Record-setting proposed penalties announced by the U.K. Information Commissioner’s Office (ICO) last year against British Airways and hotel chain Marriott for violations of the European Union’s General Data Protection Regulation may continue to linger amid the ongoing coronavirus pandemic.
The ICO press office confirmed Monday that “the regulatory process is ongoing” for both cases, adding that most enforcement efforts have been put on hold in light of the pandemic. The two GDPR fines, initially announced in July 2019, were each delayed for the first time earlier this year, and British Airways and Marriott have confirmed second extensions granted in their latest, respective annual reports.
In recently issued guidance, the ICO said, in part, that it “may give organizations longer than usual to rectify any breaches that predate the [coronavirus] crisis, where the crisis impacts the organization’s ability to take steps to put things right. All formal regulatory action in connection with outstanding information request backlogs will be suspended.”
Moreover, fines may ultimately be reduced. “As set out in the Regulatory Action Policy, before issuing fines we take into account the economic impact and affordability,” the ICO stated. “In current circumstances, this is likely to mean the level of fines reduces.”
In September 2018, British Airways notified the ICO of a cyber-incident that, in part, involved user traffic to the British Airways website being diverted to a fraudulent site, allowing hackers to compromise and harvest the personal data of approximately 500,000 customers. The breach is believed to have begun in June 2018, a month after the GDPR took effect in the European Union.
The ICO said its initial investigation into British Airways “found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details, as well as name and address information.” As a result, the ICO announced its intention to fine British Airways a record £183.4 million (U.S. $230 million).
A second notice of intent, also issued by the ICO in July 2019, stemmed from a data security incident announced by Marriott in November 2018 involving unauthorized access to the Starwood guest reservations database, which is no longer used for business operations. For that incident, the ICO proposed a fine of £99 million (U.S. $124 million) against the company.
In both cases, the ICO initially had six months from issuing the notices of intent within which it could issue a penalty notice, which would have been by January. Since that time, both companies have announced in their annual reports that extensions have been agreed upon.
“We mutually agreed with the ICO to an extension of the regulatory process until June 1, 2020,” Marriott said in its annual report for the fiscal year ended Dec. 31, 2019.
International Airlines Group, the parent company of British Airways, announced an extension as well. “British Airways made extensive representations to the ICO regarding the proposed fine and has complied with various further information requests,” the company said in its annual report. “As part of its procedures, the ICO will seek the views of other EU data protection authorities.”
As a result, an extension has been made “through to May 18, 2020, to allow the ICO to fully consider the representations and information provided by British Airways.” The company added that, if a penalty notice is issued, “it is British Airways’ intention to vigorously defend itself in this matter, including using all available appeal routes should they be required.”