In July 2019, the Information Commissioner’s Office (ICO) announced notices of intent to serve monetary penalty notices on British Airways and Marriott International for infringements of their obligations under the General Data Protection Regulation (GDPR). The intended sums (£183m and £99m respectively) were of a magnitude never previously seen. Indeed, they were of such magnitude that the companies (both listed) had had to make announcements to their respective markets in the UK and in the US, and it appears to have been these market notifications that effectively obliged the ICO to confirm the position.
At the time and indeed since, many people have treated these notices of intent as final determinations. They are not. The law (paragraph 2 of Schedule 2 to the Data Protection Act 2018 (DPA)) obliges the ICO, before serving a monetary penalty notice (more commonly referred to as a “fine”, by reference to GDPR’s use of the term “administrative fine”), to serve a notice of intent. The notice of intent must inform the recipient that it may make written representations. It is very much the first step in a process which may result in a monetary penalty. Figures disclosed to us under freedom of information law show that the ICO regularly serves notices of intent which actually culminate in a decision to issue no fine whatsoever (this happened 19 times in the five years to 2018), and even more regularly serves notices of intent which culminate in a figure lower than that originally proposed (57 times in the same five-year period). In fact, in approximately a third of cases where a notice of intent was served, the final outcome was no fine or a lower fine than that originally proposed. It is very clear that the opportunity for the recipient of a notice of intent to make representations is one which can produce favourable results. And one should bear in mind that those figures relate to fines in the pre-GDPR period, when the maximum fine was £500,000. In cases where fines might be measured in millions – even hundreds or thousands of millions – of pounds, that representations period is of extraordinary importance and significance: one has no doubt whatsoever that BA and Marriott will have had lawyers working extensively and aggressively on challenging the notices of intent.
Four months on from the notices of intent in question, there has been no further news from the ICO (nor from BA and Marriott). And here is the very interesting thing – the law gives the ICO a strict six-month period from serving a notice of intent to serving the monetary penalty itself. Six months might seem a long time, but when ranks of expensive lawyers are serried against you, it probably seems to pass quite quickly. In those circumstances it is perhaps a short time to make sure one has absolutely got one’s facts right, and to ensure that, as a regulator, one is following public law principles of fairness and transparency in investigating and punishing infringements. It is worth noting the robustness with which Facebook challenged (by way of statutory appeal) its pre-GDPR fine of a “mere” £500,000, with the result that it recently reached a remarkable settlement with the ICO under which it paid the sum in question, but has made no admission of liability in relation to the fine.
If the clock ticks past six months, then no fine can – as a matter of law – be served (unless both the ICO and recipient agree to an extension).
Although one is generally loath to make predictions, it is sometimes interesting to speculate. With that in mind, it would perhaps not be enormously surprising to find out that the proposed fines for BA and Marriott don't materialise, or – at least – aren't of the size they were initially proposed to be.