ICO proposes fines against British Airways and Marriott | Fieldfisher
Skip to main content
Insight

ICO proposes fines against British Airways and Marriott

Paul Lanois
14/07/2019

Locations

United Kingdom

Last week was packed in terms of new developments in the area of privacy. On Monday 8th July, the UK's data protection authority, the Information Commissioner’s Office (the ICO), announced its intention to fine British Airways in the amount of £183,390 million (equivalent to about EUR 204 million, which according to media reports, is about 1.5% of the company's worldwide turnover last year) for infringements of the EU General Data Protection Regulation (GDPR).

Last week was packed in terms of new developments in the area of privacy. On Monday 8th July, the UK's data protection authority, the Information Commissioner’s Office (the ICO), announced its intention to fine British Airways in the amount of £183,390 million (equivalent to about US$ 230 million or EUR 204 million, which according to media reports, is about 1.5% of the company's worldwide turnover last year) for infringements of the EU General Data Protection Regulation (GDPR). The proposed fine relates to a cyber incident involving user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were allegedly harvested by attackers. The ICO’s investigation found that a variety of information of approximately 500,000 customers was compromised in this incident, including log in, payment card, and travel booking details as well name and address information.

The following day, Tuesday 9th July, the ICO announced its intention to fine Marriott International in the amount of £99,200,396 (equivalent to about EUR 124 million). According to the ICO's statement, systems of Starwood hotels group were allegedly compromised in 2014, which was still undiscovered when Marriott acquired Starwood in 2016. The cyber incident was not discovered until 2018. Personal data contained in approximately 339 million guest records globally were allegedly exposed by the incident (30 million related to EU residents, of which 7 million related to UK residents). The ICO’s investigation found that "Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems". The ICO's statement follows the announcement posted on 3rd July by the Turkish regulator, the KVKK, that it is fining Marriott International  in the amount of 1.450 million Turkish lira (which is equivalent to about EUR 235,000 or £202,000) and Hong Kong airline Cathay 550,000 Turkish lira (which is equivalent to about £76,000 or EUR 88,000), in each case for failure to implement "necessary technical and administrative and measures to ensure data security" and for breaching notification obligations.

It is important to note however that in both ICO cases against British Airways and Marriott International, these are not yet fines but rather intentions to fine: each company still has the opportunity to present their arguments to the ICO and the views of other concerned data protection authorities will also be considered by the ICO before it reaches a final decision.

On the same day as the ICO's statement regarding Marriott International (9th July), the ICO published its annual report for 2018-19 covering an ‘unprecedented’ year for the regulator. Among other things, the annual report revealed that data protection complaints received by the ICO increased from 21,019 in 2017/18 to 41,661 in 2018/19.

Last but not least, The Wall Street Journal reported at the end of the week that the Federal Trade Commission is expected to hit Facebook with a record-setting $5 billion fine for its alleged privacy mishapsfollowing reports that political consulting firm Cambridge Analytica had accessed the data of 87 million Facebook users. On the European side, the Italian data protection authority (Garante per la protezione dei dati personali) had fined Facebook 1 million euros on 28th June in relation to the ‘Cambridge Analytica’ case. The Italian regular stated that in determining the amount of the fine to be imposed, it took into account the non-compliance with information and consent requirements imposed by the GDPR, the size of the database, as well as Facebook’s status and the number of its users worldwide and in Italy.