Greetings from New England!

While still Stateside until Sunday, clearly some of the critical news on the privacy scene this week was emanating from “Old England.” You may recall, I wrote about the British Airways data breach back in September of 2018. Well, fast forward to this week with the ICO sharing momentous GDPR enforcement announcements.

On Monday, following an extensive investigation, the ICO issued a notice of its intention to fine British Airways a whopping 183.39 million GBP for infringements of the GDPR. The incident in question involved the scraping or harvesting of more than 500,000 customer records — including financial records — over a period of months without detection. In its capacity as the lead supervisory authority, the investigation has been led on behalf of other EU member state data protection authorities. Notably, under the GDPR "one-stop shop" provisions, it stands that other EU member state residents will have been affected, so fellow regulators will have the opportunity to comment on the ICO’s findings. If that fine were to be enforced in its totality, it would represent about 1.5% of BA’s total revenue for the fiscal year of 2018. No doubt BA’s legal teams will be working behind the scenes challenging the decision.

If that wasn’t breaking news enough, then the next day, the ICO made another significant GDPR enforcement announcement. This time, the ICO had Marriott International in its crosshairs, with another notice of intention to fine Marriott 99,200,396 GBP. This particular case relates to a cyberattack in November 2018, in which a variety of personal data contained in approximately 339 million guest records were exposed, of which around 30 million related to residents of 31 countries in the European Economic Area, and 7 million related to U.K. residents.

Looking at this incident from a different perspective, it is believed that the data compromise began with system vulnerabilities of the Starwood hotels group back in 2014 that, in turn, was subsequently acquired in 2016 by Marriott. The breach was only uncovered in 2018. The more interesting aspect of this case to my mind is the underlining implications for mergers and acquisitions activity: Was there sufficient due diligence carried out by Marriott? Commissioner Elizabeth Denham remarked, “the GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.” Here again, one can note how privacy considerations can impact other areas of mainstream corporate business with high-risk exposure.

To conclude, and in equally compelling news, the Court of Justice of the European Union heard the case known as “Schrems II,” which ran into an eight-hour affair Tuesday with multiple interventions from stakeholders in Luxembourg. Jen Baker, in Brussels, wrote a summary piece here for The Privacy Advisor. And if you needed more clarification on that particular case, Ruth Boardman of Bird & Bird does a good FAQ here that looks at potential repercussions.

All in all, it has been a dizzy week, with much more to follow on all these cases.