EU Record-breaking Fines for Privacy Violations
- Noa Geva, CIPP/E, Adv.
- Jul 15, 2019
- 2 min read

EU: British Airways and Marriott
The UK Information Commissioner’s Office (ICO) has for the first time used new powers to punish companies that break laws protecting consumers’ data. British Airways and the Marriott hotel chain were the first firms targeted by the ICO, which handed them fines totalling almost £300m.
On Monday, following an extensive investigation, the ICO issued a notice of its intention to fine British Airways a whopping 183.39 million GBP for infringements of the GDPR. The incident in question involved the scraping or harvesting of more than 500,000 customer records, including financial records, over a period of months without detection (read our earlier post on the British Airways data breach). Acting as the lead supervisory authority, the ICO has led the investigation on behalf of the other EU member state data protection authorities. Under the GDPR "one-stop shop" provisions, fellow EU regulators will have the opportunity to comment on the ICO’s findings. The fine, if enforced in its totality, would represent about 1.5% of BA’s global turnover.
The next day, the ICO made another significant GDPR enforcement announcement, this time against Marriott International, with a notice of intention to fine Marriott 99.20 million GBP. This case relates to a cyberattack in November 2018, in which a variety of personal data contained in approximately 339 million guest records was exposed; around 30 million of those records related to residents of 31 countries in the European Economic Area, and 7 million related to U.K. residents.
The data compromise is believed to have begun in 2014 with vulnerabilities in the systems of the Starwood hotels group, which Marriott subsequently acquired. The breach was only uncovered in 2018.
This case highlights the implications for mergers and acquisitions activity: ICO Commissioner Elizabeth Denham remarked, “the GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
The ICO is using its first investigations under GDPR to make an example of British Airways and Marriott, providing a cautionary tale for others. Companies are allowed to appeal against the scale of the fines and have 28 days to make representations – and the ICO could reduce the final amount.
This update is presented as a summary only and should not be regarded as advice regarding any specific situation. For specific advice please contact our office.