ICO Delays British Airways and Marriott GDPR Fines

Further to the publication of the ICO’s notices of intention to fine British Airways and Marriott in July 2019, the ICO has recently issued a statement delaying the issuance of both GDPR fines which had originally been expected by the end of 2019. (The ICO’s initial notices of intention to fine had stated that British Airways would face a fine of £183m ($228m) and Marriott, a fine of £99m ($123m). We reported on these here: British Airways and Marriott.)

It is understood that the delay was agreed between both parties and the ICO respectively in accordance with Schedule 16 of the UK Data Protection Act 2018, which provides that the ICO must give a penalty notice to a person in reliance on a notice of intent within 6 months of that notice of intent, unless that period is extended by agreement between the ICO and that person.

With the original notices of intent due to expire this week, the ICO will now have until March 31, 2020 to finalize the penalties imposed on both British Airways and Marriott, which were the result of two high-profile data breaches and subsequent ICO investigations.