GDPR shows its teeth - Marriott, British Airways both to be fined heavily

July 11th, 2019 by Stephen Jones

The U.K. data protection authority, the Information Commissioner's Office (ICO), said it intends to fine hotel giant Marriott £99 million ($123 million) under the EU GDPR for a data breach that exposed personal details held in approximately 339 million guest records. The incident stems from a compromise, dating back to 2014, of the guest reservation database of hotel company Starwood, which Marriott acquired in 2016. The intrusion was not discovered until 2018, and Marriott disclosed it in November 2018, meaning the attackers had access to the systems for roughly four years, including the two years after the acquisition.

Information Commissioner Elizabeth Denham said companies collecting personal data have a legal duty to protect it, and that the ICO will not hesitate to take strong action if that doesn’t happen. “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”

The Marriott notice came a day after UK airline British Airways was told it faces an even larger penalty of £183 million ($229 million). The BA fine is the biggest ever proposed by the ICO, and the first under the EU General Data Protection Regulation (GDPR). The regulation, which came into force in May 2018, allows the ICO to impose a fine of up to 4 percent of a company’s total worldwide annual turnover in the preceding financial year (or €20 million, whichever is higher). This is a dramatic increase on the maximum fine of £500,000 it could levy under the UK's previous data protection law, the Data Protection Act 1998.

The BA penalty was reported as roughly 1.5% of the airline's worldwide turnover for 2017, so both proposed fines sit well below the 4% ceiling, and the ICO said both companies cooperated fully with their respective investigations.

Meanwhile, Facebook, Google and Apple remain under investigation by the Irish Data Protection Commission, which acts as their lead GDPR supervisory authority because their European operations are headquartered in Ireland. Under the 4% cap, Google could face a fine of up to about $5 billion, and Facebook up to about $2.2 billion, based on each company’s annual revenue in 2018.

Earlier this year, the ICO signalled that it is examining Google's advertising platform over the leakage of personal data through real-time bidding. Google has already faced scrutiny and fines under the GDPR from France’s regulator, the CNIL, which levied a €50 million (about $57 million) penalty in January 2019 for a lack of transparency and the absence of valid consent for personalised advertising, among other issues.

Facebook received a comparatively modest penalty of £500,000 (about $644,000) for the Cambridge Analytica scandal, in which users weren’t given proper notice that a survey app was harvesting their data for political research and advertising; that was the maximum available under the pre-GDPR Data Protection Act 1998. It is currently under investigation by the Irish DPC over the storage of large numbers of Facebook and Instagram user passwords in plain text on its internal systems, an incident that could prove far more costly under the GDPR.

The ICO questioned how well Marriott had vetted and protected the data it inherited when it acquired Starwood in a $13.6 billion deal that closed in 2016. The notices used punitive language uncommon in the privacy enforcement arena, particularly in the U.S., where companies are traditionally treated as victims of cybercrime first, rather than as parties responsible for data loss. In a statement filed with the U.S. Securities and Exchange Commission, Marriott CEO Arne Sorenson said: “We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.”
