British Airways plane landing on Schiphol airport in the Netherlands. Credit: Nieuwland Photography/Shutterstock.com

The UK's Information Commissioner's Office (ICO) gave a clear message this week: It is serious about penalizing companies that aren't properly protecting consumer data.

On Monday, the ICO announced its intention to fine British Airways £183.39 million ($230 million). The proposed fine was the result of the British data privacy agency's investigation of Britain Airways' 2018 data breach that left roughly 500,000 customers' financial and personal information compromised.

As observers attempted to gain some insight from the British watchdog agency's first significant fine under the General Data Protection Regulation (GDPR), on Tuesday the ICO also proposed a £99 million ($124 million) fine against Marriott over the hotel chain's data breach of guests' personal data in late 2018. 

To be sure, the largest allowed fines for noncompliance under the GDPR is €20 million ($22 million) or 4% of the company's worldwide annual revenue, whichever is higher. While British Airways' and Marriott's fines don't reach the 4% threshold of their company's revenue, lawyers say that the ICO still sent a stern message.

“It was an open question since the GDPR became effective: The question was would the enforcement be very significant for companies?” said Ahmed Baladi, a Paris-based Gibson, Dunn & Crutcher partner and co-chair of the firm's privacy, cybersecurity and consumer protection practice group. “We have a crystal clear response that they will enforce it and enforce it with heavy fines.”

The U.K. regulator's reaction and fines signifies a new stricter approach generally not associated with the ICO before the GDPR, Baladi said. Coupled with France's $57 million fine against Google over its data collection process earlier this year, Baladi noted EU data regulators are projecting a unified approach.

McDermott Will & Emery partner Ashley Winton agreed. “I do think the ICO wants to put up a united front with its fellow European data regulators,” he said. “I think we will see this as a new style with the ICO.” Winton noted that the style includes a consistent approach to data protection across Europe and the ICO carefully following guidance and acknowledging that material and non-material damages can occur in data breaches.

In the Marriott announcement, the U.K.'s Information Commissioner Elizabeth Denham highlighted companies' responsibility to secure personal data and her agency's duty to protect citizens.

“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset,” she said in the press release announcing the proposed Marriott fine. “If that doesn't happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”

Although the size of the proposed fines were attention-grabbing, the ICO noted in both press releases that the penalties weren't finalized. Under the GDPR's “one-stop shop” provisions, the data protection authorities in the EU whose residents were impacted can comment on the ICO's findings. Meanwhile, the company being penalized has 21 days to make representations about the penalty. In a U.S. Securities and Exchange Commission (SEC) filing on Tuesday, Marriott said it will “vigorously” defend against the proposed fine. Likewise, British Airways said it would be reaching out to the ICO as well, according to the BBC.

While lawyers will watch closely as the companies appeal the proposal and regulators weigh in in the first big test of data regulation under the GDPR, Baladi highlighted that the British agency's announcements were made as the country is in a bitter stalemate over Brexit.

While a more “pragmatic approach” or flexibility with sanctions could signal the United Kingdom is corporate-friendly as the country prepares to leave the European Union voting bloc, the U.K. instead took a different stance, Baladi said.

“The ICO doesn't care about the political issues surrounding Brexit. What they are concerned about is that the GDPR and Data Protection Act are complied with by organizations operating in the U.K.,” he said. “I think it's brave.”