back to article UK data watchdog kicks £280m British Airways and Marriott GDPR fines into legal long grass

The UK Information Commissioner's Office has kicked £280m in data breach fines against British Airways and US hotel chain Marriott into the long grass. As spotted by City law firm Mishcon de Reya, the ICO has extended the time before it will fine the two companies what it claimed would be a total of £282m, split between BA's £ …

  1. Anonymous Coward
    Anonymous Coward

    What's the point?

    Why have hard legislation if you can't fully enforce it.

    1. Ordinary Donkey

      Re: What's the point?

      So that you can selectively enforce it?

    2. Halfmad

      Re: What's the point?

      Why have a regulator and properly fund it?

      £2M a year is a limit they should not have..

      1. lglethal Silver badge

        Re: What's the point?

        Give them £2M a year + 10% of all the fines they collect. Although for the first year, give them enough funding that they can extract the maximum fine from each company they go after.

        I guarantee they will be far less willing to bend over for companies at that point...

        1. paulf

          Re: What's the point?

          I'd suggest some caution here. While I agree in principle that the ICO should benefit from the work it does enforcing the regulations, so that it can continue doing said work with decent funding, allocating them a percentage of fines levied does risk invoking the law of unintended consequences. Some examples:

          1. Traffic enforcement officers incentivised to maximise revenue from fines will start issuing tickets for the smallest violations (e.g. right on a parking bay boundary) or exactly one minute after the penalty applies rather than allowing a short grace period.

          2. A particularly egregious (and likely unusual one) involving a store detective that was incentivised to catch shop lifters. To increase their success rate they started slipping items into people's bags when they weren't looking, then "catching" them after the checkouts with said unpaid for items. The person involved was caught by the police but it goes to show incentives for desired behaviour risk undesirable consequences as the people involved work to maximise the incentive regardless of the wider cost.

          The point here is the ICO is clearly underfunded compared to the work they need to do to enforce the regulations, and the potential revenue they can bring in from massive fines, but ensuring they are properly funded is a matter for HM Treasury to rectify. It's worth noting other enforcement agencies like the CPS, and HMCTS are also underfunded compared to the work they have to do so the ICO is not alone here. Giving them an incentive to directly benefit from the fines they levy risks them becoming over zealous which then risks the ICO, and the wider concept of data protection, losing popular public support; and that would be to everyone's disadvantage!

          1. Pascal Monett Silver badge

            Objectively you're right, of course, there's no denying that. All enforcement organizations end up abusing their powers in some way and must be reigned in.

            Unfortunately, there is also no denying that if the ICO is watering down its approach simply because the companies that it has in its sights have a bigger legal budget to play with, then 380k people are at risk of having been abused without recourse, and that is not fair either.

            Why is it that we can't have an adaptive approach ? Give the ICO a percentage on its fines to enable it to enact justice, and take said bonus away when it is no longer necessary.

            1. paulf

              I agree - the ICO should be kicking some serious arse and collecting every penny of the fines discussed in the story. Only when CEOs see massive holes in their company's P+L, and by extension their bonus, will information security be taken seriously (and hopefully by further extension IT budgets in general). It's quite reasonable that the proceeds of those fines help fund further enforcement. I'm not against that, but I am suggesting some caution regarding a direct link between enforcement and income that could lead to the system being gamed in some way that is detrimental to wider society.

              It ought to be the aim of any regulator to do such a good job that it does itself out of a job. That's probably unlikely but we all know the stories of "If you don't spend it this year you won't get it next year" to realise that the budget won't be reduced, unless some Government minister decides it's in their interest to forcibly cut it.

            2. Anonymous Coward
              Anonymous Coward

              The ICO are dinosaurs chasing lazy rodents on the sunny uplands of Chixuclub. This is why ...

              This is the right debate to have on the topic of enforcement. My observation is that the ICO have become much more secretive and amenable to plea bargains at the expense of data subjects rights in the last few years. Think the ICO is going to right that data protection wrong? You probably don't know the ICO nowadays.

              Aside from the fact that the ICO has become little more than a ahem, data protection compliance protection racket ("just keep paying your data register fees okay?") I predict that GDPR compliance is about to go the way of tax compliance - offshored to extralegal entities beyond the reach of pesky regulators.

              My evidence for this is the Danish toy maker, while registered with the ICO and claiming data protection compliance actually moved it's data controller to Denmark for UK customers (meaning that the ICO has no interest and the Danish regulator can claim the offence had been committed outside Denmark). This has been done with the full connivance of the ICO, to the detriment of data subjects rights. As long as they keep paying their fees to the ICO, they UK escape justice for GDPR breaches.

              Evidenced also by the highly questionable Israeli sales contact data mining company that claims compliance with GDPR but has no offices, employees or interests within the legal jurisdiction of GDPR. That folks is the future of GDPR compliance and the proverbial asteroid hurtling towards the pea-size brained Wirral data police.

