The legal news service MLex reported yesterday that Information Commissioner Elizabeth Denham had announced, at a conference, that the intended huge fines for British Airways and Marriott Inc. for infringements of the General Data Protection Regulation (GDPR) had been pushed back again to August.
This is remarkable for a number of reasons.
Firstly, and primarily, this is because the law envisages that it will take a maximum of six months for the Information Commissioner’s Office (ICO) to issue an actual fine under GDPR, after serving a notice of intent, yet August will be more than 12 months since BA and Marriott received notices of intent to be fined £183m and £99m respectively. We have previously observed that the initial six-month period can only be extended (and only in exceptional circumstances) with the consent of the intended recipient.
Secondly, only one fine has as yet been issued by the ICO under GDPR in the two years it has been in place. This is in notable contrast to some of the ICO’s peer supervisory authorities (Germany and Spain have issued more than 20, for instance, while France and Italy have each issued around ten).
Thirdly, MLex says that Ms Denham's remarks were made in the context of an online event run from Washington DC. It is unusual for an announcement of this kind to be made at a conference, let alone one taking place outside Europe. One would expect news of this significance to be announced openly and transparently, in line with the ICO’s statutory duty under GDPR to promote public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data, and its own communications policy, which says that it aims to be an “effective, open and transparent regulator”.
Recently we observed that COVID-19, and particularly its impact on the global travel economy, would have to be a factor taken into account by the ICO when arriving at its final decision about the size of fines. One notes, in support of this, that MLex reports Ms Denham as saying that “When it comes to an airline and...a hotel chain that are both significantly hit with the results of the pandemic, there will have to be a reexamination of the financial case of each of those companies”.
Regulatory forbearance is understandable during this time of pandemic, and will be welcomed by many companies struggling with its economic impact. But, equally, it is important for all organisations who must comply with GDPR to understand how the ICO will assess the sanctions for infringements. At the time the intended fines were announced, questions were asked about whether the proposed sums were sustainable, and until there is some finality to these investigations, uncertainty will prevail.
It seems clear that any fines which eventually emerge from this protracted process are likely to be considerably lower than the ICO initially envisaged.