‘Stayin’ Appeals’ by the FTTGees – The Hottest Ticket(Master) in Town

The first major GDPR penalty notice appeal – Ticketmaster UK Ltd v Information Commissioner (EA/2020/0359/FP) – has been stayed by order of the First-tier Tribunal until 28 days after the handing down of judgment in civil litigation brought against Ticketmaster by some 795 Ticketmaster customers: Collins & Others v Ticketmaster UK Ltd (BL-2019-LIV-000007).

In June 2018, Ticketmaster discovered that a chatbot used on its website had been infected with malicious code which scraped the personal data and payment card information of a significant number of Ticketmaster customers. The chatbot was provided to Ticketmaster by a third party – Inbenta Technologies Ltd – under contract, and it was hosted and served from Inbenta’s servers. The attack did not affect Ticketmaster’s own systems (i.e. this was a supply-chain cyber-attack). This context was set out in the evidence of Ticketmaster for the appeal and the skeleton argument of the ICO, quoted in detail at [6]-[7] of the FTT’s judgment. As noted below, Inbenta was not a party to the appeal and so the FTT’s judgment does not set out Inbenta’s account of the factual context. It is apparent that there is a very considerable dispute as between Ticketmaster and Inbenta which is part of the ongoing civil litigation.

In November 2020, the ICO issued a penalty notice for breach of Articles 5(1)(f) and 32 GDPR in the sum of £1.25m. Ticketmaster appealed that penalty notice, on the basis that there had been no breach of the GDPR, that alternatively it was inappropriate to impose a penalty, and that in any event the sum was excessive.

A core aspect of Ticketmaster’s defence is that it relied on, and was entitled to rely on, allegedly incorrect assertions made by Inbenta as to the security of the service it was providing. The civil litigation against Ticketmaster – which commenced before the penalty notice was issued – strikingly includes Part 20 proceedings brought by Ticketmaster against Inbenta, and indeed Part 20 proceedings between Inbenta and Ticketmaster. The civil claim is likely to go to trial in the autumn of 2022.

The role played by Inbenta in the civil litigation is noted here because it was important to the reasoning of the FTT in acceding to Ticketmaster’s application for a stay pending the High Court judgment; the FTT agreed that it would be important to the issues on the appeal that the High Court had been able to make findings in relation to both Ticketmaster and Inbenta’s cases, whereas Inbenta were not a party to the appeal. The ICO is not, of course, a party to the civil proceedings but the FTT considered that a point of less weight in the circumstances.

The FTT emphasised that a stay would only be ordered if a good reason were shown, and that the test was effectively that of the overriding objective, phrased with an emphasis on expediency and the degree of material assistance provided by the other proceedings. It did not accept the ICO’s argument that Parliament had intended the statutory appeal process to the specialist FTT as the primary route, noting the extent to which data protection matters are heard before the High Court, and that the High Court’s ruling on various issues of law and fact would be of at least material assistance to the FTT. There would be a material overlap of issues between the proceedings, particularly by reference to the question of breach.

The delay to the appeal was a factor which weighed against the stay, but the length of time it had taken from the discovery of the breach to the issue of the penalty notice was also relevant in this context, as was the limited impact which the delay would have on the ability of the ICO to present its evidence and case. Ticketmaster had established a specific funding source to pay the penalty if it was required.

The FTT emphasised the highly fact-specific nature of its decision, seeking to guard against any sort of assumption that civil litigation arising out of data breaches would routinely warrant the stay of the regulatory appeal proceedings. Given the current swathe of such claims, that is an important caveat, as it is likely that other cases will face the same difficulty of either having to ride two litigation horses, or trying to persuade one race to be suspended. In the meantime, guidance from the FTT as to the proper approach to penalty notices under the GDPR remains awaited.

Anya Proops QC and Robin Hopkins acted for Ticketmaster.

Timothy Pitt-Payne QC and Stephen Kosmin acted for the ICO.

Christopher Knight