Information Commissioner Elizabeth Denham has found herself in hot water for the second time this week after she used a conference address to reveal that the intended GDPR fines for British Airways and Marriott International – totalling £282m – have been pushed back a third time to August, over a year after the publication of the “notices of intent”.
Perhaps unsurprisingly, the move has sparked further criticism of the regulator, which earlier this week was accused of “chickening out” of investigating the adtech industry despite expressing serious concerns about the sector’s abuse of personal data in June last year.
While there has been no official line on the new delay, Denham also hinted that neither company will be facing the original penalty.
Denham added: “When it comes to an airline and…a hotel chain that are both significantly hit with the results of the pandemic, there will have to be a reexamination of the financial case of each of those companies.”
In a blogpost, Mishcon de Reya data protection advisor Jon Baines said: “Only one fine has as yet been issued by the ICO under GDPR in the two years it has been in place. This is in notable contrast to some of the ICO’s peer supervisory authorities (Germany and Spain have issued more than 20, for instance, while France and Italy have each issued around ten).
“One would expect news of this significance to be made openly and transparently, in line with the ICO’s statutory duty under GDPR to promote public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data, and its own communications policy which says that it aims to be an ‘effective, open and transparent regulator’.”
Baines goes on to point out that while “regulatory forbearance is understandable during this time of pandemic” it is important for all organisations who must comply with GDPR to understand how the ICO will assess the sanctions for infringements.
He added: “At the time the intended fines were announced questions were asked about whether the proposed sums were sustainable, and until there is some finality to these investigations, uncertainty will prevail. It seems clear that any fines which eventually emerge from this protracted process are likely to be considerably lower than ICO initially envisaged.”