Multimillion-pound fines issued to British Airways and Marriott International by the UK’s Information Commissioner’s Office (ICO) under the European Union (EU) General Data Protection Regulation (GDPR) have again been deferred pending the completion of further investigations.
The fines of £183m and £99m, respectively, were imposed in the summer of 2019 following data breach incidents that unfolded at BA and Marriott during 2018 and, if successfully levied, will be by far the largest fines issued under GDPR laws to date.
In a brief statement, an ICO spokesperson confirmed that “the regulatory process is ongoing in both BA and Marriott”, but offered no further information.
Under the rules, the ICO would normally have six months from giving notice of intent to fine organisations, during which it can issue a penalty notice to levy a fine. Both BA and Marriott have already received one initial extension back in January 2020. These were due to expire at the end of March.
The latest extensions appear to have been granted to give the ICO more time to conduct further investigations, consider the companies’ representations regarding the fines, and seek the views of other EU data protection regulatory authorities.
In its annual report, BA parent IAG said the six-month period had now been extended to 18 May 2020, while according to Politico, which was first to report the story, Marriott’s deferral will be to 1 June 2020.
Even if the fines are levied within this time, both organisations will be able to lodge further appeals.
In addition to the ongoing representations, BA and Marriott are both currently suffering extensive losses due to the almost universal curtailment of business and leisure travel during the developing Covid-19 coronavirus pandemic.
Although there is no indication from any party involved that the pandemic is a factor in the latest extensions, Chad McDonald, vice-president of customer experience at Arxan Technologies, said the decision to defer the fines further made sense in the current circumstances.
“BA and Marriott happen to be in two of the hardest-hit industries,” he said. “I think it’s a reasonable expectation that the ICO will delay penalties until either industry begins to bounce back.
“The alternative is that the hundreds of millions in penalty payments could drive additional layoffs at BA and Marriott. At a time like this, I don’t think that benefits anyone. While travel has largely stopped globally, both organisations still hold consumers’ personal data and require resources to help protect it.
“Pushing them to pay penalties now after they’ve already been bludgeoned by coronavirus doesn’t seem to support that goal.”
Marriott is also dealing with the fall-out from a second – albeit much smaller – breach of customer information that was first disclosed at the beginning of April 2020.
The latest breach of its systems is understood to have unfolded after cyber criminals used the compromised login credentials of two Marriott franchise employees to access data on 5.2 million customers.
Marriott said the breach took place between January and February 2020. The firm has established a self-service online portal for affected customers and is also offering an option to take up a 12-month subscription to Experian’s IdentityWorks data monitoring service for free.