While the problem is clear, the solution may be less so. Different companies use different IT setups, they have different data usage policies, they use different data formats, and they have to follow different operating procedures. Many use outdated legacy systems, with updates either too time-consuming to consider or too costly to complete. Billions are spent annually on CRM and ERP solutions that may help an organization streamline internal processes, but even these systems run into a brick wall the moment they have to interact with a different system used by an outside party.
This is where the LTO Network promises to revolutionize the way the world does business.
The LTO Network facilitates trustless and automated B2B interaction and collaboration between different parties regardless of the underlying tech infrastructure of the participants. Using decentralized Live Contracts that act as workflows for whatever tasks or processes a business wants to carry out, each party participating in the system can validate actions [not just their own but those of their business counterparts as well], secure their submissions, and interact with other participants in a safe, private, and even GDPR-compliant manner if needed.
The LTO Network does this by running a global public chain that timestamps and anchors data and events. With the global chain acting as an overarching main chain, smaller, customizable ad-hoc sidechains are used exclusively between specific participants or companies to execute Live Contracts, share information, and collaborate on a strictly private and need-to-know basis.
LTO Network has been recognized by many, including Torque Ventures – a high-profile blockchain company – as a groundbreaking innovation in the B2B and blockchain and data space that will accelerate blockchain adoption in the corporate and enterprise fields.
Despite the potential of this blockchain revolution in the business sphere, there are still obstacles to growth and liquidity facing participants in this ecosystem. High exchange listing fees, the ICO boom creating hype for projects that lack real utility, and a lack of transparency all have dealt significant blows to blockchain projects that were actually in advanced stages of development and were ready for public consumption.
To overcome these issues, LTO Network has partnered with BitMax.io [BTMX.com] for its primary listing. Recognized as a leading 3rd-generation digital asset exchange, BitMax.io has grown its user base to over 70,000 since its mid-August launch. With 50 active trading pairs of highly selective crypto tokens, it provides a broad range of products and services to global retail and institutional clients. The platform not only focuses relentlessly on transparency, reliability, and quality of execution and client service, but also leads the industry in offering innovative trading services. As a result, it has been steadily moving up the ranks in the competitive exchange space. Given BitMax.io's commitment to listing only high-quality projects, this strategic partnership is a strong testimony to LTO's proven track record of development and its noticeable potential in the B2B blockchain automation space.
The strategic significance of the partnership between LTO Network and BitMax.io goes beyond a simple listing. Both organizations are considered pioneers in their respective fields: LTO Network was selected as the winner of the Blockathon held by the Dutch Ministry of Justice and Security, while BitMax.io has established itself as a clear leader in the crypto trading and exchange space. Founded by a group of Wall Street veterans, BitMax.io has built a team with extensive experience in capital markets, technology, high-performance quant trading and token economics. The depth and breadth of that experience are the key drivers of its high-performance trading platform as well as its transformational approach to crypto trading. Furthermore, with the industry's LOWEST transaction fees at 0.04%, FASTEST transaction rates at 400k TPS, and the very FIRST “transaction-mining & reverse-mining” mechanism, BitMax.io has shown LTO's selection of it as primary listing partner to be an optimal decision.
SEC charges ICO Ratings provider for failing to disclose earnings from publicizing digital asset offerings
The U.S. Securities and Exchange Commission [SEC] today released a statement saying that it has charged icorating.com, an ICO rating website. The regulatory body reported that the ICO research and rating provider violated Section 17(b) of the Securities Act, since it did not disclose the revenue it had generated from ICO reviews.
During the bullish market of 2017-18, the website carried out activities such as offering research reports, ratings and social-media posts publicizing offerings of blockchain-based digital assets, while billing the respective entities in return.
According to the detailed report, icorating.com was paid $100,572 in total, directly or indirectly, by certain parties whose ICO projects were rated and publicized on the Russian firm’s website. The SEC alleges that the website failed to report the revenue generated from these activities, during the aforementioned time period.
