Multimillion-pound fines issued to British Airways and Marriott International by the UK’s Information Commissioner’s Office (ICO) under the European Union (EU) General Data Protection Regulation (GDPR) have again been deferred pending the completion of further investigations.
The fines of £183m and £99m, respectively, were imposed in the summer of 2019 following data breach incidents that unfolded at BA and Marriott during 2018 and, if successfully levied, will be by far the largest fines issued under GDPR laws to date.
In a brief statement, an ICO spokesperson confirmed that “the regulatory process is ongoing in both BA and Marriott”, but offered no further information.
Under the rules, the ICO normally has six months from giving notice of its intent to fine an organization in which to issue a penalty notice levying the fine. BA and Marriott each received an initial extension in January 2020, and those extensions were due to expire at the end of March.
In its annual report, BA parent IAG said the six-month period had now been extended to 18 May 2020, while according to Politico, which was first to report the story, Marriott’s deferral will be to 1 June 2020.
Although there is no indication from any party involved that the pandemic is a factor in the latest extensions, Chad McDonald, vice-president of customer experience at Arxan Technologies, said the decision to defer the fines further made sense in the current circumstances.
“BA and Marriott happen to be in two of the hardest-hit industries,” he said. “I think it’s a reasonable expectation that the ICO will delay penalties until either industry begins to bounce back.
“The alternative is that the hundreds of millions in penalty payments could drive additional layoffs at BA and Marriott. At a time like this, I don’t think that benefits anyone. While travel has largely stopped globally, both organizations still hold consumers’ personal data and require resources to help protect it.”