The two proposed penalties — Marriott at $130.4 million (£99.2 million) and British Airways at $241.1 million (£183.4 million) — came within a day of each other last July, but not much has been heard since then.
Well, it looks like we’re going to have to wait a bit longer to see how big a hit — if any — the two companies will face. The Information Commissioner’s Office (ICO) said that separately both British Airways and Marriott had “agreed to an extension of the regulatory process until 31 March 2020.”
The ICO added that in both cases, “the regulatory process is ongoing, we will not be commenting any further at this time.”
So, what should we read into this delay?
Heading for a Climbdown?
The decision to push for more time — and the agreement of both companies — points to some degree of conciliation.
Before the European Union’s new General Data Protection Regulation (GDPR) rules came into place, the maximum fine possible was $657,000 (£500,000), a figure Facebook agreed to pay following an investigation into the misuse of personal data in political campaigns, without admitting any liability.
Although the punishments handed out to both Marriott and British Airways were several orders of magnitude higher, it’s worth remembering that the headline amounts were only provisional figures. In both cases the ICO said it would “consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision.”
Might the regulator now be preparing the ground for a significant climbdown?
“Although one is generally loath to make predictions, it is sometimes interesting to speculate. With that in mind, it would perhaps not be enormously surprising to find out that the proposed fines for British Airways and Marriott don’t materialize, or — at least — aren’t of the size they were initially proposed to be,” wrote Jon Baines, a data protection advisor for law firm Mishcon de Reya, in a blog last November.
Interestingly, Baines suggested that the whole procedure might have been unintentional. The ICO frequently serves notices of intent that are not made public, but because of the money now involved — thanks to the new beefed-up data laws — both Marriott and British Airways had to go public via stock market announcements, pushing the action into the public realm.
The regulator is now in a position where any significant reduction in the level of fine would make it look toothless — and therefore the higher level of fines allowed under the new regime pretty pointless.
“It’s standard practice for the ICO to issue penalties for security foul-ups — they did it for 10 years under the old Data Protection Act, so fines at some level is no surprise,” said Tim Turner, a data protection expert and director of 2040 Training.
“However, these would be the biggest data protection fines anywhere in Europe, and the ICO is uncharacteristically reluctant to go ahead, despite great fanfare for action on Facebook and other big companies.”
Why Were British Airways and Marriott Fined?
Marriott and British Airways were both reprimanded under the European Union’s new stricter data protection laws, which allowed much bigger fines.
In British Airways’ case, it was linked to a data breach in 2018 where around 500,000 customers had their personal data compromised. Hackers were able to access log-in, payment card, and travel booking details as well as name and address information.
Skift asked British Airways about the extension and the fine. A spokesperson said: “I believe the ICO statement covers all the information, so we won’t be adding anything further. Both sides agreed (to) the extension. For your guidance, the fine was always a proposed figure and was never intended to be finalized or imposed until after the investigation as set out in the legislation.”
Marriott’s fine is related to a data breach at Starwood Hotels & Resorts, which it bought in 2016 for $13.3 billion. The company notified authorities in November 2018, but the vulnerability in Starwood’s IT systems went back to 2014.
A spokesperson for Marriott said: “The regulatory process involving the Information Commissioner’s Office (ICO) in the United Kingdom in relation to the Starwood Data Security Incident is ongoing, and we will not be commenting further at this time. And yes, Marriott and the ICO have agreed to an extension of the regulatory process.”