
First-tier Tribunal grants Ticketmaster stay of its appeal on an ICO fine pending a parallel group action

Published on 02 August 2021

Can an appeal of an ICO fine be stayed pending the resolution of concurrent group action proceedings in the High Court?

The key takeaway

The case highlights the possibility of staying ICO actions where concurrent litigation is taking place in the High Court. It also provides practical pointers on contracting arrangements with third parties around the all-critical area of data security.

The background

Ticketmaster had contracted Inbenta Technologies Ltd (Inbenta) to provide a chatbot which Ticketmaster used on its website, including the payment page. The JavaScript code for the chatbot was hosted on Inbenta’s server. An attacker managed to infect the code with a scraper that collected personal data entered by users, including names, payment card numbers, expiry dates, and CVV numbers.

Following this breach, the ICO issued Ticketmaster a fine of £1.25m, as it found that the implementation of the code by a third party for the processing of personal data was a known security risk and that Ticketmaster was in breach of Articles 5 and 32 of the General Data Protection Regulation (GDPR). In the ICO’s view, Ticketmaster had failed adequately to address the security of the chatbot and its implementation into Ticketmaster’s own infrastructure, and to ensure ongoing verification of security to an acceptable level.

Ticketmaster subsequently appealed the ICO’s decision to the First-tier Tribunal on several grounds, claiming, among other things, that it had not breached the GDPR and that the attack was not foreseeable. However, Ticketmaster sought a stay of its appeal in light of ongoing group action proceedings in the High Court, brought in relation to the same cyber-attack by a group of c. 800 customers who were affected by the data breach.

The development

In an unusual turn of events, the First-tier Tribunal has stayed Ticketmaster’s appeal of the ICO fine pending the conclusion of the High Court case. The First-tier Tribunal considered that, on balance, it would be materially assisted by a substantive judgment from the High Court proceedings, and that those proceedings would be likely to determine points on common issues of law. The stay was granted until 28 days after the High Court’s judgment is handed down. It is unlikely, therefore, that Ticketmaster’s appeal will be heard until late 2023.

Of separate, but equally important, interest are the aspects of the High Court case which are relevant to Ticketmaster's appeal before the Tribunal. These include: Ticketmaster's vetting of Inbenta; each party's responsibilities for the security of the chatbot; Inbenta's awareness of the chatbot on Ticketmaster's payment pages; the reasonableness of the scope of Ticketmaster's integrity monitoring; and so on.

Why is this important?

Although the stay in the case is very unusual, and companies involved in litigation with the ICO should not assume that this will happen in most cases, the decision does highlight the opportunity for organisations to delay enforcement action where this might be needed.

Any practical tips?

Should any fines be levied against you by the ICO for a major data breach, consider whether the ICO actions can be stayed if any concurrent High Court action has been initiated, in order to minimise the legal costs of having similar or the same issues considered by both the Tribunal and the High Court. The case also provides practical pointers on what to look for in your contracting arrangements with third parties, and on being clear as to where responsibilities lie on such key aspects as data security.

Summer 2021