Legal experts have warned of more potential delays to the official GDPR fines set to be handed down to British Airways and Marriott International, potentially undermining the authority of the UK regulator.

The Information Commissioner’s Office (ICO), Europe’s largest data protection regulator by budget and employees, originally handed down a notice of intent to fine BA a massive £183.4 million after a Magecart-related breach on its site. A £99 million fine was slated for the hotel group soon after for its breach of 339 million customer records.

Although these were first published in July 2019, they’ve been subject to delays as the companies involved made detailed representations to the regulator.

The initial six-month period from notice of intent to fine was extended to May 2020, according to BA’s recent annual report.

However, experts at Cordery Compliance now believe the deadline will be pushed back again due to COVID-19, to around August-September time.

“Our understanding is that whilst still emphasizing the seriousness of the breaches, the ICO will apply a lenient approach to the amount of the fines due to the financial impact of COVID-19,” the compliance firm added in an alert.

This is likely to raise questions about the ability and resolve of the ICO to bring large cases against well-funded corporations.

“Although the impact of COVID-19 may explain some of the current continued delay, quite why what may end up being over a year to resolve these matters since the ICO announced its intentions to fine may leave some wondering whether GDPR enforcement is going as quickly as it should,” said Cordery.

“In addition, what was also expected to be a showcase for the first significant fines under GDPR in the UK may now be a let-down.”

That said, the two companies are still facing the prospect of potentially costly litigation from disgruntled customers, it added.

A report out last month argued that Europe’s GDPR regulators are woefully under-resourced financially and lacking in the in-house technical expertise needed to take on the major technology firms.

From: infosecurity-magazine.com