The Information Commissioner’s Office (ICO) has announced that the first fines under the General Data Protection Regulation (GDPR), as supplemented in the UK by the Data Protection Act 2018 (DPA 2018), are intended to be against British Airways for a record £183.39m, equivalent to 1.5% of BA’s worldwide turnover for the financial year 2017, and against Marriott International for £99.2m. The intended fines dwarf the previous highest fine of £500,000, the maximum possible under the previous Data Protection Act 1998. Both intended fines relate to data breach incidents notified to the ICO in late 2018. In September 2018 BA notified the ICO that traffic to its website had been diverted to a fraudulent site through which the attackers harvested the personal data of around 500,000 customers, including login, payment card, travel booking, name and address details entered on the site. In November 2018 Marriott International notified the ICO that the records of some 339 million guests worldwide, about 30 million of them relating to residents of the EU, had been exposed; the compromise is believed to date from 2014, when the systems of the Starwood hotels group (acquired by Marriott in 2016) were first accessed by the attackers, and it went undetected until 2018.
The ICO could have levied fines of up to 4% of annual global turnover under its GDPR enforcement powers, but both BA and Marriott cooperated with the ICO’s investigations. BA maintain that no evidence of fraudulent activity on affected customers’ accounts has been identified. The ICO has so far issued notices of intent only; both BA and Marriott intend to make representations against the level of the proposed fines within the 28 days the notices allow, and the ICO have confirmed that they will consider any representations carefully before issuing final penalty notices.
The ICO acted as lead supervisory authority under the GDPR’s one-stop-shop mechanism, as both breaches affected customers from across the EU. The ICO will have consulted the other EU data protection authorities concerned before issuing the notices of intent and will do so again when considering the companies’ representations.
Comment
Although the higher of the intended fines is some 366 times the previous highest fine, it is well within the maximum possible fine under the GDPR and the DPA 2018. It is likely that the fines previously imposed at the £500,000 ceiling would have been of a comparable order had they been levied under the new regime. Companies suffering data breaches involving hundreds of thousands of individuals can expect similarly significant fines. The intended fines, which could be reduced once representations have been considered, are a statement by the ICO that companies need to take their data protection obligations seriously.
The record regulatory fines are not the end of the potential liabilities. Neither BA nor Marriott has disclosed any individual or group civil claims for compensation from individuals affected by the data breaches, but BA have publicly stated that no one affected will be left out of pocket.