One data regulator who was engaged in the decision-making process argued that the initial penalty of 100,000 euros (U.S. $99,900) for cross-border data privacy violations against the French hotel group Accor was too low.
The business, which owns the hotel chains Novotel, Ibis, and Mercure, is now subject to a fine of €600,000 (U.S. $599,000), after the European Data Protection Board (EDPB), the European Union's chief enforcement body for violations of the General Data Protection Regulation (GDPR), was compelled to step in because France's CNIL and Poland's ODPA were unable to come to an agreement (DPA).
The decision, which was released on August 17, is the second instance in which the EDPB has significantly raised a fine in a cross-border matter. The regulator contributed to the Irish Data Protection Commission's decision to increase the estimated GDPR penalties against Twitter from between €135,000 and €275,000 to €450,000 (then-U.S. $547,000) in December 2020.
Regarding Accor's exploitation of consumer data for marketing purposes, the CNIL received complaints between December 2018 and September 2019. Another issue was the company's use of consumer bank information to book hotel rooms.
The CNIL agreed to conduct an investigation on behalf of the concerns brought forth by five more EU data regulators: Spain, Ireland, Poland, the German federal states of Saarland and Lower Saxony, and the CNIL agreed to act as Accor's primary data supervisor.
The CNIL discovered during its investigation that people making direct reservations with Accor or one of its group brands were automatically added through a pre-ticked consent box to a list of recipients for its promotional newsletter and loyalty program, but were unable to opt out due to a "malfunction" in the unsubscribe option. Customers also received promotional offers and advertisements from affiliated businesses without their permission.
After receiving indications from the corporation that it had already taken efforts to comply with the CNIL's recommendations, the CNIL delivered its draft decision to the EDPB and the five other DPAs in December 2019.
The other data regulators criticized the planned €100,000 fine as being too low and emphasized the volume of violations, complaints, scale of the business, and revenues.
In the EU alone, Accor has over 3,000 hotels, and in the first half of 2022, the company generated revenue of over €1.73 billion (U.S. $1.728 billion).
The Polish DPA continues to contend that the fine is excessive despite the EDPB's final, binding ruling. The disagreement is likely to increase worries about how inconsistently GDPR enforcement is being applied throughout the European Union and raise new issues about what the role of the EDPB should and may be in settling disagreements between DPAs and completing cross-border determinations.
In a statement sent through email, Accor expressed its "regret that the group has been sanctioned more severely than the CNIL intended due to the cooperation mechanism between data protection authorities in Europe." Accor emphasized that it assisted in the three-year probe by the CNIL.
The company went on to say that it will "examine the legal remedies at its disposal" and that the "objections raised by the Polish data protection authority do not seem justified or detailed."
By fLEXI tEAM