The Information Commissioner's Office ('ICO') has fined Marriott International Inc. £18.4 million, following its investigation into a data breach that occurred in 2014. 

Originally, the ICO had declared its intention to fine Marriott International Inc. more than £99 million under the GDPR for the data breach. However, much has happened since then, including a global pandemic, a looming global recession and a grinding standstill of the travel industry (something that a year ago was unimaginable).

Sound familiar?

If this sounds familiar, it is because the rationale is very similar to the one given in the BA fine (as is the amount of the fine).

Why they got fined: The ICO's investigation found that Marriott failed to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems. 

How the amount of the fine was calculated: The penalty notice outlines the considerations the ICO took into account when calculating the value of the fine. These include the absence of previous infringements or failures on the part of Marriott to comply with past notices, the fact that Marriott cooperated fully with the investigation, and the steps Marriott had taken to notify the affected data subjects.

An interesting debate 

Surprisingly, the penalty notice makes no mention of Covid-19, but it does highlight that Marriott had made a series of criticisms of the way the ICO had calculated the amount of the fine. These included:

  • Applicable tier: Marriott argued that the ICO had applied the wrong fining tier under the GDPR;
  • Calculating the amount of the fine based on turnover is not ok: Marriott criticised the ICO's reliance on turnover in calculating the proposed penalty; and
  • Lack of consistency: Marriott argued that the proposed penalty was inconsistent with previous action on 'equivalent' breaches by the ICO and other EU supervisory authorities, contrary to the stated aim of the GDPR to create a harmonised regime.

Although the ICO disagreed with and rebutted these arguments, they seem to have given it food for thought about how it calculates fines. This would explain why the BA fine was published first and why both penalty notices set out a detailed rationale.

Key takeaways

The ICO's carrot and stick approach towards compliance is clear:

  • The stick - The ICO takes its job very seriously: When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives, and the ICO will use the tools at its disposal to encourage businesses to make better decisions about data. It will not accept excuses.
  • The carrot - The ICO lives in the real world: Although it won't accept excuses or poor performance when it comes to compliance, it will consider the improvements organisations have made and their business circumstances when making a decision.
  • Cooperation and dialogue: In this situation, it is best to cooperate and take the constructive feedback on board. Proportionally, BA got the better end of the stick because it cooperated and did its best to fix and improve as much as it could.

You can read the press release here, and the penalty notice here.