Jan 92020

ICO Delays British Airways and Marriott GDPR Fines

William RM Long, Vishnu Shankar and Eleanor Dodding
, , , , , ,

Further to the publication of the ICO’s notices of intention to fine British Airways and Marriott in July 2019, the ICO has recently issued a statement delaying the issuance of both GDPR fines which had originally been expected by the end of 2019. (The ICO’s initial notices of intention to fine had stated that British Airways would face a fine of £183m ($228m) and Marriott, a fine of £99m ($123m). We reported on these here: British Airways and Marriott.)

It is understood that the delay was agreed between both parties and the ICO respectively in accordance with Schedule 16 of the UK Data Protection Act 2018, which provides that the ICO must give a penalty notice to a person in reliance on a notice of intent within 6 months of that notice of intent, unless that period is extended by agreement between the ICO and that person.

With the original notices of intent due to expire this week, the ICO will now have until March 31, 2020 to finalize the penalties imposed on both British Airways and Marriott, which were the result of two high-profile data breaches and subsequent ICO investigations.

William RM Long

London

wlong@sidley.com

Vishnu Shankar

vshankar@sidley.com

Eleanor Dodding

London

edodding@sidley.com

You might also like
FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

Substantial changes to Hong Kong’s privacy laws coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.

New FTC Guidance for Mobile Health Apps

Healthcare providers, health plans, and technology companies that use mobile health apps to access, collect, share, use, or maintain information related to an individual’s health should take note of the recently issued Federal Trade Commission (FTC) Mobile Health App Interactive Tool. The purpose of the tool is to help mobile health developers determine the federal regulatory, privacy, and security laws and regulations that may apply to the use of a consumer’s health information, such as information related to diagnosis, treatment, fitness, wellness, or addiction. While the tool should not be considered legal advice and cannot guarantee compliance with legal requirements, it can help healthcare providers, health plans, and technology companies issue-spot to manage risk in this heavily regulated space.