UK data watchdog having a hard time making GDPR fines stick: Marriott scores another extension, BA prepares to pay 11% of original £183m penalty

Updated British Airways expects the fine for its 2018 credit card data leak to be just 10.8 per cent of the original £183m proposed by the UK data watchdog – while US hotel chain Marriott has both halved and kicked its own data protection fine into the long grass once again, The Register can reveal.

Marriott has secured an extension for fine negotiations to 30 September, having secured two already; one from January to 31 March and a second that ran through May. On top of that, the company set aside $65m (£49.6m) to cover its fine, down from the Information Commissioner’s original intention to impose a £99m penalty.

In its Q4 FY2019 financials published in May, Marriot’s bean counters said [PDF]: “Based on the ongoing proceeding involving the UK Information Commissioner’s Office (ICO), in the fourth quarter the company also reduced to $65 million the non‐tax deductible accrual recorded in the second quarter of 2019 for the fine proposed by ICO in July 2019 in relation to the data security incident.”

That “data security incident” happened in November 2018 when 383 million customer records were stolen from Marriott brand Starwood Hotels’ servers, including guests’ names, passport numbers, dates of birth, postal addresses, dates of stays and more.

An ICO spokeswoman confirmed the latest extension of Marriott’s fine negotiation period to The Register, saying: “Under Schedule 16 of the Data Protection Act 2018, Marriott has agreed to an extension of the regulatory process until 30 September. We will not be commenting until the regulatory process has concluded.”

Sticky business

Jon Baines, a data protection law expert from City firm Mishcon de Reya, told The Register that the ICO appeared to be having problems imposing its fines before COVID-19 decimated the travel industry.

“It’s worth remembering that the process was already delayed before COVID hit, so clearly these were not going to be straightforward fines and ICO appears to have already had trouble ‘making them stick’,” he said. “What’s also notable is that, more than two years on from GDPR coming into application, there has only been one actual fine issued by ICO, against Doorstep Dispensaree, and which DD were reported to have appealed.”*

News that BA owner International Airlines Group (IAG), headquartered in Spain, had set aside just €22m (£19.8m) for its data protection fine was first broken by Bloomberg when IAG’s results were published on 31 July.

IAG’s accountants said in the firm’s financials for H1 FY2020 [PDF, 39 pages], referring to cash put aside for the fine: “The exceptional charge of €22 million represents management’s best estimate of the amount of any penalty issued by the Information Commissioner’s Office (ICO) in the United Kingdom, relating to the theft of customer data at British Airways in 2018. The process is ongoing and no final penalty notice has been issued.”

The sum is a 89 per cent decrease from the ICO’s originally mooted penalty of £183m. An ICO spokeswoman told The Register: “The regulatory process is ongoing and we will not be commenting until it has concluded.”

BA and its parent company have been battling through the shutdown of European air travel for several months. Though some flights have resumed, demand is so low that the airline is scrapping its Boeing 747 fleet and is proposing to make redundancies and slash contractual terms and conditions to cut its overheads.

Mishcon’s Baines pondered whether the amount of ICO effort devoted to the two cases had disrupted its other data protection enforcement work: “One wonders if the effect of the BA and Marriott investigations has also been to cause work on other enforcement action to be paused, or at least delayed,” he mused, referring to boasts from Information Commissioner Elizabeth Denham last year that she was about to announce more big GDPR fines.

Data protection fines across the European Union are generally increasing, though with Britain having issued just three fines since the EU regulation was enforced across the political bloc in 2018, it seems unlikely that we’ll be contributing to this trend. The current regulatory regime, enshrined in UK law as the Data Protection Act 2018, is expected to continue in force after Britain leaves the bloc in January. ®

Bootnote

Doorstep Dispensaree was said by the ICO in December to have left behind half a million pharmacy patient records in an unlocked cabinet at its premises in Edgware, northwest London. It was fined £275,000. The business appealed to the First-Tier Tribunal in March and the case, like all appeals against the ICO, is currently suspended.

Updated to add

A Marriott mouthpiece sent us the following statement: “Marriott and the ICO have mutually agreed to an extension of the regulatory process until September 30, 2020. The regulatory process is ongoing and we will not be commenting further at this time.”

READ MORE HERE