ICO Marriott final fine

A short administrative note for the regulatory file. The Marriott final-fine determination is expected later this year, with the most recent ICO commentary indicating an October-November landing window. The BA case has been delayed by the appeal proceedings and is now expected in Q4, possibly slipping to early 2021. Both cases have been complicated by the COVID-affected economic environment: the affected companies' representations include impact-on-business and ability-to-pay considerations that the regulator is required to factor into the final determination.

The expected reductions on representation are visible in the public commentary. The original BA NoI was £183 million; the eventual fine is widely expected to land in the £20-50 million range. The original Marriott NoI was £99 million; the eventual fine is expected to be in the £15-30 million range. The reductions are substantial and reflect the regulator's accommodation of the affected companies' representations, the cooperation-level assessments, and the COVID economic context. Whether the reduced fines will produce the deterrent effect that the original NoI figures suggested is a question the broader UK GDPR-enforcement environment will answer over the coming years.

For the customer briefings, the planning basis remains the original NoI figures rather than the expected reduced final figures. The strategic conclusion that I have been pushing for over a year — that GDPR enforcement is a quantifiable risk justifying substantive programme investment — does not depend on the eventual reduction. The investment decision is justified by the upper-bound exposure rather than by the expected-value exposure, and the customer-organisation programme work continues on that basis.

The wider regulatory landscape continues to develop. The CCPA enforcement period began on the 1st of July (a six-month grace period from the January 1 effective date) and the early enforcement actions are starting to surface. The various other state-level privacy regulations in the US (Virginia, Colorado, others in legislative progress) are following the CCPA template. The Court of Justice's Schrems II judgment (Case C-311/18), handed down in mid-July, invalidated Privacy Shield as expected; the customer-organisation contingency planning on Standard Contractual Clauses is now in active deployment across the portfolio. The post-Brexit UK adequacy decision continues to be the principal known unknown for the customer-organisation transit-of-data work, with the transition period ending on the 31st of December.

I will write more when the Marriott final fine lands. The post will cover the regulator's reasoning in detail and the precedent value for the future enforcement environment.
