
British Airways and Marriott received the largest-ever fines under the EU's new General Data Protection Regulation this past week. The U.K. Information Commissioner's Office (ICO) fined British Airways a proposed $230 million for an incident that took place from June to September 2018 and compromised the data of 500,000 customers. The ICO gave Marriott a $123 million proposed penalty for the loss of 339 million guest records, reported in November 2018. Both companies have the opportunity to respond to the fine before the ICO issues a final decision, and both have already indicated they will appeal. But the GDPR fines were important for reasons well beyond the numbers. The GDPR is a very broad rule with little detail, and companies have had few insights into how regulators in the EU would interpret the law, particularly what they would consider "adequate" security measures. The maximum GDPR fine is 4% of a company's global turnover. The fines for BA and Marriott each represented 1.5% of the respective company's turnover, and the commission said both companies cooperated fully with their respective investigations.

This makes the stakes particularly high for tech companies like Google and Facebook, which are currently under investigation in the EU and for whom the legislation essentially was tailor-made. Google could face a fine of up to $5 billion, and Facebook up to $2.2 billion, based on both companies' annual revenue in 2018. Earlier this year, the ICO indicated it would investigate Google over the leaking of customer data from its advertising platform. Google has already faced scrutiny and fines under the GDPR from France's regulator, with a $57 million penalty levied in January for "lack of transparency" and valid consent controls for users, among other issues. Facebook has also received modest penalties for the Cambridge Analytica scandal, in which users weren't given proper notice that a survey was being used for political research and advertising. The company incurred a fine of $644,000 for that incident, but is currently under investigation for a breach of usernames and passwords on its Facebook and Instagram platforms that could be far more costly.

A more punitive approach

The decisions included punitive language that has been uncommon in the privacy enforcement arena, particularly in the U.S., where companies are traditionally treated as victims of cybercrime first, rather than as perpetrators of data loss. This standpoint was reflected in a statement filed with the Securities and Exchange Commission by Marriott CEO Arne Sorenson: "We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database." In fact, the European Data Protection Board questioned how well Marriott had vetted and protected data when it acquired Starwood in a $13.6 billion deal that closed in 2016.

"The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected," the board said. The commission said less about its fine of British Airways, but the relatively short-term breach and relatively small number of affected customers show the commission may build past data security issues into its equation as well. British Airways parent IAG said it was "surprised and disappointed" by the decision, and said it would "vigorously" defend its stance.

Putting everyone on notice