Are we going to see a Ticketmaster GDPR fine given that at least some victims of their data breach had their information exposed after the May 2018 legislation change?
There are a few things to look at when considering which legislation will apply, i.e. the old or the new. The breach spans the deadline, because some information in this breach was exposed both before and after the GDPR legislation came into force.
So, which will apply? Will the test be that the information was initially exposed before the deadline, meaning the old rules apply, or are we saying that the data being exposed after the deadline means GDPR will apply?
Arguments in favour of a Ticketmaster GDPR fine
The arguments in favour of a Ticketmaster GDPR fine are hard to ignore. Victims’ data was exposed after the deadline, and there will have been some customers who purchased tickets on the platform after the deadline and before the breach discovery on the 23 June 2018, meaning their data exposure is limited only to the post-GDPR period.
Surely, the Information Commissioner's Office (ICO) cannot apply the old legislation to a data breach that clearly takes place solely after the deadline.
Does the overlap mean we will see both a Ticketmaster GDPR fine and an “old law” fine?
There is an overlap, so we could see bosses at the ticket-purchasing platform trying to say the old rules apply in order to avoid a huge fine that could amount to £17m or 4% of their turnover.
But, given that the company was warned about a breach in April and failed to identify it, and given the fact they were using code they shouldn’t have been using which led to the information exposure, a Ticketmaster GDPR fine seems like it would be a justified approach.
ICO currently considering whether or not to issue a Ticketmaster GDPR fine
The ICO are reportedly deliberating over whether or not to issue a Ticketmaster GDPR fine. With some 40,000 victims of the Ticketmaster data breach here in the UK, this is a big breach, and this may well be the test in terms of how the new law is to be applied.
An interesting factor would be whether GDPR is going to apply based on when a breach was discovered. If this is the case, we could see the Dixons Carphone data breach also having the GDPR rules applied as they discovered the breach almost a whole year after it took place, and the discovery was after the deadline.
An applicable data breach must be reported to the ICO and victims must be told within 72 hours of breach discovery, according to the new rules; something Ticketmaster failed to do. The breach was at least discovered after new rules came into force, so why didn’t Ticketmaster alert people sooner?
We are representing a number of people affected by the Ticketmaster data breach, so please feel free to contact the team for help and advice about claiming for data breach compensation.