UK data watchdog kicks £280m British Airways and Marriott GDPR fines into legal long grass
The UK Information Commissioner’s Office has kicked £280m in data breach fines against British Airways and US hotel chain Marriott into the long grass.
As spotted by City law firm Mishcon de Reya, the ICO has extended the time before it will fine the two companies what it claimed would be a total of £282m, split between BA’s £183m and Marriott’s £99m.
In a statement the UK’s data protection regulator said: “Under Schedule 16 of the Data Protection Act 2018, BA [and Marriott] and the ICO have agreed to an extension of the regulatory process until 31 March 2020. As the regulatory process is ongoing we will not be commenting any further at this time.”
When the ICO announces a “notice of intent” to fine companies, this is not the same thing as actually handing out the penalty. Companies (and individuals) targeted for fines like this can then, in the jargon, “make representations” about the size of the punishment.
The ICO threatened British Airways with the jumbo-sized fine after the airline suffered the breach of 380,000 people’s personal and financial details between August and September 2018.
As for Marriott, the ICO bared its fangs at the American hotel chain after 383 million customer booking records went AWOL in 2018.
Mishcon’s data protection adviser, Jon Baines, told The Register that he suspected both companies had deployed similar legal arguments to Facebook when it fought back against a Cambridge Analytica-linked fine.
He said: “It’s important to note that the extension could only be by agreement with BA and Marriott (they could have just said ‘no’). One does wonder in what way an extension was seen by them, therefore, to be a favourable outcome, and, on the information available, I’m struggling to see any way in which they would have agreed to an extension without some quid pro quo.”
While it is possible, in Baines’ view, that “that the delay is solely because it’s jolly difficult to deal with all the necessary administrative requirements within a six-month window,” he pointed The Register to a blog post discussing exactly what legal arguments Facebook deployed to get an ICO fine watered down.
He opined: “It’s worth remembering the ICO is a relatively small regulator (although large compared to its European counterparts) with a limited legal budget.”
According to the ICO’s published management accounts (PDF), its legal budget is a smidgen over £2m per year.
“Assuming,” continued Baines, “that BA and Marriott decided they should not simply accept the intended fines, they will have no doubt put whatever they think is an appropriate legal budget towards making representations – when threatened with a fine in the tens of millions of pounds, such a budget might well dwarf the ICO’s.”
British Airways declined to comment. Marriott had not responded to our request for comment by the time of publication.
There is nothing obliging the ICO to publish the final outcome of its negotiations with BA and Marriott, though The Register will be asking again nearer the due date.