Here we examine the biggest compliance news stories in 2019, from major data breaches and discrimination awards to billion-dollar fines.
For the third time in two years, Google was fined by the European Commission for anti-competitive practices, this time €1.5 billion.
Prosecutors accused Google of abusing its dominant position (it enjoys more than 90% of the search market) by preventing its rivals from placing online adverts on its search results pages.
EC commissioner Margrethe Vestager said, "Google has cemented its dominance in online search adverts and shielded itself from competitive pressure by imposing anti-competitive contractual restrictions on third-party websites. This is illegal under EU antitrust rules."
This latest fine brings Google's total fines to €9 billion since 2017. However, critics argue that these fines have done little to change the tech giant's dominance. Instead, they suggest that behavioural remedies - such as being forced to divest DoubleClick or Waze - might have more of an impact.
The UK Information Commissioner's Office (ICO) signalled its intention to fine British Airways a record £183 million (around 1.5% of its global turnover) over its data breach in 2018. This dwarfed the previous record of £500k, handed to Facebook under the Data Protection Act (DPA): the BA fine is 367 times higher.
In summer 2018, customers booking flights via the BA app or website were redirected to a fake website that harvested their personal data. BA did not report the breach until September 2018.
Andrew Dwyer, an Oxford University cyber-security expert, explained: "The ICO fine shows how serious some of BA's failings were with its payment processing both on its website and its app."
In another first, the ICO acted as the lead supervisory authority on behalf of other EU data protection authorities whose citizens were also affected by the hack.
"People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That's why the law is clear - when you are entrusted with personal data you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
Elizabeth Denham, Information Commissioner
UniCredit Bank is to pay $1.3 billion in penalties after it admitted processing "hundreds of millions of dollars of transactions" on behalf of sanctioned Iranian entities through the US financial system. Over ten years, the bank moved $393 million through the US financial system and also conspired to conceal the restrictions.
When the bank introduced an automated 'embargo tool' to flag transactions likely to violate sanctions, its compliance department issued an instructional guide - effectively providing a workaround to enable employees to dodge red flags and process transactions in an "OFAC-neutral" way, according to the regulator.
Swedish telecoms company Ericsson has agreed to pay two US regulators over $1bn for a "years-long corruption campaign" involving numerous bribes, slush funds and gifts across its operations.
It will pay the Securities and Exchange Commission (SEC) $540 million - the second biggest FCPA fine after Petrobras - and the US Department of Justice over $520 million, after paying bribes across five countries "to solidify its grip on the telecommunications business".
The Justice Department said, "Ericsson's corrupt conduct involved high-level executives and spanned 17 years and at least five countries, all in a misguided effort to increase profits."
It had slush funds that were used to pay corrupt officials in Djibouti, China, Vietnam, Indonesia and Kuwait. Payments were made via agents and intermediaries, using fake invoices for non-existent consulting services.
In addition, the firm did not receive full credit for cooperating with the DOJ, having failed to disclose allegations of corruption regarding two matters. It was also late providing information requested by the regulator and failed to "take adequate disciplinary measures" against those involved.
"Ericsson conducted telecom business with the guiding principle that 'money talks.' Today's guilty plea and surrender of over a billion dollars in combined penalties should communicate clearly to all corporate actors that doing business this way will not be tolerated."
Geoffrey S. Berman, US Attorney of the Southern District of New York
The National Crime Agency (NCA) successfully froze over £100m after being granted Account Freezing Orders (AFOs) on eight bank accounts.
The money - thought to be the proceeds of overseas bribery and corruption - is the largest amount ever frozen since the powers were introduced under the Criminal Finances Act 2017. The NCA now needs to establish whether the funds are derived from unlawful conduct.
It was not the first time these powers had been used. Around £20m was similarly frozen in December 2018. And, separately, seizures were made from the son of Moldova's prime minister and the niece of the Syrian President, Bashar al-Assad.
A spokesman said, "…the NCA has used new powers such as Unexplained Wealth Orders and Account Freezing Orders to target suspected illicit assets, and we are already seeing some far-reaching impact of this activity".
The Crown dependencies of Jersey, Guernsey and the Isle of Man have finally agreed to introduce public registers establishing the real owners of faceless shell companies registered in their jurisdictions ... albeit not until 2023!
