The U.K. regulator, the Information Commissioner’s Office, has issued hefty fines in two cases:
- Marriott: the equivalent of CHF 122 million against Marriott International as a result of a data leak that exposed personal data of around 339 million guests (including around 30 million in the EU). The leak stemmed from the Starwood Group, which Marriott acquired in 2016. It was only discovered in 2018, and – according to the ICO’s investigation – because Marriott had neglected due diligence when it bought the group (Media release of the ICO);
- British Airways: this case also stems from a data leak in June 2018, which was caused by inadequate security measures on the part of British Airways and in which personal data (including payment card data) of around 500,000 people fell into criminal hands via a fake site.
In both cases it is not yet a fine but a so-called “notice of intention to fine”. The companies concerned have the opportunity to comment on the facts established and the impending fine.
The ICO’s actions clearly show, against the background of the (not yet final) CNIL fine against Google and corresponding statements from regulators, that authorities across Europe have moved from a more advisory to a more punitive stance.