British Airways, Marriott expect cuts in UK GDPR fines, win more time to argue

30 Mar 2020 12:00 am by Vesela Gladicheva

British Airways and Marriott International are expecting dramatic reductions in the multimillion-pound fines proposed as a result of major UK privacy-breach probes, company filings show, with the final decisions now not expected until later this year.

Last July, the Information Commissioner's Office proposed fining the UK's flag-carrier airline 183 million pounds ($227 million) and the hotel group 99 million pounds ($127 million) for breaches of the EU's General Data Protection Regulation. The ICO said that poor security practices led to the exposure of customers' data.

The companies have already had nine months to argue the fines down, after the watchdog set a deadline of tomorrow to issue its final decisions and fines.

But it has now agreed with the companies to delay. BA has until May 18 and Marriott until June 1 to continue to press their case, the companies said in recent annual results filings.

In their filings, the two companies also showed a confidence in being able to bargain the fines down.

In its Feb. 28 report, BA said "it has not been proven that British Airways failed to comply with its obligations under GDPR and the UK Data Protection Act. Should any final penalty notice be issued, and having regard to the representations made by British Airways, the Directors consider that it should be for a considerably lower amount than the initial Notice of Intent."

In its own filing, Marriott said that it had specifically reduced the amount set aside for the eventual fine by the equivalent of $60 million.

"In the 2019 second quarter, we recorded an accrual in the full amount of the proposed ICO fine for this loss contingency, and in the 2019 fourth quarter, we reduced the accrual to $65 million based on the ongoing proceeding," Marriott said.

Breaches

In the BA data breach, which the ICO believes to have begun in June 2018, personal data of approximately 500,000 customers were compromised, including log-in, payment-card and travel-booking details as well as names and addresses.

In Marriott's case, personal data in around 339 million guest records worldwide were compromised, with 7 million of those related to UK residents. Marriott had lacked due diligence when it acquired Starwood Hotels in 2016, the ICO said last July; the chain's computer network had been hacked in 2014, leading to the breach.

Under the GDPR, EU privacy watchdogs can hand infringing companies penalties of up to 4 percent of their annual global revenue. The ICO's proposed fines represent just 1.5 percent of BA's global sales in 2017 and 2.5 percent of Marriott's.

Under UK privacy rules that implement the GDPR, the ICO has six months to turn its proposed decision to fine a company — a "notice of intent" — into a definitive fine. During this time, companies can provide evidence in their defense, which the ICO then needs to analyze.

The six-month period can be extended if both parties agree to it: That has already been the case once with BA and Marriott, as an original decision deadline of late last year was agreed by all parties to extend to March 31. Now each have agreed separate new extensions.

Neither update was published by the ICO, although MLex understands that the regulator is working to the deadlines mentioned by the companies.

EU process

When the ICO's decisions do come through, that won't be the end of it for the two companies.

Once the UK watchdog issues its reports, it will need to forward its decision to its counterparts elsewhere in the EU for review, meaning they can influence the final outcome of the cases.

Even though the UK left the bloc on Jan. 31, EU data-protection rules and procedures continue to apply until the end of the Brexit transition period on Dec. 31.

The review by EU regulators with an interest in the cases within four weeks of receiving the decisions is specified in the GDPR's "one-stop shop" mechanism, where the privacy regulator in the country where the company is based takes the lead on EU-wide investigations.

The Marriott and BA probes are seen as test cases for the one-stop shop procedure and cross-border GDPR enforcement.

The entire review process could take more than four months if other national regulators disagree with the ICO's decision, triggering a dispute-resolution mechanism by the European Data Protection Board, which groups together all the EU's privacy watchdogs. The EDPB would then have the final word on the case, following a vote.

Related Articles