The report also claimed that most of the web traffic to the website came from the United States. The website was hosted in the United States, with the help of a U.S.-based provider. All the content was published in English, and all figures were quoted in U.S. dollars. Moreover, the firm hosted conferences in the United States and sent employees to attend them. The organization also did not take any proper measures to block Americans from accessing and viewing its website.
Following this ruling, the respondent is required to pay disgorgement of $100,572, along with pre-judgment interest of $6,426 and a civil money penalty of $162,000. The Russia-based firm is not the first to come under the radar of the SEC. Previously, Kik came under scrutiny and recently challenged the SEC after the latter charged it over an allegedly illegal token sale. Kik responded by stating that the regulatory body twisted material facts.
New ICO? NULS Partners with Aleph to Raise $1.25 Million via a Staked Coin Output (SCO) Process
Staking is picking up in most projects as a way to secure the blockchain rather than the legacy proof-of-work mechanism. NULS, one of the lesser-known projects, is introducing a new way to get cryptocurrency projects running: the Staked Coin Output (SCO).
A PR announcement from NULS confirmed that the team has partnered with Aleph, a cross-blockchain layer-2 network, to test the SCO method. The staked coin output allows investors to stake their NULS tokens and subsequently receive tokens from projects building on the NULS blockchain. Most importantly, the funds are not sent directly to the developers' wallets, as they are in an ICO.
Speaking on the latest development, the co-founder of NULS, Reaper Ran praised the move as “a critical path for success” for his project. SCOs are expected to spur development across the cryptocurrency community and further grow the number of projects launching on NULS.
SCO switches from traditional fundraising capabilities – ICO, IEO and STOs – to allow users to put their staked rewards as collateral. Reaper assured investors of the benefits of the SCO process saying,
“The investor community isn’t risking anything because they are only sacrificing their staked rewards, not their principal.”
The developers of projects participating in the SCO process will also have a platform to broadcast successful projects, test their market depth and build better projects without public fundraising.
NULS/Aleph successfully test SCO on the platform
Aleph and NULS successfully completed testing of the SCO method, using 4 Aleph nodes to stake more than two million NULS tokens in less than 24 hours. The total value of the staked coins is currently around $1.25 million USD.
To receive staking rewards, users are expected to stake at least 2000 NULS (~$820 USD) to validate the network.
Following the successful launch of the Aleph project on the platform, the blockchain is inviting more cryptocurrency projects to test the SCO process. Hena, a mobile advertising blockchain, is poised to become the second crypto project to launch using the SCO process.
Should we be Surprised by the Latest ICO Fines?
Like many others in the data protection world I was initially taken aback by the size of the latest fines proposed by the ICO. The idea of fining British Airways in excess of £183m and Marriott International nearly £100m for data breaches that in pre-GDPR days would have attracted fines of no more than £500,000, and probably substantially less, seemed extraordinary. Of course these are only proposed fines. They could be reduced significantly or even cancelled altogether following representations from BA and Marriott as well as, under the GDPR’s cooperation mechanism, from the other concerned data protection authorities. Nevertheless the proposals clearly demonstrate both a step change in the ICO’s approach to sanctions arising from data breaches and its intention to make use of the full range of administrative fines available to it under the GDPR.
Should we be surprised? Perhaps less so now that the ICO’s proposed fines have been put into perspective on a global scale by the US Federal Trade Commission’s record $5 billion settlement with Facebook. We need to bear in mind though that the Facebook settlement took place under a very different legal and regulatory system from that operating in the EU and for very different privacy shortcomings from those that are the focus of the proposed BA and Marriott fines.
Were the markets surprised? Perhaps surprised but apparently not shocked. We often hear about how major privacy failings can affect a business’s share price and there is some evidence that this has happened in the past, such as with the US retailer Target. In line with financial market reporting obligations both BA and Marriott had to inform their respective stock markets about the ICO’s proposed fines. We might therefore have expected a fall in share price as a result, but this didn’t happen. Although there were small falls initially, both sets of shares quickly recovered in value. And Facebook’s share price actually rose after its settlement with the FTC was announced, although this may have been because the settlement was extensively trailed in advance and so any adjustment in share price had already taken place, with the market simply expressing relief that the final settlement was no more onerous than expected. Perhaps all this only serves to confirm the view that it is the loss of consumer trust and confidence resulting from privacy failures that is the real driver of share price, and hence of change in business practice, rather than regulatory penalties, however high these might be. As even Elizabeth Denham herself has said recently, “Fines are not what will change business models.”
