Two high-profile GDPR fines for British Airways and Marriott International, Inc

The Information Commissioner’s Office (ICO) has released two statements this week declaring intention to fine British Airways and Marriott International, Inc £183.39m and £99m respectively for breaches of the General Data Protection Regulation (GDPR). In both cases, which affect data subjects from countries across the world, the ICO was the lead supervisory authority acting on behalf of other EU Member State data protection authorities.

These punitive measures are provided under the GDPR, and are the largest fines issued by the ICO to date. These fines both therefore break the former record, which was the £500,000 fine issued to Facebook last year for the social media giant’s role in the Cambridge Analytica scandal (which was actually the maximum fine possible under the previous, much more lenient legislation, since much of the action had taken place prior to GDPR’s implementation).

These two warning shots are fines amounting to 1.5% of the respective company’s global turnover, out of a possible 4% provided by GDPR. This leniency is availed by the companies’ willingness to cooperate with the authority and make immediate improvements where possible. However, it is expected that the companies will appeal the decision.

Failure to protect their customers’ data due to negligent digital security was at the heart of the decisions. The ICO discovered that from June to September 2018, users of BA’s website were being diverted to a fraudulent site used to harvest data. Roughly 500,000 customers had their personal information compromised in this way. Arguably on an even greater scale, the hotel giant Marriott was found to be presiding over a system exposing 339 million guest records to the internet.

Due diligence is the important aspect to these decisions, associated to the principle of ‘accountability’ defined in the GDPR. In the case of BA, poor security arrangements on the website were responsible for the cyber attackers being able to harvest personal data relating to log-in details, payment cards, travel bookings, names and addresses. Similarly, Marriott had failed to pursue due diligence when the company acquired Starwood (a hotel chain), which maintained a vulnerability in its guest reservation database dating back to 2014.

Marriott’s CEO has emphasised the fact that their subsidiary was victim to a cyberattack indeed the company itself notified data protection authorities of the breach, but as the Information Commissioner Elizabeth Denham has stated, “the GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”

These decisions set a strong precedent, and will hopefully encourage companies to take greater responsibility for the personal data they hold. Being victim to a cyberattack is not in itself an excuse: companies and organisations must demonstrate that they have attempted to take appropriate and robust security measures. The accountability principle as explained in the GDPR is very clear on this.

Harry Smithson, July 2019