In July last year we woke up to the news that the UK's data protection regulator (the "ICO") was going to hand out its first fine under the GDPR (at the record-setting amount of £183.39m) to British Airways. The very next day, the hotel group Marriott was notified of the ICO's intention to issue it with a £99m fine. The ICO well and truly decided to flex its muscles for the first time since the GDPR came into force. Arguably these significant penalties were a much-needed wake-up call to the organisations which assumed the ICO adopted a more relaxed approach to enforcement than other EU regulators.
But that was 7 months ago. What has happened since?
At the time, the ICO issued both companies with a "notice of its intention to fine", meaning that the amount of the fine was not a final determination. Both BA and Marriott had 28 days to appeal against the ICO's initial findings by making written representations about the findings of the investigation and the amount of the proposed fine. The ICO then had a strict six-month window from the date of the notices to liaise with the companies and other EU data protection regulators before ultimately issuing its final monetary penalty notices. That six-month period has now expired. Interestingly, both BA and Marriott have agreed to an extension with the ICO until 31 March 2020.
So what will be the likely outcome?
Looking at the first fine under the GDPR that the ICO did actually issue last month, it is clear that representations made to the ICO, amongst other factors, may have an impact on the amount of the final fine imposed. In June 2019, the ICO issued the pharmaceutical company Doorstep Dispensaree ("DD") with a notice of its intention to fine the company £400,000. In September 2019, DD provided written representations in respect of this notice. In December 2019, the ICO decided to impose its final penalty of £275,000, a significantly lower amount than specified in the original notice. The ICO took into account the improvements DD had made to its data protection practices, as well as the financial health of the company, when considering the level of fine to impose.
Clearly, both BA and Marriott, armed with their extensive legal resources, will have the opportunity to make representations which could potentially reduce the amount of the final fine imposed. Considering that these fines are in the millions, have made media headlines and are likely to set a precedent for future GDPR fines, it is not surprising that the ICO has needed more time to consider the final outcome. Critics may argue that BA and Marriott will escape the hefty fines, or at least the level of fine specified in the original notices. However, it is clear that the ICO will want to use these large organisations as an example to other non-compliant companies, and so it is unlikely to reverse its decision of last July completely. Pre-GDPR, the ICO announced that "hefty fines will be reserved for those organisations that persistently, deliberately or negligently flout the law". On 31 March we may see this statement come to fruition when the ICO announces its final decision on the BA and Marriott fines.
Those who predicted that British Airways and Marriott International might never have to pay the record fines – totalling £282m – for breaches of GDPR will be raising a wry smile following confirmation of an 11th-hour agreement to extend the “regulatory process” for another three months.