So should we still be surprised despite the Facebook settlement and the market reaction? Yes, but on considered reflection perhaps not quite as surprised as we were initially. Although we are unlikely to get a full understanding of the ICO’s reasoning in these cases, at least until we see the final penalty notices and perhaps not until any appeals are heard, there could be some sound reasons why the ICO is taking such an apparently punitive approach.
Does the Statutory Guidance Give us any Clues?
Section 160 of the Data Protection Act 2018 obliges the Commissioner to publish guidance on how she proposes to exercise her functions in connection with penalty notices, including how she will determine the amount of any penalties. This statutory guidance forms part of the ICO’s Regulatory Action Policy. It sets out the mechanism through which penalties will be set as:
Step 1. An ‘initial element’ removing any financial gain from the breach.
Step 2. Adding in an element to censure the breach based on its scale and severity, taking into account the considerations identified at section 155(2)-(4) of the DPA.
Step 3. Adding in an element to reflect any aggravating factors.
Step 4. Adding in an amount for deterrent effect to others.
Step 5. Reducing the amount (save that in the initial element) to reflect any mitigating factors, including ability to pay (financial hardship).
The guidance also says that, generally, the amount of any penalty will be higher where:
• vulnerable individuals or critical national infrastructure are affected;
• there has been deliberate action for financial or personal gain;
• advice, guidance, recommendations or warnings (including those from a data protection officer or the ICO) have been ignored or not acted upon;
• there has been a high degree of intrusion into the privacy of a data subject;
• there has been a failure to cooperate with an ICO investigation or enforcement notice; and
• there is a pattern of poor regulatory history by the target of the investigation.
On the face of it there is little clue in the Guidance as to why the proposed fines are so high. It is hard, for example, to see how there can have been any financial gain for either BA or Marriott from the breaches. It also seems unlikely that the factors which might generate a higher penalty would be applicable, with one possible exception: we don’t yet know for certain whether the ICO is suggesting that there might be any advice, guidance, recommendations or warnings that were ignored or not acted upon. Nor do we know how the ICO has assessed the considerations referred to in Step 2 above, which largely mirror those set out in Art 83 of the GDPR, including, for example, the degree of responsibility of the controller, taking into account the technical and organisational measures they have implemented.
All that we can reasonably conclude at this stage is that the ICO is satisfied that, even though both BA and Marriott were the victims of criminal activity, the nature, gravity and duration of their underlying security shortcomings and the degree of their responsibility as data controllers means that the fines have to be set at the high levels proposed in order to meet the overriding requirement of being effective, proportionate and dissuasive.
What Might be The ICO’s Thinking?
So why might the ICO believe that fines of £100m and more are required to be effective, proportionate and dissuasive in addressing the security infringements behind large data breaches? Perhaps the starting point is to take a step back and look at what the GDPR was intended to achieve. Elizabeth Denham is amongst those, including the European Commission, who have described the coming of the GDPR as heralding a new era for data protection and used terms such as “game changer”. Maybe the ICO wants to send a message that we are indeed in a new era and that the game has now changed. Data protection authorities, including the ICO, have been given the power to impose fines of up to 4% of global annual turnover and they are likely to argue that the architects of the GDPR had a clear intention that they would deploy the full range of these powers.
The approach could even be as simple as this: an infringement that would have attracted a fine X% of the way up the old scale of £0 – £500,000 will now attract a fine X% of the way up the new scale of either 0% – 2% or 0% – 4% of annual turnover, depending on the nature of the infringement. Assuming that in the current cases the infringement in question is simply a breach of the security requirements of Art 32 of the GDPR, the maximum fine would be 2% of turnover. This would put the BA fine of 1.5% of global annual turnover three quarters of the way up the scale and the Marriott fine, which appears to be 0.5% of turnover, a quarter of the way up the scale. Under the previous regime this would have meant a fine for BA of £375,000 and a fine for Marriott of £125,000. From what little we know of the facts these figures don’t seem unreasonable, but if this is indeed the ICO’s approach it might ring some alarm bells for businesses given how many of the fines imposed by the ICO in recent years were well up the old scale.
