back to article UK data watchdog having a hard time making GDPR fines stick: Marriott scores another extension, BA prepares to pay 11% of £183m penalty threat

British Airways expects the fine for its 2018 credit card data leak to be just 10.8 per cent of the £183m proposed by the UK data watchdog – while US hotel chain Marriott has both halved and kicked its own data blunder punishment into the long grass once again, The Register can reveal. Marriott has secured an extension for …

  1. Whitter
    Devil

    Falling on sword time?

    In order to continue the pretense that the gov actually wants GDPR enforced - while ensuring funding and will for such are entriely lacking - is it time for the Information Commissioner to take one for the team?

    i.e. Resign, wait a few months then get a pass into the House of Lords?

    1. Lee D

      Re: Falling on sword time?

      Don't be silly, in a few month's time they can just revoke the entirety of the GDPR. Why bother?

      All those years of compliance (with a quite sensible and powerful-to-the-consumer law) will be wasted because of our "independence". They'll just cut the red tape so that their own projects (like the track and trace, etc.) don't fall foul of it either.

      1. Phil O'Sophical Silver badge

        Re: Falling on sword time?

        All those years of compliance (with a quite sensible and powerful-to-the-consumer law) will be wasted because of our "independence". They'll just cut the red tape so that their own projects (like the track and trace, etc.) don't fall foul of it either.

        I can understand reasonable arguments pro/anti Brexit, but why do remainers keep spouting this ludicrous nonsense? Is it just a desperate attempt at propaganda, or blind refusal to understand the arguments of people you disagree with, in case they might be right?

        We need to respect international rules to continue international trade (with the EU and elsewhere). British consumer and data protection law has consistently been tougher than EU minima, and tougher than those implemented by other EU countries (pre-GDPR the UK maximum fines were higher than those permitted in Germany, for example). Part of the parliamentary work before Brexit was specifically to enshrine GDPR in UK law, so that it would not just vanish afterwards. There is no credible reason to believe that reducing UK data protection to levels below GDPR is planned, useful or desirable.

        1. Yet Another Anonymous coward Silver badge

          Re: Falling on sword time?

          >There is no credible reason to believe that reducing UK data protection to levels below GDPR is planned, useful or desirable.

          Exactly, the whole point of Brexit was that as a sovereign nation we would be able to keep all the Eu regulations in place while dictating terms to those American colonials who would be desperate to trade with us any whatever terms we demanded.

        2. Anonymous Coward
          Anonymous Coward

          Re: Falling on sword time?

          "why do remainers keep spouting this ludicrous nonsense?"

          General distrust of the competance of the government of the day?

          "British consumer and data protection law has consistently been tougher than EU minima, and tougher than those implemented by other EU countries"

          That is debatable - there are/were procedings in place by the EU against the government, as the Data Protection Act 1998 is not actually compliant with the Directive 95/46/EC. The govenment won't reveal the details of non-compliance as it would jeopardise international trade.

          https://www.theregister.com/2017/03/16/uks_gdpr_law_will_not_be_judged_adequate_if_it_contains_provisions_that_made_the_dpa_inadequate/

          The Sales of Goods Act 1960 gave a longer period of time to commence action against a seller than the European standard. However, the standard European implementation of 2011/83/EU gives a minimum of 2 year guarantee - the UK implementation does not (it states "reasonable period", which some retailers take the mickey with).

          From https://europa.eu/youreurope/citizens/consumers/shopping/guarantees-returns/index_en.htm

          "You always have the right to a minimum 2-year guarantee at no cost, regardless of whether you bought your goods online, in a shop or by mail order.

          This 2-year guarantee is your minimum right, however national rules in your country may give you extra protection."

          1. Anonymous Coward
            Anonymous Coward

            Re: Falling on sword time?

            Data Protection Act 1998 is not actually compliant with the Directive 95/46/EC.

            But the replacement DPA 2018 explicitly implements those parts of GDPR which member states must do, so effectively enshrining GDPR in UK law even though it is no longer an EU member.

