Good week for ICO. The British personal data protection regulator, equivalent to the CNIL in France, confirmed on Tuesday afternoon its intention to impose a fine of 111 million euros on the hotel group Marriott International. The cause was a serious computer hack revealed at the end of 2018 by the chain, which compromised the data of more than 500 million customers of one of its subsidiaries, Starwood Hotels. For more than 330 million victims, the stolen information was especially sensitive: names, first names, email addresses, phone numbers, postal addresses and even passport numbers.

In addition to the ICO, Marriott International is also the subject of five other investigations carried out by different American states. If the fine is confirmed, meaning that the hotel group does not convince the British authorities of its good faith, it will be the first official sanction against the group. It would also be one of the largest fines ever imposed by Britain's data protection regulator. “We are disappointed with this ICO notice of intent, which we will contest,” Marriott CEO Arne Sorenson said in a statement. The group has already promised to appeal this decision.

First post-GDPR sanctions

This announcement comes after another sanction adopted by the ICO. On Monday, the regulator announced its intention to impose a fine equivalent to 201.6 million euros on IAG, parent company of the airline British Airways. In October 2018, the latter revealed that almost half a million of its customers had been affected by a hack of their personal information. In some cases, bank card numbers were stolen, as well as their expiration date and confirmation number. The penalty represents approximately 1.5% of IAG's turnover in 2017.

These two fines are imposed by the ICO within the framework of the GDPR, the European data protection regulation. This legal framework, in force since May 2018, grants new responsibilities to companies in terms of protection and management of their users' information, as well as greater sanctioning power to the different supervisory authorities of European countries. Therefore, they can impose fines of up to 4% of the global turnover of a given company. Before the GDPR, this limit was, for the ICO, 500,000 pounds or 556,000 euros.

In France, Google was subject to the first post-GDPR sanction by the CNIL, in early 2019. The French data protection authority considered that the American search giant did not sufficiently inform Internet users about the processing of their data. , after the presentation of several complaints by privacy associations. Finally, he sanctioned the company with a fine of 50 million euros.