ICO Mega Fines: Why The Delay With BA?
I have received numerous emails from clients and contacts asking if there was any news on the mega-fines issued by the ICO last year. The ICO was due to finalise its decision by the end of March 2020, but that deadline has come and gone and, as obvious as it sounds, COVID-19 has arrived. Now the deadlines have moved back to May and June 2020.
In July 2019 the ICO issued two notices of intent to fine, as follows:
- £183m to British Airways as a result of a serious cyber incident that resulted in the loss of approximately 500,000 customer details over a period of 3 months. Personal data included card payment terms and travel details. The ICO’s initial investigation found poor security practices in place at the airline.
- £99m to Marriott hotels due to a serious cyber incident which occurred in a company acquired by Marriott (called Starwood hotels). The breach started in 2014; Marriott acquired Starwood in 2016; the breaches were not discovered until 2018. The number of affected data subjects is huge[1], but for our purposes 7 million of the affected data subjects were UK nationals.
What happened next
The notices of intent from the ICO received a lot of press attention and were strenuously defended by both British Airways and Marriott. The ICO should have concluded proceedings and issued final monetary penalty notices at the end of January 2020 but instead it granted extensions to the end of March 2020.
That deadline has passed, but it would appear the ICO is no closer to concluding matters and has said that the regulatory process is still ongoing. It now appears that British Airways has agreed an extension to 18 May 2020 and Marriott has agreed an extension with the ICO to 1 June 2020[2].
It seems incredibly likely that the COVID-19 crisis has had an impact on both businesses’ ability to deal with this regulatory issue. Both have reported significant downturns in revenue, but will that have a bearing on the ICO’s final decision? On 15 April 2020 the ICO said, in a statement, that it would regulate “for the times we are in now”, acknowledging that many businesses are finding it hard with reduced turnover and resources.
What is likely to happen?
It's extremely hard to predict what happens next. Many commentators believe the ICO reacted too severely and that the fines will be reduced or possibly even fail to appear. There are alternative academic opinions and privacy campaigners who expect to see big corporations punished and are pushing hard for the fines to stick.
It seems likely that whatever the fines end up being, they will be appealed. And let’s not overlook that both are also subject to class-style actions in the UK arising from the breaches. In these uncertain times, only one thing is certain: we are going to be left waiting a while longer before the ICO delivers the next instalment.
If you would like to discuss any of the issues raised in this article, or need any advice, please contact Matthew Holman.
[1] Total affected data subjects was 339 million guest records, of which 30 million related to EEA countries.
[2] Politico, 31 March 2020