[BreachExchange] UK data watchdog kicks £280m British Airways and Marriott GDPR fines into legal long grass

[Destry Winant]

https://www.theregister.co.uk/2020/01/13/ico_british_airways_marriott_fines_delayed/

The UK Information Commissioner's Office has kicked £280m in data
breach fines against British Airways and US hotel chain Marriott into
the long grass.

As spotted by City law firm Mishcon de Reya, the ICO has extended the
time before it will fine the two companies what it claimed would be a
total of £282m, split between BA's £183m and Marriott's £99m.

In a statement the UK's data protection regulator said: "Under
Schedule 16 of the Data Protection Act 2018, BA [and Marriott] and the
ICO have agreed to an extension of the regulatory process until 31
March 2020. As the regulatory process is ongoing we will not be
commenting any further at this time."

'World's favorite airline' favorite among hackers: British Airways
site, app hacked for two weeks

READ MORE

When the ICO announces a "notice of intent" to fine companies, this is
not the same thing as actually handing out the penalty. Companies (and
individuals) targeted for fines like this can then, in the jargon,
"make representations" about the size of the punishment.

The ICO threatened British Airways with the jumbo-sized fine after the
airline suffered the breach of 380,000 people's personal and financial
details between August and September 2018.

As for Marriott, the ICO bared its fangs at the American hotel chain
after 383 million customer booking records went AWOL in 2018.

Mishcon's data protection adviser, Jon Baines, told The Register that
he suspected both companies had deployed similar legal arguments to
Facebook when it fought back against a Cambridge Analytica-linked
fine.

He said: "It's important to note that the extension could only be by
agreement with BA and Marriott (they could have just said 'no'). One
does wonder in what way an extension was seen by them, therefore, to
be a favourable outcome, and, on the information available, I'm
struggling to see any way in which they would have agreed to an
extension without some quid pro quo."

While it is possible, in Baines' view, that "that the delay is solely
because it's jolly difficult to deal with all the necessary
administrative requirements within a six-month window," he pointed The
Register to a blog post discussing exactly what legal arguments
Facebook deployed to get an ICO fine watered down.

He opined: "It's worth remembering the ICO is a relatively small
regulator (although large compared to its European counterparts) with
a limited legal budget."

According to the ICO's published management accounts (PDF), its legal
budget is a smidgen over £2m per year.

"Assuming," continued Baines, "that BA and Marriott decided they
should not simply accept the intended fines, they will have no doubt
put whatever they think is an appropriate legal budget towards making
representations – when threatened with a fine in the tens of millions
of pounds, such a budget might well dwarf the ICO’s.”

British Airways declined to comment. Marriott had not responded to our
request for comment by the time of publication.

There is nothing obliging the ICO to publish the final outcome of its
negotiations with BA and Marriott, though The Register will be asking
again nearer the due date. ®