Marriott and BA's Reduced Privacy Fines: GDPR Realpolitik
In July 2019, the ICO issued notices of intent to fine BA £184 million ($238 million) and Marriott £99.2 million ($128.2 million). While steep, these proposed fines were nowhere near the maximum possible. With $20.8 billion in 2018 revenue, for example, Marriott faced a maximum possible fine of nearly $840 million. The final fines announced by the ICO are still record-setting for the U.K. But they are also much lower than what was initially proposed - down to £20 million ($26 million) for BA and £18.4 million ($23.8 million) for Marriott.
"The fine reductions have been significant; however, it is important to remember that these were only 'notices of intent' initially and that both were made public by the companies concerned, and not by the ICO." Both businesses responded in detail to the ICO as its investigation continued, and the regulator says each one not only assisted, but has since substantially overhauled its security programs and practices. For BA, the ICO said that the dire economic conditions facing the airline industry had been a major factor in its reducing the fine. For Marriott, the ICO says that the lower final fine reflects more its evolving Regulatory Action Policy, currently under review, which states that "before issuing fines we take into account economic impact and affordability."
The biggest GDPR fine to date has been against Google, which France's privacy regulator CNIL last year hit with a penalty of €50 million ($59 million) for failing to clearly and transparently inform users about how it handles their personal data, and for failing to properly obtain their consent for personalized ads. The second largest GDPR fine came to pass last month, when privacy regulators in Germany slammed clothing retailer H&M with a €35.2 million ($41.2 million) fine for improper workplace surveillance practices.
Final GDPR fines, however, don't necessarily spell the end of potential legal peril for breached organizations. "Quite aside from the precise levels of fine, the notices themselves also serve up a number of key findings of fact, which could form the basis of future civil liability for both organizations and data subjects in the coming weeks and months," privacy attorneys at London-based Mishcon de Reya say in a recent blog post.