The ICO might also be sending a message about security breaches based on the deterrent effect to others covered in Step 4 above. Successful cyber attacks that put personal data at risk have become all too common but must not be accepted as the norm. The ICO might well argue that businesses need to be ever more vigilant and invest even more in protecting against such attacks. They could be trying to send an even clearer message than before that, given the extent of the threat, businesses generally need to have state of the art security measures in place and those that do not run a real risk of multi-million pound fines. The message could even be that simply relying on the current state of the art to protect against cyber attacks is no longer sufficient to secure personal data appropriately and that substantial investment in upping the state of the art is required. How far this is a realistic objective must, though, be open to doubt, and would appear to go beyond what is contemplated by Recital 83 of the GDPR which, consistent with the previous legislation, seems to allow a balancing of state of the art/costs of implementation and consideration of the risks.
Then there might simply be a desire to build the reputation and ensure the continuing relevance of a regulator whose mission is to protect the information rights of individuals. For the ICO it is almost certainly more comfortable to be seen to be proposing high penalties for serious infringements, albeit that these might attract criticism from the business community, than to be seen proposing lower penalties that might attract criticism from those representing the public and their interests, particularly given the clear public messages on effective enforcement associated with the introduction of the GDPR. Better from the ICO’s point of view to be perceived by the public as a tough regulator than a weak one and easier for the ICO to come down from high fines to lower ones if forced to do so through the appeals process than to try to move upwards from a low base in response to public criticism.
Some Unanswered Questions
The Article 29 Working Party said in its Guidelines on Administrative Fines (subsequently endorsed by the EDPB) that implementation of the GDPR across the EU should lead to the imposition of equivalent sanctions. Whilst it is hard to disagree with this statement it remains unclear just what is meant by an “equivalent” sanction. Should similar infringements by different businesses and in different countries attract similar levels of fines in absolute terms, or should the levels of the fines be calculated to have a similar impact on the businesses even though their monetary values might vary widely? Basing fines on a percentage of turnover would suggest a move towards the latter, but even so a fine of say 1.5% of annual turnover might have a very different impact on one type of business than on another. What amounts to an “equivalent” sanction in this context? So far there have only been a handful of fines imposed by European data protection authorities for infringements of the security requirements of the GDPR, but the highest, imposed by the CNIL, was for EUR 400,000 and the remainder all came in at less than half this figure. Given the drive for equivalence, what might be the justification for the ICO’s proposed fines being in such a different league? To what extent could this be because of the cross-border nature of the processing in question?
Regardless of the picture across Europe, the ICO still has to ensure consistency in its treatment of data controllers in the UK, or at least be able to justify any inconsistency in such treatment. Will other businesses that report data breaches of a similar nature to those at BA and Marriott, even if on a smaller scale, all face “equivalent” fines? If so, given the number of data breaches being reported to the ICO, the resource implications are likely to be considerable, particularly if, as seems likely, higher fines lead to significantly more appeals. Or is the ICO focussing on what it sees as the big players and using these to set an example? If so, can it justify this approach if put to the test in any appeals? And what about public sector data controllers? Will they face equivalent levels of fines given that, in the past, some of the most serious failures to secure personal data have been the responsibility of public sector bodies? Even if public sector fines are based on the maxima of 10m or 20m EUR rather than on annual turnover, a breach equivalent to that at BA could, using the methodology above, result in public sector fines approaching £7m or even £14m. How far is this sustainable?