            The Sales of Goods Act 1960 gave a longer period of time to commence action against a seller than the European standard. However, the standard European implementation of 2011/83/EU gives a minimum of 2 year guarantee - the UK implementation does not (it states "reasonable period", which some retailers take the mickey with).

            That's because UK law generally offers guidance, leaving the details to be decided by the courts, which is not the case in many other countries. The courts have already created precedents that "reasonable" can be 5+ years in the case of domestic goods, for example.

            It doesn't detract from the fundamental point that there is no reason for the UK to weaken consumer protection below that of GDPR, since it generally applied higher standards than EU/EC minima, even before it was a member.

      2. Anonymous Coward
        Anonymous Coward

        Re: Falling on sword time?

        Abolish GDPR? Not for awhile I hope. I am busy (well my lawyers are) battering a POS parking enforcement company that incorrectly and illegally ticketed me. So much fun costing those b*ards time and money. Next step is getting the ICO involved, so just need a year or so to really twist the knife.

        1. Anonymous Coward
          Anonymous Coward

          No need to worry...

          Your case would be based on the legislation in force at the time.

        2. Woodnag Silver badge

          Details please...

          ...at least the general basis of the case

          1. Anonymous Coward
            Anonymous Coward

            Re: Details please...

            see reply further down.

        3. Anonymous Coward
          Anonymous Coward

          Re: Falling on sword time?

          Best of luck to you! Those scumbags deserve everything they get and more. But just remember, you weren't "illegally ticketed". They had no authority to ticket you in the first place, legal or otherwise. You have (I presume) merely broken an implicit contract by overstaying your welcome.

          Give them a jolly good kicking, unless it's Parking Eye. Sorry but you wouldn't stand a chance against them annoyingly as they're the ones with friends in low places etc.

          1. Anonymous Coward
            Anonymous Coward

            Re: Falling on sword time?

            Parking Eye? Right, will avoid any parking that has one of their signs. As for legality, I had actually paid for the duration, but there was a type-o. Got the notice through 2 months later, and a little research and they according to some bylaw regarding land owned by railway, they are not allow to do what they did. But that is besides the point, as I just sent in a scan of the parking stub (as I had done it to claim expenses 2 months prior) and they let me off, because they had no chance.

            But, and this is the reason I am now getting my lawyers involved, this really pissed me off, they said if I make a type-o again, they would fine me anyway and I would have to pay. Fat chance.

            So far, from their return letters, it looks like they are shifting themselves and keep apologizing. I am still trying to find out why it took 2 months to even query DVLA for my details. So far, they are not releasing all the info I am after. ICO is next step once the current 30 timer is up and they fail to release all of it.

            1. Anonymous Coward
              Anonymous Coward

              Re: Falling on sword time?

              "But, and this is the reason I am now getting my lawyers involved, this really pissed me off, they said if I make a type-o again, they would fine me anyway and I would have to pay. Fat chance."

              you really have far too much time on your hands.

              from your earlier post i had assumed they sent in the bailiffs or something

              1. Anonymous Coward
                Anonymous Coward

                Re: Falling on sword time?

                Yes, I know. But its so much fun.

          2. markr555

            Re: Falling on sword time?

            Yep,

            Don't take on Parking Eye, they manage to do what other parking shysters can't, successfully getting prosecutions thought the courts. I took them on after a 26 minute overstay. While at the 'court' I saw the magistrate/judge laughing/joking/flirting with the Parking Eye solicitor multiple times before my case, but yet they told me they hadn't had any discussions before the hearing. The judge wasn't having any of my defense of the fact that no loss had been incurred and I was promptly ordered to pay 3 times the cost of the original ticket. After paying the 'fine' I requested multiple times a receipt to prove I'd payed it, for the purposes of avoiding a CC judgement on my credit record, but they ignored every request. I therefore got an entry on my credit record which has only just been removed after 6 years. I would recommend never parking on a car park operated by them, they are a complete scam organisation.

            1. markr555

              Re: Falling on sword time?

              Downvoted for telling a story - are there Parking Eye employees on this forum?

              1. You aint sin me, roit Silver badge
                Holmes

                Re: Falling on sword time?

