Will Marriott and British Airways Ever Pay Those Huge Proposed Data Breach Fines? – Skift

Remember those massive headline-grabbing fines that the UK’s data protection regulator handed out to Marriott and British Airways last year?

The two proposed penalties, Marriott $130.4 million (£99.2 million) and BA $241.1 million (£183.4 million), were announced within a day of each other last July, but little has been heard about them since.

Well, it looks like we’re going to have to wait a bit longer to see how big a hit, if any, the two companies will face. The Information Commissioner’s Office (ICO) said that BA and Marriott had each separately “agreed to an extension of the regulatory process until 31 March 2020.”

It added that, as in both cases “the regulatory process is ongoing we will not be commenting any further at this time.”

So, what should we read into this delay?

Heading for a Climbdown?

The decision to push for more time — and the agreement of both companies — points to some degree of conciliation.

Before the European Union’s General Data Protection Regulation (GDPR) came into force, the maximum fine the ICO could impose was $657,000 (£500,000), a figure Facebook agreed to pay following an investigation into the misuse of personal data in political campaigns, without admitting any liability.

Although the proposed penalties for Marriott and BA were more than two orders of magnitude higher, it’s worth remembering that the headline amounts were only provisional figures. In both cases the ICO said it would “consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision.”

Might the regulator now be preparing the ground for a significant climbdown?

“Although one is generally loath to make predictions, it is sometimes interesting to speculate. With that in mind, it would perhaps not be enormously surprising to find out that the proposed fines for BA and Marriott don’t materialise, or – at least – aren’t of the size they were initially proposed to be,” wrote Jon Baines, a data protection advisor for law firm Mishcon de Reya, in a blog last November.

Interestingly, Baines suggests that the publicity around the whole procedure might have been unintentional. The ICO frequently serves notices of intent that are not made public, but because of the sums now involved under the beefed-up data protection laws, both Marriott and BA were obliged to disclose the notices via stock market announcements, pushing the action into the public realm.

The regulator is now in a position where any significant reduction in the level of the fines would make it look toothless, and would therefore make the higher fines allowed under the new regime look pretty pointless.

“It’s standard practice for the ICO to issue penalties for security foul-ups – they did it for 10 years under the old Data Protection Act, so fines at some level are no surprise,” said Tim Turner, a data protection expert and director of 2040 Training.

“However, these would be the biggest Data Protection fines anywhere in Europe, and the ICO is uncharacteristically reluctant to go ahead, despite great fanfare for action on Facebook and other big companies.”

Why Were British Airways and Marriott Fined?

Marriott and British Airways were both served with notices of intent to fine under the European Union’s stricter data protection rules, which allow much bigger penalties than the previous regime.

In BA’s case, the notice related to a data breach in 2018 in which around 500,000 customers had their personal data compromised. Attackers were able to access login, payment card and travel booking details, as well as name and address information.

Skift asked BA about the extension and the fine. A spokesperson said: “I believe the ICO statement covers all the information, so we won’t be adding anything further. Both sides agreed the extension. For your guidance, the fine was always a proposed figure, and was never intended to be finalised or imposed until after the investigation as set out in the legislation.”

Marriott’s proposed fine relates to a data breach at Starwood Hotels & Resorts, which it bought in 2016 for $13.3 billion. The company notified authorities in November 2018, but the compromise of Starwood’s IT systems went back to 2014, two years before the acquisition.

A spokesperson for Marriott said: “The regulatory process involving the Information Commissioner’s Office (ICO) in the United Kingdom in relation to the Starwood Data Security Incident is ongoing and we will not be commenting further at this time. And yes, Marriott and the ICO have agreed to an extension of the regulatory process.”

Photo Credit: A Marriott Hotels property. The company was handed a proposed fine of £99.2 million last year. Marriott International
