On 8 and 9 July 2019, the Information Commissioner’s Office (“ICO”) announced its intention to impose two of the biggest fines for data security incidents since the General Data Protection Regulation (“GDPR”) and its UK equivalent, the Data Protection Act (2018), came into force on 25 May 2018. The penalty for breaching the GDPR is up to €20 million or 4% of annual global turnover, whichever is highest. This is far greater than the maximum penalty of £500,000 under its predecessor, the Data Protection Act (1998).
In October 2018, the ICO fined Facebook the maximum £500,000 for failing to protect users’ personal data resulting in the Cambridge Analytica scandal. The ICO considered this contravention to be serious and warned, “the fine would inevitably have been significantly higher under the GDPR.” This was the largest fine that the ICO had issued to date, which was significantly less than the two fines intended for British Airways and Marriot International.
While these are not the first fines issued under the GDPR, previous fines had been for less serious breaches, such as the ICO’s £100,000 fine against EE Limited on 24 June 2019, for failing to obtain consent before sending 2.5 million direct marketing messages.
On 8 July 2019, the ICO published that it intended to fine British Airways £183.39 million, following extensive investigations into a data security incident in June 2018.
British Airways reported the incident within the 72-hour window required under the GDPR, and according to the ICO, British Airways has since cooperated with the authorities and improved its cyber security arrangements.
The fine equated to 1.5% of British Airways’ 2017 global turnover, which, whilst unprecedented, is still below the maximum 4% the ICO has the power to impose under the GDPR.
On 9 July 2019, the ICO also published its intention to fine Marriot International £99,200,396 for a data breach reported in November 2018. The breach exposed the personal data of approximately 339 million guests, 30 million of which were EEA residents, and included data such as credit card details, passport numbers and dates of birth.
The breach resulted from a vulnerability that had been present in the IT systems of Marriott’s subsidiary, Starwood, since 2014. Marriot acquired Starwood in 2016, but did not discover the vulnerability until September 2018, which it reported in November 2018.
The ICO found that Marriot did not undertake sufficient due diligence when it acquired Starwood and did not do enough to secure its systems. However, the ICO confirmed that Marriot has cooperated with the investigation and improved its information security arrangements since.
Marriot and British Airways, as well as any concerned data protection authority, are invited to make representations before the ICO makes its final decision.
The intended fines demonstrate that EU data protection authorities are willing to impose heavy monetary penalties on corporations, for GDPR breaches. They are intended as a reminder to companies to ensure that their information systems and processes are secure and that they adequately protect the fundamental right to privacy when handling personal data with which they are entrusted.
 General Data Protection Regulation (2018), Article 83;
Data Protection Act (2018), s157
 Data Protection Act (1998), s55C (1);
Information Commissioner’s Office, (2015), ‘Information Commissioner’s guidance about the issue of monetary penalties prepared and issued under section 55C (1) of the Data Protection Act 1998’, Accessed at https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/422792/ico-guidance-money-penalties-2015.pdf