                Dunno... it wasn't me, but probably for suggesting a percieved lack of incurred loss is a valid defence for an overstay. Do you book a hotel for a night but refuse to leave for as long as there is another unoccupied room?

                No wonder the magistrate was laughing!

    2. tiggity Silver badge

      Re: Falling on sword time?

      She has a CBE already - the cynic in me wonders if that may be linked to lack of going after companies.

      The cynic in me also believes that if someone has accepted an honour then their partiality must be deemed suspect in such roles as they have fully succumbed to establishment assimilation.

      1. You aint sin me, roit Silver badge
        Pirate

        Part time cynics!

        The cynic in me says that it will all be quietly dropped, "never brought in any money in any case", in preparation of the takeover of UK plc by the Americans as part of the bestest ever, have cake and eat it, line the pockets of the rich, trade deal.

        P.S. Can Liam Fox please be charged for leaking secrets from his email account?

        1. Yet Another Anonymous coward Silver badge

          Re: Can Liam Fox please be charged for leaking secrets from his email account?

          He has a exemption from prosecution on the grounds of permanent diminished responsibilities

  2. Sherminator
    FAIL

    Toothless Crones

    After all the fanfare and copious amounts of GDPR "expert" consultants getting UK PLC over the start line for GDPR, you do have to wonder what on earth is the point of the whole process and fines if they aren't going to be upheld.

    I can understand a reduced fine for early payment, but dragging on negotiations ad infinitum is not exactly showing the corporate world that GDPR has any teeth when enforced.

    I wonder if similar DP regulations are facing the same problem when it comes to enforcement and fines globally? i.e. the California Consumer one and others.

    If any company being hit by fines thinks they can allocate lower amounts, then where is the pressure to perform and act correctly?

    It would appear that the consumer will be the one taking the hit again as more data is lost and more PII etc, gets into the wild!

    The mind boggles.

    1. Snowy Silver badge
      Facepalm

      Re: Toothless Crones

      100% agree if the law is not being upheld what is the point. Seems to me this hits smaller companies and the big ones just get to ignore it.

    2. tip pc Silver badge

      Re: Toothless Crones

      The ICO thought they where being smart dolling out huge fines as a deterrent to others.

      The ICO should have just issued realistic fines & shamed the companies involved.

      The ICO now just look stupid and have created a lobbying industry giving them future headaches.

  3. firefly

    Fine negotiation

    I got a speeding fine through the post the other day so I think I'm going to write back and offer a tenner. If it works for BA then it should work for me as well, right?

    1. IGotOut Silver badge

      Re: Fine negotiation

      No problem, you just need a £1000 p/h lawyer to write the letter.

    2. Zarno Silver badge
      Coat

      Re: Fine negotiation

      See if you can get the speed camera to testify in court.

      With any luck, it'll be yammering about failing diodes down it's left side, and the judge will reduce the fine to a half hour poetry lesson.

      I'll get my coat, hopefully I still have the Electronic Thumb in the pocket...

  4. James Anderson

    So net loss to the taxpayer

    The amount collected in fines over the two years won't even cover the cost of running the department.

    To say nothing of the millions honest companies have given to "GDPR compliance consultants"

    for telling companies what they should have been doing anyway.

    Typical Sir Humphrey meets Jean-Claude cockup.

    1. Yet Another Anonymous coward Silver badge

      Re: So net loss to the taxpayer

      cockup?

      The Eu requires a conservative govt to regulate companies exploiting the peasants.

      Naturally they put their best people on it.

    2. Mike 137 Silver badge

      Re: So net loss to the taxpayer

      Actually, it's not any kind of loss to the taxpayer (at least not directly). The ICO is not funded from taxation (to avoid any suggestion of conflict of interest if it takes action against a government entity). Nor is it funded by fines (to avoid any suggestion of vested interest). It's funded from the registration fees, which, although not proportional, are scaled in accordance with the size of the registrant organisation.

      Given this position, going after large companies has clearly nothing to do with revenue for the ICO, but it may be good for raising its profile, and that could well be necessary if the ICO wants to remain recognised by the EU. That in turn could at least unofficially affect whether or not the UK gets its adequacy decision swiftly (or indeed at all).

