Will it ever end? Now Marriott wins further GDPR delay

Just days after British Airways said it was expecting a 90% reduction in its proposed £183m GDPR fine, Marriott International has managed to secure yet another extension to its legal wranglings with the Information Commissioner’s Office.

The ICO issued two “notices of intent” to fine BA £183m and Marriott £99m within 24 hours of each other in July last year, but 13 months later and the regulator seems no closer to levying the penalties.

In May this year, the fines were kicked into touch for a third time, to this month, with Information Commissioner Elizabeth Denham blaming the coronavirus pandemic for the fresh delay.

However, Marriott has now secured an extension to September 30, although there is no news about a similar move from BA.

An ICO spokeswoman confirmed: “Under Schedule 16 of the Data Protection Act 2018, Marriott has agreed to an extension of the regulatory process until 30 September. We will not be commenting until the regulatory process has concluded.”

Earlier this week, BA’s parent company, IAG Group, said it had set aside just €22m (£19.78m) to pay the proposed £183m penalty.

In response, Mishcon de Reya data protection advisor Jon Baines said: “The effect of Covid-19 on the global travel sector was almost bound to lead the ICO to review the matters.

“It is notable that IAG talk about ‘any penalty’. Given the length of time which has elapsed since the original trigger hacking incident, and since the ICO announced its intention to fine, it must be far from certain that, ultimately, a fine of any sort will be issued.”