              So spare a thought for the ICO (and for that matter HMRC). They are dinosaurs in the Chixuclub basin, wondering how bright their futures might be. Very bright is the answer. Very very bright.

              1. jeremylloyd

                Re: The ICO are dinosaurs chasing lazy rodents on the sunny uplands of Chixuclub. This is why ...

                While we're still in the EU a company can register with any data protection registrar - though it should be where the largest portion of where they business takes place. Once the UK leaves the EU, any companies trading in/with the UK will be subject to regulation by the ICO, and if external to the UK will have to register a representative in the UK. Similarly, any UK company trading in/with the EU will have to register a representative in an EU member state.

          2. Lee D

            Re: What's the point?

            Your first example is literally enforcing the laws. One minute / small violations are still violations. Don't do it, you can't be fined.

            Your second example is literally illegal.

            Neither are good reasons for not funding a government enforcement agency looking after millions of citizens data properly.

            1. The Mole

              Re: What's the point?

              But there is a big difference between literally enforcing the laws and enforcing justice. If someone intended to park legally/get back to the car in time but were unable to for whatever reason by a tiny amount, then it isn't in the public interest to punish someone in that case. If the intent or impact is criminal then indeed they should be punished. Society tends to agree with the view that law enforcement should have some discretion as it is far more efficient than having to get laws exactly perfect.

              Having incentives that encourage the removal of common sense can have known on implications for society.

          3. Richard Jones 1

            Re: What's the point?

            ICO have a mailing list, perhaps some providing information about the sloppy ways of BA and that Marriott, and advice to avoid might be wise. Bullying bullies should always be fun.

            I am on the ICO mailing list but have already noted that both outfits are to be avoided.

          4. Velv

            Re: What's the point?

            While the unintended consequences you point out are a risk, in each case the "staff" were incentivised to commit their crime directly (i.e. they could make a personal difference to their remuneration).

            I don't think with something as fundamentally different as major fines for corporations issued by a body that there is the same opportunity for an individual in the ICO to "line their own pockets" in the same way as your Cop or Security Guard.

            You need to trust the integrity of your staff to an extent, and have audit controls to monitor compliance.

          5. quxinot

            Re: What's the point?

            With examples like that--having no grace period and always going for max fines, etc... I say great! At that point, we have laws being enforced equally, and can change the laws to reflect the way they should be dealt with, instead of writing massively draconian laws and penalties that may or may not be enforced.

          6. trindflo Bronze badge

            Re: What's the point?

            In case that doesn't seem egregious enough, this is a worse example of why it is a problem: Donald_P._Scott

          7. NeilPost Silver badge

            Re: What's the point?

            On the counter argument.... if the Police gave a £££ share for Video footage of Vehicular Miscreants if convicted as a ‘bounty’ I could give up my day job.

            25% of each and every £100 traffic violation fine ??

            Endemic bad driving would evaporate overnight as crowd-sourced enforcement takes over.

        2. The Mole

          Re: What's the point?

          The problem is they will start looking at return on investment and soon realise the best thing to do is fine lots of little companies for technical violations - the ones who will probably just pay up with a simple lawyers letter threatening a full investigation. That's for more efficient and low risk than going against big organisations with proper legal teams who might fight and win.

          1. Yet Another Anonymous coward Silver badge

            Re: What's the point?

            The IRS (US tax office) got into trouble (well actually a few raised eyebrows) over that

            They had a policy to target people making just under average wages on the basis that this minimised the capacity to fight any demand

          2. NeilPost Silver badge

            Re: What's the point?

            Pre-GDPR coming fully into force, the ICO stated prosecution/fines would be “impact related”.

            Small violation - small fine/enforcement

            Big Violation (BA/Marriot grade) - large fine/enforcement/arse kicking

            £2m is a piddling little legal budget and if not increased massively will lead companies to going GDPR... m’eh.

  2. Anonymous Coward
    Anonymous Coward

    Losing credibility before getting off the ground

    This is an embarrassment for the ICO and kills what little credibility it had post launch.

    AC, because I don't trust them with my personal details...

    1. Anonymous Coward
      Anonymous Coward

      Re: Losing credibility before getting off the ground

      Post launch? It's been the ICO since 2001, when it took on FOI.

      You thinking of GDPR?

  3. Mike 137 Silver badge

    Privacy legislation - a bit of a farce?

    Underfunded regulators, perpetrators allowed to negotiate their penalties, and at least a few extraordinary decisions.

    For example, I have an official ruling from the ICO that it's legitimate to conceal processing performed on the basis of Legitimate Interest. This is strange to me, as data subjects have a statutory right to object to processing on that basis. The ICO specifically nevertheless considers it "sufficient" for a data controller to provide "examples" of its processing on the basis of Legitimate Interest, which effectively means that the data controller can simply not mention some of such processing when a data subject exercises their right to be informed.

