Might COVID-19 fundamentally affect the likelihood of BA and Marriott receiving huge GDPR fines?
In July 2019 the Information Commissioner’s Office (ICO) served notices of intent to fine British Airways and Marriott International Inc £183m and £99m respectively for serious infringements of the General Data Protection Regulation (GDPR). Normally, the ICO should have finalised the issuing of the fines within six months, but, as observed recently, that period was extended in both cases, by mutual agreement with the ICO, until 31 March 2020. The extension indicated that there were complicating factors at play already, but a further complication is now introduced by the global economic impact of COVID-19.
In the last month the share prices of both companies have fallen significantly, and many of their competitors are reeling from the effects of travel restrictions and cancellations. Arguably, the last thing either company – or indeed any company in the travel sector – needs is to be faced with a regulatory fine representing a significant chunk of annual turnover.
GDPR requires that fines should be, among other things, “proportionate”, and that the ICO must give “due regard” to various factors, such as the nature, gravity and duration of the infringement as well as the number of data subjects affected and the level of damage (see Article 83). What it does not say, expressly, is that the ICO should take into account the ability of the controller to pay the fine, nor the potential impact of a fine on the controller. However, GDPR does require the ICO to take into account “any mitigating factors”, and the ICO’s own guidance says that one such potential factor is “the ability to pay (financial hardship)”.
Additionally, as a public authority, the ICO has a general public law duty to take into account relevant factors when arriving at decisions. It is strongly arguable that if it failed to take into account the current effect, and the likely future effect, of COVID-19 on BA’s and Marriott’s finances, then any decision to issue a fine would be vulnerable to appeal or a successful application for judicial review.
When the ICO announced its intent to serve these fines last year, some commentators questioned whether they would ever be served in the amount proposed, given the huge sums involved and the likelihood that the controllers would make strong representations against them. No one could have predicted, however, that a public health pandemic would come to be a major factor in deciding the issue.