Those who predicted that British Airways and Marriott International might never have to pay the record fines – totalling £282m – for breaches of GDPR will be raising a wry smile following confirmation of an 11th-hour agreement to extend the “regulatory process” for another three months.
The Information Commissioner’s Office issued its first GDPR notice of intent to fine BA on July 8 last year, with the company facing a £183.39m penalty for the 2018 data breach, which saw the personal data of hundreds of thousands of customers compromised.
A day later, the regulator issued another notice of intent, this time to Marriott International over a proposed £99.2m penalty for flouting the regulation. The fine relates to a cyber incident that Marriott self-reported in November 2018, which exposed about 339 million guest records globally, of which around 7 million relate to UK customers.
The law gives the regulator a strict six-month period from serving a notice of intent to confirming the monetary penalty, meaning that the ICO only had until this week to serve both fines.
However, the legislation does allow the period to be extended if the regulator and the offending company agree to an extension.
The ICO has yet to publicly confirm an agreement but issued a statement to law firm Mishcon de Reya which reads: “Under Schedule 16 of the Data Protection Act 2018, [both BA and Marriott] and the ICO have agreed to an extension of the regulatory process until 31 March 2020. As the regulatory process is ongoing we will not be commenting any further at this time.”
Quite how the process has evolved is anyone’s guess as all parties have been tight-lipped since July. Any notice of intent starts a process in which those accused of breaches can submit representations to the ICO in response to the penalties.
This process lasts a minimum of 21 days, with the representations covering how the breaches occurred, mitigating information, what actions the companies have taken, and details of any further remediation steps. The representations may also put forward arguments as to why the ICO should not take regulatory action, and request a reduced penalty.
In the only other case the ICO has brought under GDPR, published just before Christmas, London-based pharmacy Doorstep Dispensaree secured a major reduction in its fine from £400,000 to £275,000 following its own “representations” to the regulator.
Both BA and Marriott have strenuously denied any wrong-doing. In July, BA said it planned to make representations to the ICO and “take all appropriate steps to defend the airline’s position vigorously”.
Meanwhile Marriott confirmed its intent to “vigorously defend its position”, although according to its results – published just weeks after the notice of intent was issued – the hotel giant has set aside $126m (£104m) just in case.
The pressure is on the ICO to get these fines through, although recent “procedural issues” have raised more than a few eyebrows.
Many data protection experts are still questioning how Facebook managed to get the regulator to agree that it was not liable for the Cambridge Analytica scandal, despite coughing up the £500,000 fine.
An appeal tribunal had already raised questions about the “procedural fairness and allegations of bias on the part of the ICO” and ruled that the regulator should be required to “disclose materials relating to its decision-making process”.
And, at an appeal against fines issued to Eldon Insurance and Leave EU last month, the ICO’s legal counsel was forced to admit that its own standards had fallen “well below” expectations following “procedural errors”.
While a decision on the Eldon Insurance and Leave EU fines is expected in the next few weeks, it seems that the industry will have to wait many more months for the final BA and Marriott rulings – and anything up to a year if they both decide to appeal.