British Airways and Marriott International have agreed to cough up the combined £38.4m they owe in GDPR fines, although it will be “years” before the penalties are finally settled as they have both secured confidential payment plans.
The Information Commissioner’s Office issued both penalties last October following 15 months of legal wrangling; the ICO’s other GDPR fines, £1.25m against Ticketmaster and £275,000 against Doorstep Dispensaree, are both still under appeal at the First Tier Tribunal.
The BA case dates back to September 2018, when the airline “self-reported” a cyber attack, triggering an ICO probe.
The incident in part involved user traffic to the BA website being diverted to a fraudulent site, and the ICO’s investigation found that a variety of information had been compromised by poor security arrangements, including login, payment card and travel booking details, as well as name and address information.
The regulator then issued a “notice of intent” on July 8 2019 to fine the airline £183m; a day later it issued another notice of intent to fine Marriott International £99m for a cyber incident which exposed 339 million customer records globally, of which over 30 million were in the EU and 7 million in the UK.
In October last year, it was announced that BA had secured a reduction of nearly 90% to £20m, while Marriott had hammered down its penalty to £18.4m; however, there had been no word about whether they were going to appeal.
Confirming the arrangement, an ICO spokesperson told Decision Marketing: “The ICO agreed payment plans with both BA and Marriott for the fines to be paid in instalments over a number of years. Both companies have made payments to date in accordance with those payment plans.”
While ICO critics will no doubt see the payment plans as further evidence of what they claim is the regulator’s toothless approach, the fact that both companies have agreed to pay will be welcomed by the ICO – and ultimately by the Treasury.
Non-payment of fines has been a major issue for the watchdog; in January, a Decision Marketing analysis revealed that of the £43.75m levied in penalties since January 2019 (including BA and Marriott’s £38.4m), just £1.2m had actually been paid.
At the time, ICO group manager of investigations Natasha Longson claimed that company directors were becoming increasingly aware of the ICO’s “robust strategy”.
In a blog post, she added: “They’re telling us that they want to avoid insolvency and other potential action such as disqualification; making more concerted efforts to pay company fines rather than shutting down their business via liquidation.
“There will always be those who will try to walk away from fines and we’re doing all we can to ensure they pay and limit the risks of further breaches and ultimately protect the public from abuse of their privacy rights.”