Other Authors      Ellen Hepworth, Trainee Solicitor, Mayer Brown

Following an international investigation in cooperation with other European privacy regulators, on 31 March 2021 the Dutch data protection authority ("Autoriteit Persoonsgegevens - AP") released its decision (available here in Dutch) to impose a fine of €475,000 on Booking.com (incorporated in Amsterdam) arising from their delays in reporting a data breach incident (the "Breach").

Breach

The Breach arose from a December 2018 incident, where staff members at several hotels in the UAE were persuaded to reveal their log-in details for their Booking.com system accounts to telephone scammers. Subsequently, over 4,000 customer records were accessed by the scammers during the Breach, which included credit card information of nearly 300 customers. The AP said there had been a high risk to affected customers because of subsequent phishing attacks undertaken with the information.

Notification

Booking.com received several emails in January 2019 (on 8 January 2019, 13 January 2019, and 20 January 2019) from its customers reporting that they had been the victim of phishing attacks by third parties who tried to obtain their credit card details on the basis of reservation information from Booking.com. Booking.com asserted that they immediately commenced an internal investigation on the basis of those emails.

The Booking.com internal investigation was finalised on 4 February 2019, at which time Booking.com notified its customers of the Breach. It was not until 72 hours later, on 7 February 2019, that Booking.com notified the AP of the Breach. Booking.com asserted that without this internal investigation, they would not have been in a position to provide the AP with any useful information in relation to the Breach.

The fine

The AP decided that the emails of 8 and 13 January 2019 contained sufficient information in relation to the Breach and that, as a result, Booking.com should have been aware at the latest on 13 January 2019 that in all likelihood the Breach had occurred. Therefore, Booking.com should have notified the AP within 72 hours from 13 January 2019 that the Breach had taken place. Contrastingly, Booking.com reported the breach on 7 February 2019, 25 days from 13 January 2019. The AP also considered that the General Data Protection Regulation 2016/679 ("GDPR") allows for staged notifications in circumstances where immediate information of a potential breach is lacking.

Despite the high risk to customers and possible security failings deriving from the Breach itself, the fine was issued because of Booking.com delays in notifying the AP of the Breach within the 72 hour statutory time period. The date from which that time period commenced was 13 January 2019 due to the sufficiency of the details concerning the Breach which were contained in the email to Booking.com of that date. The AP described the Booking.com failure to notify as a "serious violation" of the GDPR and emphasised the importance of fast responses to data breach incidents.

Conclusion

The AP noted that Booking.com had a high level of responsibility towards customer data because of the size of the company and value of personal data being handled by it. The enforcement action from the AP further reinstates that, as well as implementing sufficient security measures, multinational companies must have an appropriate data beach incident response plan in place to respond to breaches should they occur. Moreover, identifying the appropriate relevant supervisory authority for any notification requirements should be an important factor which multinational companies must pay close attention to when putting in place their data breach response plans.

The AP's decision follows recent decisions from other European regulators who have issued fines for organisations failing to comply with European data protection legislation. See for example, recent fines in Spain and Germany.