    3. macjules Silver badge

      Re: So net loss to the taxpayer

      I can just see how this goes:

      1) ICO Commissioner resigns and is boosted to HoL

      2) Baroness Harding, fresh from the TalkTalk Track 'N Trace fiasco takes over

      3) ICO sequester several BA jets in attempt to get the money

      4) Nobody wants to buy them except BA who offer 5% as a buyback.

  5. Rich 2 Silver badge

    What a shit show

    Instead of having the fine over time, they should be adding interest!!

    It’s pathetic. It really is

  6. Mike 137 Silver badge

    A non-optimal strategy

    The UK Information Commissioner has publicly declared that the ICO will concentrate on going after the big offenders and aiming for large fines. This is clearly good for raising the profile of the ICO, but it has the following disadvantages:

    [1] it preferentially selects those best equipped to challenge any action against them

    [2] it consumes resources on a few cases that might otherwise be applied to dealing with large numbers of meritorious complaints

    [3] it does not deter the majority of offenders as they consider themselves under the radar.

    Only by pursuing a reasonable percentage of the majority-scale abuses will the legislation ultimately be made to stick. For example, I've been conducting research into the quality of privacy notices since May 2018, and out of hundreds I've only found literally a couple that actually comply with the requirements of the GDPR. Somewhat surprisingly, the ICO's own template privacy notice for SMBs doesn't. It requires all the statutory information, but presents it in a manner that prevents the exercise of data subject rights in respect of specific purposes and processing. This is not trivial. The privacy notice is the primary basis on which a data subject must initially rely to exercise their statutory rights. If it prevents them doing so, that is itself an offence under the principles of transparency and accountability (inter alia Articles 5 and 12).

    1. Boris the Cockroach Silver badge

      Re: A non-optimal strategy

      Sounds like its doing the reverse of the inland revenue who go after the small tax avoiders/evaders so they'll have to pay the fines/backtax because they cant afford the expensive lawyers/accountants the big evaders/avoiders can.

      1. tip pc Silver badge

        Re: A non-optimal strategy

        going after the small guys ensures there is precedence for when they go after the big fish.

        The Banks jumped at the notion that they will be responsible for their contractors taxes. The banks are not stupid enough to let the taxman gain obvious advantage over them so have rushed to reduce their exposure.

    2. James Anderson

      Re: A non-optimal strategy

      It has actually had a negative effect on users privacy.

      By requiring users to "agree" to cookie use unscrupulous companies have been putting in all sorts of extras into the unread "privacy policy" which legally exposes the users data to much more abuse than was previously possible.

      1. Anonymous Coward
        Anonymous Coward

        Re: A non-optimal strategy

        By requiring users to "agree" to cookie use

        That is a violation of GDPR in itself.

  7. sitta_europea Silver badge

    I don't understand the concept of 'negotiating a fine'.

    I thought you paid a fine, or you got a bigger one, and paid that too, or you went to prison.

    1. usbac

      No silly! That's only for us "regular people", not for corporations that contribute to political campaigns.

    2. Anonymous Coward
      Anonymous Coward

      You can always negotiate fines, such as those for not paying taxes on time. In general, people you owe money too would rather have some money than have you in jail & unable to pay anything.

      The problem is that it's not worth the bother of negotiating (on either side) unless the amount is in the millions, so rarely affects ordinary folk. Never hurts to ask, though.

  8. HildyJ Silver badge
    FAIL

    Lawyer up

    We see the same thing on this side of the pond. Civil Service staffs are budget constrained and big corporations are not. Big corporations can throw as many (tax deductible) lawyers at the problem as they want. The outcome is not in doubt.

    Plus, groups like the ICO start negotiations with what they consider reasonable, not with what could be the maximum penalty.

    I can't say if there's a revolving door between the ICO and industry but there are certainly plenty of those in the States.

  9. 0laf Silver badge

    Is it just us?

    Are other GDPR territories haveing any better luck extracting the actual money from the fines?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021