UK’s ICO has until March 2020 for BA and Marriott penalty notices

(United Kingdom) The Information Commissioner's Office has agreed a delay with BA and Marriott on the issue of penalty notices, which would follow the notices of intention given to these companies in 2019 for large data breaches. Sidley Austin LLP reports as follows:

Further to the publication of the ICO’s notices of intention to fine British Airways and Marriott in July 2019, the ICO has recently issued a statement delaying the issuance of both GDPR fines which had originally been expected by the end of 2019. (The ICO’s initial notices of intention to fine had stated that British Airways would face a fine of £183m ($228m) and Marriott, a fine of £99m ($123m). [Sidley’s Data Matters Blog reported on these] here: British Airways and Marriott.)

It is understood that the delay was agreed between both parties and the ICO respectively in accordance with Schedule 16 of the UK Data Protection Act 2018, which provides that the ICO must give a penalty notice to a person in reliance on a notice of intent within 6 months of that notice of intent, unless that period is extended by agreement between the ICO and that person.

With the original notices of intent due to expire this week, the ICO will now have until March 31, 2020 to finalize the penalties imposed on both British Airways and Marriott, which were the result of two high-profile data breaches and subsequent ICO investigations.

(Privacy press clipping sourced via Sidley Austin LLP)
Jurisdiction: United Kingdom

Key takeaways:


  • The ICO has delayed issuing penalty notices against British Airways and Marriott for its large 2019 GDPR fines. This is because its original “notices of intention” aren’t fines in and of themselves, but simply the start of the regulatory process of issuing a fine. The ICO needs to inform a person beforehand that it is going to impose a fine, and this occurs via a “notice of intent”. The rules then require that the actual fine is imposed within 6 months of this notice of intent, as Sidley has pointed out in its blog. The Data Protection Act 2018 states that the “Commissioner may not give a penalty notice to a person in reliance on a notice of intent after the end of the period of 6 months beginning when the notice of intent is given”. If additional time is needed, the period can be extended with the agreement of the respondent companies involved – in this case British Airways and Marriott. Skift has reported separately that both British Airways and Marriott have agreed to an extension of this period, citing statements from the ICO, BA and Marriott. The extension of time will be until 31 March 2020 (by Sidley’s calculation).

  • Speculating somewhat, Skift has asked whether the ICO is heading for a “significant climbdown” on the amount of these GDPR fines. This scenario would no doubt be uncomfortable for the regulator, and would fuel sentiment in some quarters that GDPR enforcement is in practice toothless against big corporates.

  • Even when these GDPR fines are finally issued against British Airways and Marriott, they will be subject to appeal as penalty notices under the Data Protection Act 2018. What is probably occurring now is a degree of negotiation between British Airways and Marriott, on the one hand, and the ICO, on the other, over the amount of the penalty notices, such that an appeal would be unnecessary. The ICO obviously has an interest in getting its first GDPR fines to stick without lengthy appeals. Knowing this, the respondent companies may be searching for a happy middle ground on the sum of their penalties.
