- The ICO has published a notice of its intent to fine British Airways £183.39 million for its 2018 data breach where the personal data of 500,000 customers was stolen by hackers;
- This is the first ‘mega fine’ issued by a European data regulator since the implementation of the GDPR;
- The ICO acted as lead supervisory authority and has confirmed that it has been liaising with other EU privacy regulators;
- No details have yet been published by the ICO regarding the specific GDPR infringements involved;
- British Airways now has the chance to respond to the notice of intent, after which a final decision will be made by the ICO.
Background
British Airways was the victim of a cyber incident in mid to late 2018 which directed users to a false website and resulted in the personal data of approximately 500,000 customers being stolen.
Following an “extensive” investigation by the ICO, the regulator has issued a notice of its intention to fine the company £183.39 million for infringements of the General Data Protection Regulation relating to the British Airways data breach, although details of the specific infringements have not yet been published.
The first GDPR ‘mega fine’
As noted in our round-up of the first year of the GDPR, 12 months on from GDPR implementation we had still not seen any form of ‘mega fine’ from the European regulators (previously the largest fine was issued by the CNIL in France for EUR 50 million).
However, the landscape has now changed with this proposed £183.39 million fine – which equates to approximately 1.5% of British Airways’ annual worldwide turnover. Many will note that the fine still does not approach the permitted ceiling for fines of 4% of global annual turnover (assuming that the identified infringements were ones for which the ceiling is 4% and not 2%) but it is nonetheless significantly higher than anything we have previously seen. In particular, it is interesting to compare this enforcement action to the recent approach taken by the ICO with respect to HMRC’s non-compliant collection of special category personal data, where no fine at all was levied.
What next?
The ICO has not yet published the full details of its enforcement. In particular, it hasn’t published details regarding the specific infringements in question or details of how it calculated the level of fine. The enforcement action itself has also not yet been finalised and British Airways will now have the opportunity to make representations to the ICO as to the proposed findings and sanction. The ICO will then consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision. This could mean that the final level of fine is different to today’s announcement, although it would be rather surprising if, having announced an intention to fine at such a high level, the ICO then ended up fining a much smaller number. We would expect the ICO to have done its homework when assessing the fine initially.
Even if the final fine does remain at its current intended level, it seems likely that British Airways would appeal, a process which would take some considerable time and potentially end up in the Court of Appeal.
In practice, in order to be able to justify (and defend) such a high level of fine, it will be essential for the ICO to be able to point to specific breaches of the GDPR (such as specific technical and organisational measures that were absent, or other specific failings in their cyber risk management or incident response) that are recognised by the cyber security industry as sufficiently egregious to warrant such a fine: in other words, it should be plain what BA did wrong. If not, it will raise challenging questions as to what “good” looks like when organisations are considering what technical and organisational measures are necessary to protect their data.
Whatever the outcome of the enforcement, it is clear that the British Airways data breach marks a turning point in GDPR enforcement – and will certainly serve to focus the minds of companies with respect to data security and GDPR compliance. It may also force some organisations to carefully reconsider their current approach to GDPR risk.
Andrew Moir
Partner, Intellectual Property and Global Head of Cyber & Data Security, London