ICO’s Mega BA and Marriott Fines Delayed Again

Huge GDPR fines set to be levied by the UK regulator against British Airways and Marriott International have been delayed again as it considers representations from the multi-nationals.

BA owner the International Airlines Group (IAG) claimed in its Annual Report for last year that it has made “extensive representations” to the Information Commissioner’s Office (ICO) following its notice of intent to fine last July.

“As part of its procedures, the ICO will seek the views of other EU data protection authorities,” it continued.

“The ICO initially had six months from issuing the Notice of Intent to British Airways within which it could issue a penalty notice, which has been extended through to May 18 2020, to allow the ICO to fully consider the representations and information provided by British Airways.”

Unsurprisingly, the airline’s directors believe any fine should be “considerably lower” than the original £183.4m.

Meanwhile, a statement issued by Marriott, cited by a leading data protection lawyer, revealed: “We mutually agreed with the ICO to an extension of the regulatory process until June 1 2020.”

The hotel group was due to be fined £99m after a breach of 339 million customer records first notified in November 2018, while BA was on the hook for a Magecart attack which compromised 500,000 customers’ financial information.

The same legal expert, Mishcon de Reya data protection advisor Jon Baines, argued that the current COVID-19 crisis may mean those fines never now materialize, given that the ICO’s own guidance is for an erring company’s “ability to pay” to be considered when calculating a fine.

“As a public authority, the ICO has a general public law duty to take into account relevant factors when arriving at decisions. It is strongly arguable that if it failed to take into account the current effect, and the likely future effect, of COVID-19 on BA’s and Marriott’s finances, then any decision to issue a fine would be vulnerable to appeal or a successful application for judicial review,” he added.

“When the ICO announced its intent to serve these fines last year, some commentators questioned whether they would ever be served in the amount proposed, given the huge sums involved and the likelihood that the controllers would make strong representations against. No one could have predicted, however, that a public health pandemic would come to be a major factor in deciding the issue.”
