British Airways and Marriott Face Hundreds of Millions in Fines for GDPR Violations

By Richard Montes De Oca* and Priscila Bandeira**
Early this week, the United Kingdom (U.K.)’s Information Commissioner’s Office (ICO) published two statements announcing notices of its intention to fine British Airways £183.39 million (or $230 million) and Marriott International £99.2 million (or $123 million) for infringement of the General Data Protection Regulation (GDPR).
British Airways (BA):
In September 2018, BA notified the ICO of a cybersecurity incident which is believed to have begun in June 2018 and which exposed the personal data of nearly 500,000 customers to attackers. The attackers used a fraudulent site to harvest customers’ data, including login credentials, payment card details, travel booking details, and name and address information.
After being notified, the ICO conducted an investigation and concluded that BA had “poor security arrangements”, which may have exposed customers’ personal data.
The fine, which would be the largest issued under GDPR so far, amounts to around 1.5% of BA’s annual revenue for the financial year that ended December 31, 2017. It is noteworthy that GDPR permits fines of up to 4% of a company’s revenue. BA has already announced the probable penalty to the London Stock Exchange; however, the company’s top executives have expressed “surprise and disappointment” with the fine and stated that BA will appeal the notice of penalty, arguing that the company provided timely notification of the breach and cooperated with the ICO to assess the issue.
Information Commissioner Elizabeth Denham said that “people’s personal data is just that – personal. When an organization fails to protect it from loss, damage or theft, it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
Marriott International (Marriott):
In November 2018, Marriott disclosed that hackers had had access to the reservation systems of many of its hotel chains for four years, exposing the personal data of approximately 339 million guests, of whom around 30 million were residents of 31 countries in the European Economic Area (EEA), including 7 million in the U.K.