BA, Marriott privacy fines will hinge on GDPR's 'one-stop shop'
15 July 2019. By Vesela Gladicheva.
When British Airways and Marriott International heard that the UK's privacy watchdog planned to hit them with fines totalling 282 million pounds ($350 million), they got a taste of its ambition to punish companies for poor security practices and breaches that led to the exposure of customers' data.
But they would also have known that their cases are far from decided, with changes possible and even likely if data-privacy watchdogs elsewhere in the EU disagree with the findings of the Information Commissioner's Office. That process could run until October.
If the fines are upheld, they would be the biggest sanctions so far for a security breach under the EU's strict General Data Protection Regulation.
— Fine examples —
Last Monday, the ICO accused BA of having "poor security arrangements" that led to data belonging to 500,000 customers being exposed last year, including details of log-ins, payments, bookings, names and addresses. BA had also experienced IT system failures earlier in the year.
The next day, the watchdog said Marriott had lacked due diligence when it acquired Starwood Hotels in 2016, whose computer network had been hacked in 2014. Marriott "should have done more to secure its systems," the ICO said. In the 2014 breach, which was discovered only in 2018, personal data in around 339 million guest records worldwide were compromised, with 7 million relating to UK residents.
It proposed a fine for BA of 183 million pounds — 1.5 percent of its annual global sales for 2017 — and for Marriott of 99 million pounds, which represents 2.5 percent of its annual global sales for 2017. BA and Marriott each have 28 days to defend their position before the ICO.
The fines set the tone for the ICO's expectations of the security of corporate systems and databases, including in upcoming decisions on high-profile data breaches affecting Ticketmaster and Dixons Carphone Warehouse, for which the ICO has ongoing investigations.
More widely — and more importantly — they also pave the way for much heftier sanctions under the GDPR, which allows for maximum penalties of 4 percent of annual sales. If confirmed, both fines would dwarf the previous record, of 50 million euros ($56 million) against Google by France's privacy regulator in January.
— EDPB process —
The ICO could well adjust its final decision based on the companies' representations in the coming weeks.
But of more significance is that its findings will then be further scrutinized by privacy regulators in other EU member states where citizens fell victim to the two breaches.
Under the GDPR's "one-stop shop" mechanism for cross-border cases, other national watchdogs act as "concerned authorities." That means the regulator in the country where an international company has its main EU establishment leads the investigation — in the BA and Marriott cases, the ICO — with input from regulators in other EU countries that also have skin in the game.
Should national authorities fail to agree on how to address the cases, an EU-level umbrella group of national privacy watchdogs, the European Data Protection Board, or EDPB, would have the power to issue binding decisions.
This input and resolution mechanism will kick off as soon as the ICO has submitted its findings to the EDPB. At the moment the ICO retains exclusive authority while it gives the companies a chance to address its concerns.
The ICO updated its counterparts about the two fines at a regular meeting of the EDPB in Brussels last week, a spokeswoman for the regulator told MLex. It explained that it had published its draft decisions — which normally remain confidential under the cross-border procedure — because UK financial rules obliged BA and Marriott to disclose the amounts of the upcoming fines.
— Regulators' interest —
Last December, the regulators from Cyprus and Denmark told MLex that they were ready to take part in a bloc-wide investigation, while those in Ireland and Italy said they would follow the case closely. Some of these watchdogs subsequently received complaints about the Marriott breach.
Shortly after the ICO announced the draft fines, the Norwegian data-privacy watchdog said that both cases affect Norwegian customers, and that the authority would have the chance to comment on the final decision, including the level of the fine.
Speaking to MLex on the sidelines of a conference* in Brussels last week, UK Information Commissioner Elizabeth Denham said that all other European data-protection regulators are affected by the two breaches, but that it was hard to tell which would take up the opportunity to comment on her decisions.
The regulators will be able to react once BA and Marriott have had their 28 days to defend their position before the ICO. The resulting fine will be divided up between the various national data-protection enforcers.
Should the EDPB issue a decision in the event of disagreements between the ICO and other domestic regulators, that would be binding on the ICO.
But BA and Marriott would be able to contest the validity of that decision, and their challenge would end up before the EU Court of Justice, as long as the court's jurisdiction still extends to the UK, given the current uncertainty of the Brexit process.
That would delay the outcome of the cases even further, and with it clarity for all companies about how their responses to data breaches will be judged.
— Litigation threat —
On top of the massive looming fines, BA and Marriott both face the threat of group litigation in the UK, which, if allowed to proceed, could expose them to millions of pounds in damages claims.
In the group litigation against BA led by SPG Law, which currently has around 5,500 claimants, participants would receive around 2,000 pounds in damages on average.
Hayes Connor Solicitors is also leading action against BA and Marriott on behalf of 500 clients.
* With additional reporting by Matthew Newman in Brussels.