It's been over a year and the proposed GDPR fines against Marriott and British Airways haven't been finalized yet. Lawyers argue the delay stems from the challenge of setting a precedent that puts a bite into regulators' actions but doesn't get dismantled in court for overreach. 

In early July 2019, the United Kingdom's Information Commissioner's Office (ICO) announced an intention to fine British Airways for $230 million, citing General Data Protection Regulation (GDPR) violations after the airline's site was compromised. The breach exposed the personal data of hundreds of thousands of customers.

A day later, the ICO also proposed a $124 million GDPR fine against Marriott for the exposure of 30 million European Economic Area residents' personal data due to system security shortfalls. 

The ICO was the lead supervisory authority for both matters under the GDPR's one-stop-shop provision. Under the U.K. Data Protection Act 2018, penalty notices can be extended if the regulator and party agree. In January 2020, the ICO agreed to extend the notice of intent period until March 31, 2020, for British Airways and Marriott, according to media reports. At the end of March, it was reported the ICO and Marriott agreed to another deadline, and that the hotelier expected a reduced fine.

Lawyers watching the process noted the first significant fines announced by the ICO would face industry and regulatory scrutiny to strike the right balance.

"These are two of the largest fines levied, it's understandable regulators are taking their time," noted Carlton Fields technology lawyer Steven Blickensderfer. "It's likely COVID had an impact but its not unexpected that the company would work with the regulators to determine the appropriate measures and work through the issues. It's a collaborative process to a degree."

"You want to get a fine that the company is willing to pay," he added. "If you start issuing 4% fines, you're potentially slowing down the process in the back end [with court appeals]. I think we are seeing deliberate thought from companies and regulators."

While neither of the proposed fines were at the level of either companies' 4% annual global turnover, Blickensderfer noted regulators are "making sure the fines they levy are effective, proportional and dissuasive under the circumstances."

Blickensderfer also argued the matters are being watched closely to gauge how the GDPR will be enforced against U.S. companies.

"Another factor is you have a U.S. company with establishments in the EU [Marriott is headquartered in Maryland] and when the GDPR first came out if you're a U.S. company with a smaller presence in the EU, [some questioned] 'Why does the GDPR matter to me?' This is probably another factor in the regulator's mind. This will also be important in showing the GDPR can be enforced for companies that are global and in the U.S."

Companies will use the eventual decisions as a barometer to measure their own cyber incidents, Blickensderfer added. "It will be something companies and industries will use to determine the cost of doing business. It's an important test case for GDPR enforcement going forward," he added.

Citing the recent invalidation of the United States' Privacy Shield program, Dyann Heward-Mills, founder of U.K.-based data protection consultancy HewardMills, argued the ICO's current lengthy period of finalizing its Marriott and British Airways' penalties is part of a push to set a continental standard for data protection.

"I think the advice to organizations is to look at the substance of what they're doing and being proactive in the protections they're applying to data from individuals."

Still, while the process for the ICO to finalize a penalty has been lengthy, regulatory scrutiny over data protection won't wane, Heward-Mills noted.

"Beyond the fines themselves, the financial implications of getting this wrong is far and far reaching, and not just with the ICO but other regulators—the French regulators, the CNIL recently fined Google, the DPC [Ireland's Data Protection Commission] has numerous cases in relation with tech companies not complying," she said.