TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Europe Data Protection Digest | Notes from the IAPP Europe Managing Director, 2 April 2021 Related reading: Dutch DPA issues 450K euro fine over breach reporting

rss_feed

""

""

Greetings from Brussels!

The Dutch data protection authority has imposed a fine of 475,000 euros on one of the largest hotel booking platforms — Booking.com — for failing to report a major data breach to the regulator in a timely manner. The fine was imposed by the Dutch DPA as the company’s global headquarters are legally established in Amsterdam. The Netherlands is an important EU jurisdiction in the privacy world serving as a home to several important tech companies, such as Uber and Netflix.

For context, the concerned data breach dates from December 2018, when cybercriminals were able to obtain the login details of employees from 40 hotels in the United Arab Emirates through the deceptive practice of voice phishing, more commonly known as vishing. Having gained access to the company’s internal reservation system, the cybercriminals were then able to access reservation data, including the names, addresses, contact information and booking details of more than 4,100 customers. They also managed to access payment card information, including, in some cases, the credit card security codes. Moreover, the adversaries then attempted to phish the credit card information of other customers by posing as Booking.com employees over the phone or by email.

The online travel company formally learned of the data breach 13 Jan. 2019 but only notified the Dutch DPA the following month on 7 Feb. As per GDPR provisions, the incident should have been notified within 72 hours. Impacted customers were notified by the company 4 Feb.

I spoke with Jeroen Terstegge, IAPP country leader for the Netherlands, to get his view on the enforcement ruling. One of the main lessons, in this case, he said, is that controllers may already have information about a security incident and data breach that constitutes “awareness” as a very early stage as defined in Article 4(12) of the GDPR. Booking.com was initially alerted by email 9 Jan. 2019 by one of the concerned UAE hotels to suspicious activity following a customer complaint about a call regarding their reservation. In itself, this isolated incident alone did not necessarily constitute awareness of a breach. However, when Booking.com received a second email 13 Jan. over a similar incident from the same hotel, the company should have realized that it had an issue on its hands. The Dutch DPA concluded that the company should have been “aware” of a breach as of 13 Jan.

Booking.com, however, took the position that it had to conduct an internal security investigation in a first instance to conclude that a breach had, in fact, occurred. That investigation was concluded 4 Feb. The notification to the Dutch DPA followed 7 Feb., and in doing so, Booking.com was of the view that they fulfilled their obligation within the 72-hour time frame. However, in their notification filing, they stated they had become aware of the incident 10 Jan. — this is what triggered the regulatory investigation.

In a statement by the Dutch authority, Vice President Monique Verdier said, “This is a serious violation, a data breach can unfortunately happen anywhere, even if you have taken good precautions, but to prevent damage to your customers and the recurrence of such a data breach, you have to report this in time.” Terstegge added that in accordance with the DPA's fining policy, the standard fine for violation of Article 33(1) of the GDPR is 525,000 euros. Booking.com got a 50,000 euro discount for having taken action to reduce the impact on the data subjects, including the reimbursing of any financial loss. Notably, Booking.com will not object or appeal against the fine issued by the DPA.

My concluding take is this: Data controllers should file their initial notification as soon as possible to avoid being on the receiving end of expensive and arguably avoidable repercussions.

3 Comments

If you want to comment on this post, you need to login.

  • comment Jeroen Terstegge • Apr 2, 2021
    Probably the most interesting part of this case is why both the AP and Booking believe that Booking is the controller for the breached reservation data that Booking sends to hotels via its extranet. One could also argue that the controller having the breach was the hotel in the UAE, to which the GDPR does not apply. The AP’s conclusion is based on the fact that Booking controls the security features of the extranet and requires hotels to inform Booking if unauthorized access has occurred. But as art. 33 GDPR is part of the Accountability chapter 4, is could be questioned whether Booking should be held accountable for a breach of personal data that are stored in a communication system used by both Booking and the hotel and where the breach happened on the part of the hotel. Unfortunately, Booking does not contest the fine, as this would have been an excellent case to build jurisprudence about the scope of a controller’s responsibility in ‘third party transfer’ data processing operations using online tools, such as extranets.
  • comment Jeroen Terstegge • Apr 2, 2021
    (continued) In Dutch civil law, Booking would likely not be liable for this breach. And as Dutch courts apply Dutch civil law rules to art. 82 GDPR, nor would Booking likely be liable under art. 82 GDPR. But for no apparent reason, Booking must notify this breach to the Dutch DPA. A notification, which -if done properly within the time frame of art. 33 GDPR- would not have had any consequences for Booking. Yet, they are slapped with a fine for late notification of a breach, that most likely wasn’t their responsibility in the first place. To me, that sounds like a perverse consequence of the application of the GDPR.
  • comment Jeroen Terstegge • Apr 2, 2021
    (continued 2) Another important part of the AP’s reasoning that Booking is the controller is that Booking actually notified the breach, where if it wasn’t the controller responsible for the breach, Booking would not be required to notify the breach to the AP. Yet, Booking stated in its reaction to the draft fining decision that it wasn’t the controller for the hotel’s breached reservation data in its extranet. It is the age-old argument I keep having with risk-averse company lawyers and privacy officers: “You cannot have it both ways”. You cannot notify a breach as a controller and later say that you weren’t the controller. Although your own views on the matter do not constitute controllership, it is an important factor in how a supervisory authority will treat you. If Booking would have taken its (defensable) ‘we are not the controller’ position in February 2019, this fine would not have happened...