When British Airways and Marriott International received massively discounted General Data Protection Regulation (GDPR) fines from the U.K.’s data regulator, critics said the decisions sent the “wrong message” to companies that penalties levied under the privacy law could be challenged effectively.
