It is understood that, once more, the Information Commissioner's Office (ICO) and Marriott Inc. have mutually agreed an extension in the protracted process relating to a proposed fine under data protection law. In July 2019 the ICO announced an intention to fine Marriott £99m for infringements of the General Data Protection Regulation (GDPR), at the same time as it also said it intended to fine British Airways £183m. Although the law only normally allows the ICO six months to confirm an intended fine, both matters have instead been subject to repeated extensions (as we have discussed previously).
This latest extension (no doubt as a result of robust defence of its position by Marriott, just as BA is no doubt defending its position) will be likely to add to concerns about the ICO's ability, under the current regulatory scheme, to issue serious fines. Although GDPR allows for fines of up to 4% of global annual turnover, the only fine so far actually issued by the ICO under GDPR was one of £275,000.
It is also important to consider whether this all might impact on any pending decision by the EU as to the 'adequacy' of the UK's data protection regulatory regime post-Brexit.