09 Jul 2019

The ICO has issued notice that it proposes to fine British Airways (BA) 1.5% of its worldwide turnover, £183.39m, for infringements of the General Data Protection Regulation (GDPR).

Background

On 6 September 2018, BA disclosed to the ICO an incident that affected around 250,000 of its customers. The "sophisticated, malicious criminal attack" allowed hackers to breach the BA website and app and harvest personal and financial details such as names, billing addresses and bank card details, although this did not include passport information. The hack appeared to have taken place from 21 August to 5 September 2018. However it was later discovered that the hack had possibly begun in June 2018, affecting a further 185,000 customers.

Customers of the airline were notified of the incident and asked to contact their bank or credit card provider for advice. BA apologised and offered to compensate customers left out of pocket, many of whom cancelled their credit cards due to the incident. The company has since stated that it responded quickly, that there has been no evidence that the data was used for any fraudulent activity and that it had co-operated with the ICO. The ICO's notice of intent criticises BA's data security but the airline has said it will take all appropriate steps to defend its position vigorously, including making any necessary appeals.

ICO powers

The GDPR overhauled how businesses handle and process personal data. It became a mandatory requirement for all data controllers in the UK to report any data breaches to the ICO within 72 hours of the breach being discovered. If the ICO discover that there has been a failure to comply with data processing and security obligations under the GDPR this can result in a fine being issued of up to 2% or 4% of worldwide turnover or €10m or €20m, whichever is greater, depending on the GDPR provision which has been contravened. It is not clear which tier of penalties the ICO is applying in BA's case.

The proposed fine of £183.39m is the biggest penalty the ICO has proposed handing out, equating to 1.5% of BA's worldwide turnover in 2017. The previous largest penalty of £500,000, the maximum allowed under the old regime, was issued to Facebook over the Cambridge Analytica data scandal.

However, not all infringements may lead to a fine. The ICO has a range of corrective powers, including: issuing warnings and reprimands, imposing restrictions or bans on data processing, ordering the rectification or erasure of data; and suspending data transfers to third countries.

Between 25 May 2018 and 31 March 2019, the ICO investigated 11,468 cases but only 29 monetary penalties were issued in this period, the majority of which were issued for unsolicited marketing - therefore indicating that less than 1% of investigations actually lead to a monetary fine.

Conclusion

While the penalty may appear large, the ICO has power to levy up to a maximum of £500m based on BA's turnover. The BA data breach is not of itself unique and has factors which occur in many data breaches. It will be useful for data professionals to see how these factors play out in the ICO's final decision.

If the penalty is maintained, one can expect that BA may appeal to the Information Tribunal and potentially the Courts. With £183m at stake, there is a substantial incentive for BA to fight this all the way through the Courts and so this may become the seminal test case on GDPR penalties in the UK.

This incident serves as a reminder to companies that they should be very mindful of the nature of the data that they control and ensure that GDPR compliance and suitable security are a priority.