Of course a key question is whether the proposed fines are proportionate. Although we don’t know enough of the facts yet to make a judgement and, even when we do, there are likely to be different opinions, there must be at least some doubt over proportionality. Consistent with the ICO Regulatory Action Policy objectives, Elizabeth Denham has said previously that hefty fines will be reserved for those who persistently, deliberately or negligently flout the law. How far is this the case here, and does it justify the level of fines proposed, particularly given that, for the businesses concerned, the processing of personal data is only a secondary activity? Is it fair and proportionate that fines for failing to properly protect personal data should be based on a turnover that, in the case of BA, derives primarily from flying passengers and goods around the world and, in the case of Marriott, from renting out hotel rooms? Shouldn’t fines based on turnover take some account of the extent to which the turnover in question is derived from processing personal data, and in particular from processing personal data improperly?
Here it is worth bearing in mind some of the thinking behind the high levels of penalties available under the GDPR and especially those based on annual turnover. When the GDPR was under development a parallel was drawn with the application of competition law with the need for GDPR penalties to be sufficiently high to address businesses that profit from the unlawful processing of personal data and enable such businesses to be deprived of their ill-gotten gains. This suggests that fines based on a percentage of turnover rather than the alternative scales with fixed maxima of 10m and 20m Euro were intended for use primarily against data centric businesses with business models relying on processing personal data improperly rather than the likes of BA and Marriott for whom processing of personal data is a secondary activity and who are unlikely to have profited from their supposed shortcomings.
The final question is simply, “Do these proposed fines feel right?”. When I was at the ICO, with responsibility for signing off our fines, we had a systematic approach to determining the level of any proposed fine. Nevertheless, at the end of this process, we always asked ourselves a simple question as to whether the level of fine felt right to us, taking into account everything that we knew about the nature of the breach, the circumstances of the data controller, the range of other fines imposed and the surrounding regulatory climate. Sometimes the proposed penalty was increased, sometimes it was decreased although usually it remained unchanged. The ICO’s penalty setting processes may well be more sophisticated these days and now appears to involve a panel of non-executive advisers, at least in setting the highest penalties, but it would be surprising if the ICO has not asked itself the same “feel right” question about the proposed fines for BA and Marriott. Despite this, and recognising that we are not yet aware of the full facts, there will doubtless be many who will take some persuading before they feel able to share the ICO’s view that, for the infringements at issue, the levels of the fines proposed feel about right.
What Comes Next?
We know that there are more GDPR fines in the pipeline. Elizabeth Denham has said recently that as well as the proposed fines for BA and Marriott there will be “… around another dozen over the summer period.” Of course we don’t know yet whether these will be in anything like the same league as the BA and Marriott fines, but once details start to emerge they should help us develop a fuller understanding of how the ICO intends to use its enhanced GDPR fining powers and, in particular, whether multi-million pound fines will be the exception or become the norm.
We should also gain a deeper understanding when we learn more about the ICO’s thinking behind the proposed fines for BA and Marriott. Once the ICO has made its final decisions we can expect that the penalty notices will be published, unless, in either case, the ICO decides not to proceed with a fine following the representations received. Assuming that substantial fines are, in the end, imposed, the signs are that they will be followed by appeals to the First Tier Tribunal (General Regulatory Chamber) and possibly beyond. From bitter experience I know that ICO witnesses are likely to be put under pressure at the Tribunal to justify the ICO’s reasoning and its decision making to a much greater degree than that required for the published penalty notice. As the Tribunal’s proceedings take place in public we may well learn more at this stage. Furthermore, whether or not the Tribunal upholds the ICO fines, we can expect that the Tribunal’s own reasoning, as outlined in its published judgment, will both influence the ICO going forward and add further to our own understanding.
Meanwhile the Swedish data protection authority has announced that, along with its Dutch and UK counterparts, it will chair an EDPB working group seeking to produce a set of common EU guidelines on the harmonisation of penalties for similar breaches of the GDPR across the EU. The guidelines are supposed to be completed and adopted next year, following which national guidelines will be revisited. On the face of it the creation of this working group can only be seen as a welcome step towards the desired goal of harmonisation in the treatment of businesses by the various EU data protection authorities. However, any such welcome might prove to be short-lived if the result of the working group’s endeavours is that the multi-million pound fines proposed by the ICO in the BA and Marriott cases become the norm throughout the EU. Of course it remains to be seen to what extent, if at all, the ICO will be permitted to continue to contribute to the activities of this working group after 31st October.