On April 9, 2021, the First-Tier Tribunal of the General Regulatory Chamber stayed proceedings in Ticketmaster UK Limited’s (“Ticketmaster’s”) appeal against a fine issued by the UK Information Commissioner’s Office (“ICO”) until 28 days after a judgment in civil litigation brought by 795 customers against Ticketmaster. The group action, which relates to the breach for which Ticketmaster was fined by the ICO, is currently before the High Court in England. As a result of the stay in proceedings, the appeal likely will not be heard before the Tribunal until mid to late 2023.
The ICO levied the £1.25 million fine against Ticketmaster on November 13, 2020, after finding that Ticketmaster had failed to implement appropriate security measures to prevent a cyber attack, breaching the requirements of Articles 5(1)(f) and 32 of the EU General Data Protection Regulation (“GDPR”). The supply chain attack in question started in February 2018 after malicious code was injected into a chatbot included on Ticketmaster’s payment page, allowing the attacker to harvest payment data of Ticketmaster users. The attack did not affect Ticketmaster’s own systems, but rather those of the provider of the chatbot, Inbenta Technologies Ltd (“Inbenta”).
Ticketmaster appealed the fine on the basis that it had not breached its obligations under the GDPR, and that the cyber attack was an unforeseeable criminal attack on Inbenta, which failed to maintain appropriate security, and which made false and misleading assurances as to the security of its software. Ticketmaster argued that any failures by Ticketmaster did not justify a fine, and, alternatively, that the fine imposed was excessive. Ticketmaster has also brought a Part 20 claim against Inbenta seeking damages and indemnification or contribution, which will be tried and managed in conjunction with the group action against Ticketmaster. The trial is expected to take place in September 2022.
The Tribunal considered it likely that the appeal proceedings would be “materially assisted” by a substantive judgment in the High Court proceedings, due to the “substantial overlap in the fundamental factual and legal building blocks required to reach a resolution in each of the proceedings.” Fundamentally, the issues in both sets of proceedings relate to whether or not a breach of Article 5(1)(f) of the GDPR occurred.
The Tribunal also considered it highly relevant that Inbenta would be a party to the High Court proceedings and able to provide direct evidence, which may assist in establishing the underlying facts of the case, something Inbenta does not have the opportunity to do as part of the appeal proceeding in the Tribunal. Upper Tribunal Judge O’Connor commented that he had “no doubt that justice will be enhanced in the Tribunal by awaiting a judgment of the High Court that has considered Inbenta’s evidence and submissions.”
Judge O’Connor also emphasized that the stay was granted on the basis of the specific facts underlying the case and that the conclusion reached on this point should not have any bearing on other appeals based on different facts.