French hotel chain Accor had its initial fine for cross-border data privacy violations increased sixfold after one data regulator involved in the decision-making process complained an original penalty of 100,000 euros (U.S. $99,900) was too low.
The company, which owns hotel chains Novotel, Ibis, and Mercure, now faces a fine of €600,000 (U.S. $599,000) after the European Data Protection Board (EDPB), the European Union’s overarching regulator for infringements of the General Data Protection Regulation (GDPR), was forced to intervene following a lack of agreement between France’s CNIL and the Polish data protection authority (DPA).
The ruling, published Aug. 17, marks the second time the EDPB has substantially increased a fine in a cross-border case. In December 2020, the regulator played a part in raising the Irish Data Protection Commission’s original suggested GDPR fine against Twitter from between €135,000 and €275,000 to €450,000 (then-U.S. $547,000).
Between December 2018 and September 2019, the CNIL received complaints regarding the way Accor used customer data for marketing purposes. Another complaint related to the company’s retention of customer bank data used to make room reservations.
As Accor’s lead data supervisor, the CNIL agreed to investigate in response to complaints raised by five other EU data regulators: Spain, Ireland, Poland, and the German federal states of Saarland and Lower Saxony.
During its investigation, the CNIL found that individuals making a reservation directly with Accor, or with one of the brands within its group, were automatically added to the recipient list for its commercial newsletter and loyalty program through a pre-ticked consent box, and were then unable to opt out because of a “malfunction” in the unsubscribe option. Further, customers were sent adverts and promotional offers from partner companies without their consent.
The CNIL sent its draft decision to the EDPB and the five other DPAs in December 2019, following the company’s assurances it had already taken steps to comply with the CNIL’s recommendations.
The other data regulators complained about the leniency of the suggested €100,000 fine, pointing to the number of breaches and complaints, the size of the company, and its revenues.
Accor has more than 3,000 hotels in the EU alone; the group reported revenue of approximately €1.73 billion (U.S. $1.728 billion) in the first half of 2022.
Even following the EDPB’s binding decision, the Polish DPA maintains the fine is too low. The disagreement is likely to fuel ongoing concerns GDPR enforcement remains fractured across the European Union, as well as raise fresh questions about what the EDPB’s role could—and should—be in resolving disputes among DPAs and finalizing cross-border decisions.
In an emailed statement, Accor said it “regrets that the cooperation mechanism between data protection authorities in Europe has led to the group being sanctioned more severely than the CNIL intended.” Accor pointed out it cooperated with the CNIL’s three-year investigation.
The company added, “The objections raised by the Polish data protection authority do not seem justified or detailed,” and said it will “examine the legal remedies at its disposal.”