ICO bares its teeth with plans to issue over £280m in fines

Those in the travel sector would be forgiven for feeling rather nervous after the UK’s Information Commissioner’s Office (ICO) announced plans to issue major fines to British Airways and Marriott International following separate data breach incidents in 2018.

On 8 June 2019, the ICO issued a statement of its intention to fine British Airways £183.39m following a major cyber incident affecting the airline’s website and mobile app between August and September 2018. If confirmed, the fine would be the biggest so far issued under the GDPR, dwarfing the €50m fine imposed by the French data protection authority, the CNIL, on Google in January 2019. The following day, the ICO announced further plans to fine Marriott International £99.2m following a data breach affecting Marriott subsidiary Starwood’s guest reservation database.

Although the ICO does not usually publicise notices of intent, its policy on ‘Communicating our Regulatory and Enforcement Activity’ states that it may do so for reasons including financial market reporting obligations and it being necessary for the purposes of international regulatory cooperation. The ICO statements each came in response to filings made by the companies. International Airlines Group (IAG) made an announcement to the London Stock Exchange early on 8 July stating that it had been informed by the ICO of its intention to issue a penalty notice for £183.39m, which the company stated represents 1.5 per cent of British Airways’ worldwide turnover for the financial year ended 31 December 2017. This was followed by Marriott International’s filing with the US Securities and Exchange Commission that outlined the ICO’s £99.2m proposed fine, which we calculate to correspond to around 0.5 per cent of Marriott International, Inc.’s worldwide turnover for 2017.

Statement of intent

The planned fines can be viewed as a signal of intent from the ICO to impose heavy penalties where it believes a personal data breach resulted from non-compliant security measures. The ICO acknowledges in both notices that the companies had cooperated with the ICO’s investigations. It further acknowledged that British Airways had made improvements to its information security arrangements since the incident came to light, while it also noted that the Marriott breach related to a 2014 incident affecting Starwood Hotels Group before it was acquired by Marriott in 2016 (which highlights the importance of effective data privacy due diligence in M&A transactions). These factors may have helped to reduce the planned fines, neither of which reaches the two per cent ceiling for security breach fines (albeit it is unclear whether the level of the proposed fines has been calculated by reference to the two per cent threshold or whether they have been assessed against the four per cent threshold on the basis of breach of other data protection principles).

The investigations are the first landmark cases utilising the one stop shop regulatory mechanism, where a lead supervisory authority directs and coordinates an investigation where multiple data protection authorities have an interest in the action. It appears that in both cases, the one stop shop process remains ongoing, with the ICO stating that other data protection authorities whose residents have been affected will have the chance to comment on the ICO’s findings.

Next Steps

Both British Airways and Marriott International have the opportunity to make representations to the ICO as to the proposed findings and sanctions. The announcements of both companies confirm that each plans to do so, as well as contesting the proposed sanctions more generally. Aside from the regulatory action, British Airways and Marriott may face claims from affected individuals, to whom the GDPR gives rights to pursue judicial remedies. Such claims may take the form of collective actions, and may further increase the legal and regulatory costs of the incidents.