Just days after British Airways said it was expecting a 90% reduction in its proposed £138m GDPR fine, Marriott International has managed to secure yet another extension to its legal wranglings with the Information Commissioner’s Office.
The ICO issued two “notices of intent” to fine BA £138m and Marriott £99m within 24 hours of each other in July last year, but 13 months later and the regulator seems no closer to levying the penalties.
In May this year, the fines were kicked into touch for a third time, to this month, with Information Commissioner Elizabeth Denham blaming the coronavirus pandemic for the fresh delay.
However, Marriott has now secured an extension to September 30, although there is no news about a similar move from BA.
An ICO spokeswoman confirmed: “Under Schedule 16 of the Data Protection Act 2018, Marriott has agreed to an extension of the regulatory process until 30 September. We will not be commenting until the regulatory process has concluded.”
Earlier this week, BA’s parent company, IAG Group, said it had set aside just €22m (£19.78m) to pay the proposed £138m penalty.
In response, Mishcon de Reya data protection advisor Jon Baines said: “The effect of Covid-19 on the global travel sector was almost bound to lead the ICO to review the matters.
“It is notable that IAG talk about ‘any penalty’. Given the length of time which has elapsed since the original trigger hacking incident, and since the ICO announced its intention to fine, it must be far from certain that, ultimately, a fine of any sort will be issued.”
BA allots £20m for GDPR fine but may not pay a penny
Fresh delay to Marriott and BA fines fuels ICO criticism
‘Chicken’ ICO kicks adtech investigation into long grass
BA and Marriott block £282m GDPR fines – yet again
Hotel hell: Fresh Marriott data breach hits 5.2 million
BA and Marriott to escape GDPR mega fines…for now
2019 Review of the Year: Why it’s crunch time for GDPR
ICO issues first GDPR fine, but it’s not BA or Marriott
Marriott sets aside £104m just in case GDPR plea fails
Now Marriott takes a £99m battering for GDPR failings
BA faces record £183m GDPR fine for data meltdown
British Airways grovels as 380,000 hit by data breach