    I may possibly have missed something obvious, but it's not clear to me how one can object to something one hasn't been told about. It therefore seems that the national regulatory body is advocating that data subjects be denied a statutory right.

    1. A Non e-mouse Silver badge

      Re: Privacy legislation - a bit of a farce?

      I think you'll find this isn't restricted to just the ICO. Many of the other regulators' legal budget is tiny compared to that of the companies they regulate.

      1. elwe

        Re: Privacy legislation - a bit of a farce?

        That gives me a great idea, tax companies based on their spend on lawyers. 40% sounds about right, on top of VAT etc.

        Oracle would be screwed... So win all round.

  4. Claverhouse Silver badge

    The EU is to Blame

    They easily created the excellent GDPR without thinking it through how simple-minded and weak-willed countries could apply it, or their incorporation of it into their own law, when they light-mindedly wandered off to achieve Independence ( and no doubt FREEDOM! ) afterwards. A government of imbeciles cannot be expected to adequately fund anything, especially when it has a philosophical horror of government spending any money whatsoever...

    1. NeilPost Silver badge

      Re: The EU is to Blame

      Don’t think so. Enforcement is down to local countries and most of this is a refresh/clarify of existing legislation across the EU as a common framework.

      Enforcement of measures against say murder depends on funding of local regulators. Not yhe EU’s bag.

      Weak and underfunded regulators does no-one any good long term. Governments/politicians need to stop creating new laws if existing ones barely enforced. Will become worse than useless. Plague of wild enforcement of Box-ticking of DBS in scope child protection ... whilst shit like Rotherham - and many others - proliferated.

      Data, financial, hand-held mobile phones, child protection. environmental, emissions.

    2. EnviableOne Silver badge

      Re: The EU is to Blame

      Except that the large majority of GDPR was written by the ICO and they wanted it to go further.

  5. Anonymous Coward
    Anonymous Coward

    As toothless as my poor old rescue cat who lost all it's teeth due to having cat flu at an early age.

    1. EnviableOne Silver badge

      you thnik they're toothless, atleast they intend to fine people, the irish version DPC is currently failing to issue procedings against FB, MS, Apple, et al. as they are headquatered (at leats for europe) in Ireland

  6. Korev Silver badge
    Thumb Down

    He opined: "It's worth remembering the ICO is a relatively small regulator (although large compared to its European counterparts) with a limited legal budget."

    Britain is part of Europe and will remain so after Brexit.

    1. phuzz Silver badge

      In some ways, yes. In other ways, no.

      Broadly, it depends whether you're talking about political or geographical meanings of 'Europe'.

    2. The Mole

      And that statement made no mention of Brexit and will read no differently after Brexit. They will still be the ICO's counterparts in Europe, as opposed to its Australian counterpart (which presumably may be larger, smaller or the same size as the ICO).

  7. Mog_X

    And in related news...

    ICO bosses have had their BA flights upgraded to first class and their hotel rooms at Marriott to the best suites until further notice.


    A long list of excuses.

    Just another one to concatenate to a very long list of ICO excuses...

    "We lost your complaint".

    "We are not adequately funded".

    "We don't have any enforcement powers".

    "We are not IT experts".

    "It was only a technical offence".

    "There was implied consent for this processing (the processing no one was informed about)".

    "It was a small scale trial".

    "The solicitor with the Rolls Royce and Surrey mansion house told us he has no money to pay a fine, so we let him off with a £1 fine".

    "The GPRS doesn't apply so 5p per offence is the best we can do"


    "We are going to fine the crooks! Unlimited cash! (but lets not rush into it eh? we have agreed to an extension so they can suggest a better excuse we can use)".

  9. Snowy Silver badge

    The fees and fines are:

    Taken from The Information Commissioner's Office web site (

    The fees you pay each year and the amount they fine you for not paying.

    Tier 1 – micro organisations. Maximum turnover of £632,000 or no more than ten members of staff. Fee: £40 Fine: £400

    Tier 2 – SMEs. Maximum turnover of £36 million or no more than 250 members of staff. Fee: £60 Fine: £600

    Tier 3 – large organisations. Those not meeting the criteria of Tiers 1 or 2. Fee: £2,900. Fine £4,000

    There is a £5 discount for payments by direct debit.

    Looks wrong to me for Tier one and two the fine is 10 times the fee but Tier 3 it is not even twice the fee. I think massive companies pay a relatively small fee which if they do not pay get a relatively small fine and now I know if they do something wrong they can get away without paying any fine. This does look rather anti-competitive!

    If the ICO needs a slogan I think it should be

    "Catch and fining the small while letting the big get away with it"

  10. wayneinuk

    GDPR Waste

    I guess if that was an SME they'd be heavily fined!!! It sucks!!!

    They should be fined per the rules with a heavy proportion of the takings being channeled into our ever struggling NHS.

    Just my thought anyway.

  11. Anonymous Coward
    Anonymous Coward

    SO have they fined them or not?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022