The Information Commissioner’s Office has once again failed to deliver the GDPR killer blow to both British Airways and Marriott International – and fines of £183m and £99m respectively – after being forced to defer the rulings for the second time.
The landmark rulings were made within 24 hours of each other in July last year, and, under GDPR, the regulator only had a six-month window in which it could levy the monetary penalties.
However, the legal wranglings were still ongoing when the first deadline came, in January this year, with all parties signing an 11th-hour agreement to extend the “regulatory process” for another three months.
This period was due to expire early next week but, according to Politico, the annual report of BA’s parent company IAG states that the period for issuing the fine “has been extended through to May 18, 2020”.
Meanwhile, Marriott has released a statement which said: “We mutually agreed with the ICO to an extension of the regulatory process until June 1, 2020.”
Both companies have strenuously denied any wrong-doing. BA said it planned to make representations to the ICO and “take all appropriate steps to defend the airline’s position vigorously”; Marriott said it would “vigorously defend its position”.
These new delays are a huge embarrassment for the once-bullish ICO, which would have wanted the fines to make a huge statement about its no-nonsense approach and to send a warning over the need for robust data security.
Of course, since the notices of intent were published, both companies have been decimated financially by the coronavirus pandemic.
The IAG share price has plummeted from a high of 684p in January to around 201p now, slashing its market capitalisation from £12bn to £4bn.
Marriott’s share price has fallen from $150.78 in February to $74.81, halving its market cap from $50bn to just under $25bn. The company has also furloughed tens of thousands of its workers amid a swathe of hotel closures and this week has been hit by a second data breach.
Perhaps unsurprisingly, the regulator has not published anything on its website about the matter, but has since confirmed that “the regulatory process is ongoing” in both cases.