GDPR: British Airways and Marriott International face record breaking fines from the ICO

10th July 2019

This week, the Information Commissioner’s Office (ICO) made its first public move to issue fines under the General Data Protection Regulation (GDPR) – and it did not disappoint. The ICO has issued statements that it intends to fine British Airways a record breaking £183.39m and Marriott International £99.2m.  Both fines dwarfing fines issued by any other EU data regulator under the new GDPR regime.

British Airways
On 8th July 2019, the ICO issued a statement confirming it intends to fine British Airways £183.39m for infringements of the GDPR.

The proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018, where user traffic to the British Airways website was diverted to a fraudulent site resulting in approximately 500,000 customers’ data being compromised and harvested by hackers. In their statement, the ICO revealed its investigation had found that a “variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well as name and address information”.

British Airways chairman and chief executive Alex Cruz said he was “surprised and disappointed” by the ICO’s initial finding. It is, however, clear from the Information Commissioner’s, Elizabeth Denham, comments that the ICO has adopted a hard-line approach in relation to its regulatory action against infringers of GDPR who said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

The proposed fine represents approximately 1.5% of British Airways’ £11.6 billion worldwide turnover last year, indicating that the ICO exercised an element of restraint when announcing the record breaking £183m fine – as the GDPR has granted EU data regulators the power to issue fines equalling up to 4% of an offending company’s annual global turnover. This is a substantial uplift from pre-GDPR rules, where the maximum fine the ICO could issue was £500,000.

Before making a final decision, the ICO will need to consider comments from any EU data regulators whose residents have been affected, as well as consider representations made by British Airways. Willie Walsh, the chief executive of British Airways’ parent company – International Airlines Group – has said they “intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”

Marriott International
On 9th July 2019 – a day after the British Airways announcement – the ICO issued notice of its intention to fine Marriott International £99.2m for breaches of the GDPR.

The proposed fine relates to an incident notified to the ICO in November 2018 – when Marriott’s Starwood Hotels guest reservation database was hacked. Passport and credit card numbers was amongst the data exposed for approximately 339 million guest records worldwide, of which around 7 million related to UK residents.

The ICO’s investigation revealed that the vulnerability began when the Starwood Hotels group systems were compromised in 2014, two years before Marriott acquired Starwood in 2016. The importance of “carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected” was highlighted in a statement from Information Commissioner Elizabeth Denham.

Arne Sorenson, the President and CEO of Marriott International, said: “We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database. We deeply regret this incident happened.”

The proposed fine also acknowledges the extended territorial scope of the GDPR which now also applies to companies based outside the EU that offer goods or services to individuals within the EU.

The ICO has bared its teeth and these headline-grabbing figures have reinforced the fact that companies need to be extremely vigilant about their data security arrangements in the GDPR world in which we now reside.

For further information, please contact Simon Halberstam at or Ben Ifrah.