Another week, and Marriott International has secured yet another delay to its proposed GDPR fine, the fifth time its lawyers have managed to put off paying the £99m penalty since the hotel chain was slapped with a notice of intent by the Information Commissioner’s Office 15 months ago.
The ICO issued two notices to fine Marriott and British Airways a total of £282m within 24 hours of each other in July last year, but the latest delay means the regulator is no closer to levying the penalties.
Although the law only allows the ICO six months to confirm an intended fine, both penalties have been subject to repeated extensions.
Mishcon de Reya data protection advisor Jon Baines said: “This latest extension (no doubt as a result of robust defence of its position by Marriott, just as BA is no doubt defending its position) will be likely to add to concerns about the ICO’s ability, under the current regulatory scheme, to issue serious fines.
“Although GDPR allows for fines of up to 4% of global annual turnover, the only fine so far actually issued by the ICO under GDPR was one of £275,000.
“It is also important to consider whether this all might impact on any pending decision by the EU as to the ‘adequacy’ of the UK’s data protection regulatory regime post-Brexit.”
Last week it emerged that Germany has issued its 27th fine under the GDPR regime, bashing Swedish retail group H&M with a €35m (£31.9m) penalty.
Both the ICO and its Dublin counterpart, the Irish Data Protection Commission, have issued just one fine each since May 2018, but have scores of cases under investigation.
Germans issue 27th GDPR fine as H&M is hit for €35m
Marriott faces data loss claim – will it open floodgates?
Will it ever end? Now Marriott wins further GDPR delay
Fresh delay to Marriott and BA fines fuels ICO criticism
BA and Marriott block £282m GDPR fines – yet again
Hotel hell: Fresh Marriott data breach hits 5.2 million
BA and Marriott to escape GDPR mega fines…for now
ICO issues first GDPR fine, but it’s not BA or Marriott
Marriott sets aside £104m just in case GDPR plea fails
Now Marriott takes a £99m battering for GDPR failings
BA faces record £183m GDPR fine for data meltdown