Marriott International Facing Class Action In Addition to Potential GDPR Fine

By James Mullock

09-2020

What happened?

Marriott International announced a significant data breach two years ago, following which the UK's data protection regulator, the ICO, issued a statement in July 2019 citing an intention to fine Marriott £99.2 million for breaches of the General Data Protection Regulation (GDPR)[1]. Whatever comes of that intention, recent filings in the High Court in London reveal that Marriott now faces the additional threat of a customer class action which cites GDPR non-compliance in respect of the same security breach.

The lawsuit was launched by technology consultant Martin Bryant, represented by international law firm Hausfeld. It has been reported that Mr Bryant is seeking damages on behalf of affected data subjects because he wants to put data controllers on notice that they must treat the data they hold responsibly.

The ICO's July 2019 statement suggests that hackers had gained unauthorised access to around 30 million EU citizens' guest records within the Starwood guest reservation database, Starwood having been purchased by Marriott in 2016.

What is a class action?

Class actions are an increasing trend in Europe following the notification of data breaches to regulators and data subjects in line with the requirements of the GDPR. Such actions have been advertised or commenced in respect of companies ranging from British Airways to the UK supermarket Morrisons, the latter following the leaking by a rogue employee of staff records relating to approximately 100,000 individuals.

There are two class action types that can be initiated: a group litigation order (CPR 19.11) or a representative action (CPR 19.6). Marriott is facing a representative action, which allows numerous individuals to bring forward a joint claim if they have a common grievance and seek the same relief, on an opt-in basis.

Conclusions

If this class action succeeds, Marriott will face multiple payouts which, although individually they may be for small amounts, cumulatively could be substantial. It was the size of the maximum fine available to regulators under the GDPR that caught the eye in the run-up to its go-live date of 25 May 2018 (the greater of 4% of worldwide turnover or €20 million), but the threat of class actions looks to be an equal motivation when it comes to those in the hotel sector taking steps to ensure GDPR compliance.

[1] See https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/statement-intention-to-fine-marriott-international-inc-more-than-99-million-under-gdpr-for-data-breach/