2019, the majority of fines in the transportation and energy sector in 2020 were based either on an insufficient legal basis (13 cases) or on insufficient data security measures (19 cases), with the latter category having increased significantly.
Let's take a closer look:
- The heaviest fine imposed in 2020 had already been announced in 2019: the British ICO fined the airline British Airways EUR 22 million (ETid-58) for insufficient technical and organisational security measures. In 2018, British Airways had been the target of a major cyberattack affecting the personal data of around 500,000 customers, including login credentials, payment card and travel booking details, as well as names and addresses. The ICO's investigation concluded that poor security measures were at least one reason why the attack succeeded and why it went undetected for two months. In 2019, the ICO had originally intended to impose a fine of EUR 214 million. In 2020, the authority explicitly stated that one reason for reducing the fine was the economic impact of the Covid-19 crisis on the airline industry. How the case develops further remains to be seen. Brexit, which has since taken effect, will most likely have no bearing on it, since the (high) standard of the GDPR continues to apply in the UK, at least for the time being.
- The Italian Data Protection Authority imposed 2 separate fines totalling EUR 11.5 million on the gas and electricity supplier Eni Gas e Luce (ETid-186 & ETid-187). The first fine (EUR 8.5 million) concerned unlawful promotional phone calls made without the data subjects' consent, despite the data subjects' objection to receiving promotional calls, or without triggering the special procedures for checking the public opt-out register. The second fine (EUR 3 million) concerned violations resulting from the conclusion of unsolicited contracts for the supply of electricity and gas. One reason for the high amounts is a certain degree of intent that the authority saw in the controller's conduct.
- In contrast to these isolated but rather high fines, the Spanish Data Protection Authority still appears to impose a larger number of relatively moderate fines. It should also be noted, however, that the violations in the cases handled by the Spanish authority were less serious in terms of the number of people concerned and the severity of the violations. The Spanish authority has also been seen to impose multiple fines on a company once it is on the authority's radar for possible violations (14 fines imposed on 10 companies).
It is also worth mentioning that the Spanish authority imposed a moderate 4-figure fine for insufficient cooperation with the supervisory authority (ETid-291).
- In the category of insufficient fulfilment of data subjects' rights, the fines were rather moderate. However, in 2020 the Finnish authority imposed a 6-figure fine for the first time, for direct marketing carried out even though the data subjects had requested the deletion of their data (ETid-279).
The fines imposed in the transportation and energy sector illustrate, as they do in other sectors, that companies have to ensure sufficient technical and organisational measures (TOMs) and thus data security, especially when processing high volumes of customer data and/or sensitive information. Even though most of the fines imposed for violations of the TOMs were below EUR 10,000, the British Airways example shows that large-scale violations carry an enormous risk of extremely high fines. There must also be an appropriate legal basis for any data processing; where consent is relied on, the requirements for valid consent under the GDPR and national data protection law must be observed. Otherwise, there is a risk of heavy fines, particularly but not exclusively in the UK and Spain, with Spain responsible for all fines imposed for an insufficient legal basis in this sector in 2020.
As expected, the severe impact of the Covid-19 crisis on parts of the transportation (and energy) sector has also reduced, at least in part, the fines in this sector. This trend will most likely continue, at least for companies that have been hit hard by the crisis. This is not only due to possible leniency on the part of the DPAs in the context of the Covid-19 crisis, but mostly due to the fact that the upper limit of a fine under Art. 83 GDPR is defined as a percentage of total worldwide annual turnover for the preceding financial year, which will be drastically lower for many companies in this sector.