GDPR: When are the regulators going to show their muscles?

JC Gaillard
Security Transformation Leadership
5 min read · Nov 21, 2020


Protecting the Public or Protecting Big Business?… The recent downgrading of fines by the UK ICO for British Airways and Marriott raises some questions.

Let’s face it: during the second half of October 2020, we probably witnessed the first major milestone since GDPR came into force on 25th May 2018: the downgrading by the UK ICO of the fines it had proposed in the summer of 2019 in relation to the 2018 data breaches at British Airways and Marriott.

The UK regulator probably intended to showcase its business acumen and its understanding of the situation those industries are going through with the COVID crisis, but in practice, it is likely to be seen over time as a sign of weakness, and it definitely sets a precedent.

And we must not overlook the size of the “rebate”, which — interestingly — is not even mentioned in the ICO press releases we have come across: from proposed fines of £183m for BA and £99m for Marriott, down towards the £20m mark for each of them… quite a substantial drop…

Right from the start in 2016–2017, it was obvious that the role the regulators decide to take with regard to GDPR and their appetite for enforcement will be key in…

Founder & CEO @CorixPartners @Transform_Sec | Top #Cybersecurity ThoughtLeader on @Thinkers360 | Board Advisor & Non-Exec Dir | Author http://buff.ly/41a574n