While there is some concern about why it will take so long, the U-turn is being heralded as an important victory for transparency and a boost to efforts to combat tax evasion and money laundering.
The Tax Justice Network released its Corporate Tax Haven Index, which ranks each country's tax system based on the degree to which it is complicit with and facilitates corporate tax avoidance.
It estimates that multinationals duck around $500 billion in corporation tax globally each year, which, it also points out, is 20 times the UN's entire annual humanitarian aid budget.
"The era of secrecy is a thing of the past and other tax havens must now make their own moves to bring the real people behind anonymously owned companies out of the shadows. Any state failing to do so will be left behind."
Naomi Hurst, Global Witness
The UK Gambling Commission (UKGC) has fined Petfre Ltd (operating as Betfred) £322,000 for failing to carry out sufficient source of funds (SOF) checks on one of its customers.
The customer deposited £210,000 and lost £140,000 over a 12-day period in November 2017. This led to a request to provide SOF, which the customer ignored, raising "significant concerns regarding the effectiveness of [its] policies and procedures" according to the UKGC.
In fact, the money that the customer spent with Betfred (and other operators) was stolen, and the customer has since been convicted of a £2m fraud.
Online and land-based operators need to ensure they are complying with their AML obligations.
Last month, the UKGC also fined Silverbond Enterprises £1.8m for social responsibility and AML failings at its Park Lane Club.
In November 2019 came news that McDonald's had fired its CEO, Steve Easterbrook, for a consensual relationship with an employee, a clear violation of company policy. An overreaction, some wondered, given the impressive results under his tenure, which saw a doubling of the company's share price?
Then, just one week later, came news of a class-action lawsuit in Michigan by at least 50 of its workers alleging a "systemic problem" of harassment at the company - including by restaurant managers and with underage staff also targeted.
An attorney said the cases were "emblematic of a systemic problem of sexual harassment at McDonald's across the nation". As well as $5 million in compensation, workers want better policies with anti-harassment measures and a confidential channel for reporting complaints.
Now the firing makes sense. Sharyn Tejani of Time's Up Legal Defense Fund explains, "The fact that their own CEO is violating their policies gives you an idea of how un-seriously McDonald's take workplace sexual harassment."
The Financial Conduct Authority has fined Standard Chartered £102.2m for poor financial crime controls.
The bank also had to set aside a further $900m to cover US and UK probes into US sanctions violations and currency trading issues, effectively wiping out its profits for the second half of 2018.
Let's start with the big news of the month. On 21 January 2019, the Commission Nationale de l'Informatique et des Libertés (CNIL), France's data protection regulatory authority, fined Google a record fifty million (50,000,000) euros - the largest and most high-profile fine so far for violation of the General Data Protection Regulation (GDPR).
Although the size of this fine is eye-catching, what was more interesting for us is what exactly it was for and what other companies can learn from it for their own GDPR compliance.
The fine was for Google's lack of transparency, inadequate information and lack of valid consent regarding ads personalisation. The CNIL pointed out three key breaches:
The GDPR specifies eight individual rights, of which the first is the data subjects' right to be informed about the essential details of the data processing.
The CNIL noted that Google had dispersed essential information, such as the categories of personal data, the purpose of the processing, and the data storage periods for data used for ads personalisation across several web pages such that a user would have to click around several links to be able to get all the information. On this basis, CNIL concluded that the information was not easily accessible.
The first of the six principles of the GDPR is Lawfulness, Fairness and Transparency. Companies need to be clear, open, and honest with people about how they will use their personal data.
But the CNIL found that the information Google provided was not always clear or comprehensive, making it difficult or impossible for users to understand the content.
Under the GDPR, consent, if chosen as a lawful basis, must be 'informed', 'freely given', 'unambiguous' and 'specific'.
Google states that it relies on consent as the lawful basis for ads personalisation, but the consent it had obtained was neither 'specific' nor 'unambiguous', nor was it sufficiently 'informed'. For instance, the "I agree with Google's terms of service" tick-box was presented to users ahead of the boxes with more detailed options.
If you'd like to stay up to date with best practices, industry insights and key trends across regulatory compliance, digital learning, EdTech, and RegTech news, subscribe to Skillcast Compliance Bulletin.