In July last year the Information Commissioner's Office (ICO) confirmed, after the issuing of market notifications by the proposed recipients, that it intended to fine BA £183m and Marriott Inc. £99m for (separate) infringements of the General Data Protection Regulation (GDPR). These were "notices of intent" and not concluded fines. UK legislation gives the ICO just six months to convert a notice of intent to a fine, and those six months were, by approximate calculation, due to expire in early January. As we recently noted – the midnight hour was approaching. However, the law does allow the period to be extended if the ICO and the proposed recipient of the fine agree to an extension.
The ICO has now informed Mishcon de Reya that such an extension has indeed been agreed, saying "Under Schedule 16 of the Data Protection Act 2018, [both BA and Marriott] and the ICO have agreed to an extension of the regulatory process until 31 March 2020. As the regulatory process is ongoing we will not be commenting any further at this time.”
It is difficult to speculate just now on the reasons for the extension, but query whether settlements – similar to that agreed recently between ICO and Facebook – are being proposed.