The fines were handed to both companies following damaging and widely publicised digital break-ins affecting millions of people around the world.
According to EU news website Politico, the fines have been delayed for Marriott until 1 June this year, with UK law firm Mishcon de Reya's data protection man Jon Baines blogging, with reference to the same source, that BA owner IAG's annual report revealed that its own fine had been postponed until 18 May.
That statement [212-page PDF, statement on page 184] said in part: "The ICO initially had six months from issuing the Notice of Intent to British Airways within which it could issue a penalty notice, which has been extended through to May 18, 2020, to allow the ICO to fully consider the representations and information provided by British Airways."
It added that BA would "vigorously defend" itself all the way to the Court of Appeal if needed, suggesting the airline isn't going to let the ICO collect a cheque without a fight.
The ICO would not comment other than to say the process was "ongoing".
Marriott copped its £99m fine after letting 383 million people's data go AWOL thanks to Chinese hackers. BA was stung for £183m after losing control of 380,000 people's payment card details in 2018.
British (and thus EU) data protection law is convoluted when it comes to fines: the ICO announces its intention to impose a big monetary penalty and then the naughty companies have a chance to argue about it behind closed doors, a bit like an appeal.
So it was that BA and Marriott managed to have their fines postponed in January for three months while lawyers argued about it.
It is easy to see why BA scored an extension, what with the existential threat posed to it by the global economic coronavirus shutdown. Marriott, meanwhile, has a whole new hack of 5.2 million customers' records on its hands to deal with.
El Reg will keep an eye on the situation. The ICO's legal budget for all of its functions, as well as taking on two multinationals in one go, is a relatively paltry £2m. ®