GDPR Strikes Back: British Airways and Marriott Fined Millions

When the General Data Protection Regulation (GDPR) came into force on May 25, 2018, it promised to reshape the entire data privacy sphere. No longer could companies be irresponsible or negligent with users’ data — unless they wanted to pay €20 million (~$23 million) or 4% of their annual global revenue in penalties.

However, in the year that followed, few fines for non-compliance came close to the numbers that the GDPR threatened.

Analysts argued that regulators were merely catching up on their data-breach backlogs, and that the big fines were coming any day now. Then, shortly after the law’s one-year anniversary, the GDPR floodgates opened, and several major companies were hit at once.

Read on to learn who’s paying the price for mishandling data after the GDPR went into effect, and what the implications of these penalties are — both for the future of data privacy, and for other businesses.

Google — $57 million

The first year of GDPR enforcement was marked by a distinct lack of newsworthy fines — except when Google fell afoul of the GDPR at a cost of €50 million (~$57 million) in January 2019.

French data protection agency Commission Nationale de l’Informatique et des Libertés imposed the fine because Google did not clearly disclose how personal data was processed when users set up an Android phone. Vital explanations were spread across several pages, and a consent box was pre-checked in the data-handling configuration options.

Consent and transparency are two of the most important concepts of the GDPR. If the average user can’t understand how their details are being used, data collection is not transparent. For consent to be valid, users must be able to provide a “freely given, specific, informed and unambiguous” indication of their wishes.

The Google GDPR fine exemplifies the risk of ignoring the GDPR’s accessibility requirements. It’s critical that users know what data-processing practices they’re agreeing to, and that they can easily withdraw their consent at any time.

British Airways — $230 million

The first GDPR penalty to arrive in the UK was the highest that had ever been issued.

In July 2019, British Airways (BA) was slapped with a ground-breaking fine of £183 million (~$230 million) by the Information Commissioner's Office (ICO), after the personal data of 500,000 customers was compromised in a cyberattack.

Hackers inserted malicious code onto the airline’s homepage, which diverted users to a fraudulent site. Here, they entered their login information, payment card details, name, address, and travel booking information. The incident began in June 2018 and continued until September.

In many ways, this penalty sets the tone for future enforcement. Although significant, the breach itself was not as bad as other recent hacks. For example, 143 million consumers were affected by the Equifax breach in 2017 (which occurred when the Data Protection Act, a less stringent regulation that the GDPR superseded, was in effect).

BA are appealing the decision, and it’s possible that the fine will be reduced from the current amount, which is approximately 1.5% of the airline’s 2017 annual turnover. If the ICO is willing to push for a fine this high for a comparatively small breach, it suggests regulators won’t be shy about handing out the full 4% for a more extreme incident.

The BA penalty holds the record for GDPR fines, but it’s a record that’s likely to be broken soon.

Marriott — $123 million

Only a day after the ICO issued the penalty against BA, it announced that Marriott would be hit with a steep £99 million (~$123 million) penalty.

In November 2018, the US hotel group (which also owns Le Méridien and Sheraton) notified the ICO of a data breach in which 339 million guest records were exposed. The attack affected an old system used by Starwood Hotels, a company acquired by Marriott three years ago. Although the incident occurred in 2014, it was not discovered until four years later, long after the damage had been done.

Under the GDPR, companies are fully accountable for the data they process. The ICO’s Elizabeth Denham stated that:

“This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”

Preventive measures that protect customer data are difficult to quantify, but companies have a responsibility to map their data and identify vulnerabilities. One way any business can avoid a similar fine is to build Privacy by Design into their operations. This is a core part of what the GDPR is about — data collection should be minimized, and data protection should be integrated into technology from the start.




Who’s next?

In addition to the GDPR, companies in the US will also have to contend with the California Consumer Privacy Act (CCPA) next year. As the data privacy landscape becomes more difficult to navigate, and regulators enforce legislation more assuredly, Silicon Valley is a prime target for the next record-breaking penalty.

The ICO already fined Facebook £500,000 (~$620,000) in the wake of the Cambridge Analytica scandal — a debacle that continued until July 2019, when the social media giant agreed to a $5 billion settlement with the US Federal Trade Commission. This would be a staggering amount for most businesses, but according to one senator, it’s merely chump change for Zuckerberg.

If there’s a lesson from the end of this GDPR grace period and the large fines issued recently in Europe, it’s that regulators have found the confidence they need to fully enforce the GDPR.

Companies like Facebook can no longer be complacent.



This is a guest post by Simon Fogg. Simon is a legal analyst and data privacy expert for Termly. He studies the latest news and trends in the data privacy space, then brings compliance solutions to small business owners and marketers. His focus for the past two years has been tracking the GDPR and its international impacts.