On July 8, 2019, the UK Information Commissioner’s Office (“ICO”) announced that it intends to fine British Airways (“BA”), which is owned by International Consolidated Airlines Group, S.A., £183,390,000 (approximately $230,000,000) for violating the EU General Data Protection Regulation (“GDPR”). This is the first fine to be announced publicly by the ICO under the GDPR and hints at the tough stance it is likely to take with regard to future breaches.
The data breach, which is believed to have commenced in June 2018, occurred when traffic to BA’s website was diverted to a fraudulent site. As a result, personal data such as payment card details, travel booking information, names, addresses and log-in details was harvested. BA notified the ICO of the breach on September 6, 2018, but the full extent of the incident was not understood at that time. It later became clear that approximately 500,000 customers were affected.
In its statement today, the ICO blamed the incident on poor security measures taken to protect customers’ data. The proposed fine represents 1.5% of BA’s 2017 worldwide revenue, but could have been higher as the ICO has the power under the GDPR to levy a fine of up to 4% of worldwide revenue.
In imposing a fine, the ICO takes into account the steps a company has taken to mitigate the impact of a breach and to address any underlying issues. In this instance, the proposed fine is significant despite the ICO’s acknowledgement that BA had made improvements to its security arrangements and had cooperated with the ICO’s investigation into the incident.
The ICO has investigated the incident as BA’s lead supervisory authority under the GDPR’s “one stop shop” system. Data protection authorities in other EU Member States whose residents have been affected by the incident will have an opportunity to comment on the ICO’s findings before a final decision is made.
Information Commissioner Elizabeth Denham commented: “[W]hen you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
BA apologized to its customers but added that it was “surprised and disappointed” at the finding. BA is expected to appeal the fine, but has already suffered a drop in its share price as a result of the ICO’s announcement.
Update: The ICO issued a reduced fine of £20,000,000 on October 16, 2020, following representations from BA.