Last year Ticketmaster were saying ‘Help!’ having been handed down a £1.25 million fine by the ICO. The ICO ruled that Ticketmaster had failed to implement appropriate security measures in relation to a third-party chatbot that was being used on certain Ticketmaster websites. Hackers had injected the chatbot with malicious code, allowing them to scrape personal data directly from users’ browser sessions. Almost 10 million customers across Europe were affected. To Ticketmaster’s credit, and after a hard day’s night, the chatbot was promptly disabled upon discovery of this breach, and potentially affected customers as well as the ICO were notified on the same day. However, as the ICO considered that third-party JavaScripts such as the chatbot were “known security risks at the relevant time”, and they alleged that Ticketmaster did not put in place suitable measures to negate those risks, the Commissioner saw it necessary to take action by issuing a Penalty Notice in November 2020.

Ticketmaster has appealed the level of the fine to the First-tier Tribunal – they did not want to let it be. In submitting the appeal to the Tribunal, Ticketmaster first denied that it had breached its GDPR obligations. In the alternative, it argued that the attack was unforeseeable and resulted from the chatbot’s third-party provider, Inbenta, both failing to maintain appropriate security and providing “false and misleading assurances as to the security of its software”. Ticketmaster also argued that any contraventions by Ticketmaster did not justify a monetary penalty, or if they did, that the penalty that was awarded was excessive.

Having submitted the appeal to the Tribunal, Ticketmaster became aware that 795 data subjects who had been affected by the breach were taking the long and winding road to High Court litigation. The High Court action also involves a Part 20 Claim against Inbenta, the provider of the hacked chatbot, which has also counterclaimed against Ticketmaster. Faced with two separate strands of litigation, an appeal against the fine in the Tribunal and a class action case in the High Court, Ticketmaster applied for a stay of proceedings in the Tribunal until 28 days after the High Court action had concluded.

Judge O’Connor considered the application, and last month granted the stay on the appeal proceedings. The Judge considered that the High Court decision would be of material assistance in resolving the issues before the Tribunal. While he noted that the granting of a stay in proceedings is the exception rather than the rule, the stay was granted because of the “substantial overlap” in the factual and legal building blocks of both cases. In reaching this conclusion, the Tribunal found that it would benefit from the fact that Inbenta would have to come together with Ticketmaster as a party to the High Court proceedings (whereas Inbenta is not a party to the Tribunal proceedings), so the Tribunal could consider the wider range of evidence and submissions heard by the High Court in order to make its decision. The Tribunal also took into account the minimal risk of prejudice to the ICO in granting the stay (given a delay would be preferable to two conflicting judgments).

It will now likely be a very long time before the outcome of Ticketmaster’s appeal is reached (assuming Ticketmaster and the data subjects cannot work it out) – probably not for another couple of years. Whilst this delay in enforcement action, which comes after the significant reductions in fines for BA and Marriott, is unfortunate for the ICO and highlights the potential vulnerability of its fines to challenge, it is better news for data controllers looking to avoid fighting on multiple fronts.