In a remarkable decision, the UK ICO has issued British Airways ("BA") with a £20m fine, in connection with a data breach affecting more than 400,000 customers. This is a significant reduction from the £183m the ICO had previously proposed.
The UK Information Commissioner's Office (the "ICO") issued a statement in July 2019, announcing the fact that it had issued a notice of its intention to fine BA £183.39 million for alleged infringements of the General Data Protection Regulation ("GDPR") which BA had notified to the ICO in September 2018. It was the largest penalty ever announced for data protection violations in the EU. However, the ICO has today announced its decision to issue a penalty of £20 million–meaning BA will pay just eleven per cent. (11%) of the fine proposed in the ICO's original notice of intention.
The ICO's reasoning
The ICO issued a lengthy (114 page) Penalty Notice, in which it provided significant background on the data breach that affected BA's systems. In summary, the ICO found that between 22 June and 5 September 2018, a malicious attacker gained access to an internal BA application by using compromised credentials. According to the Penalty Notice, the attacker was then able to edit a file on BA's website resulting in BA customer payment card details being sent to an external third-party domain controlled by the attacker.
The ICO concluded BA had failed to process the personal data of its customers in a manner that ensured appropriate security of the data, including failure to protect the data against unauthorised or unlawful processing and against accidental loss, destruction or damage. The ICO also concluded BA had failed to implement appropriate technical and organisational security measures (as required by Articles 5(1)(f) and 32 of the GDPR).
The Penalty Notice explains that, taking into account the nature of this incident, in principle, a penalty of £30m would be appropriate. The ICO did not consider there were any aggravating factors that should increase the penalty. Instead, the ICO noted a number of mitigating factors and remedial measures, and arguments raised by BA, leading to a twenty per cent. (20%) reduction in the fine (i.e., to £24m). The ICO then stated that "having regard to the impact of the Covid-19 pandemic (on BA and more generally) … a further reduction of £4m is appropriate and proportionate." This resulted in the final penalty of £20m.
Impact on businesses
The course of events from the ICO's original notice of intention through to the final penalty set out in the Penalty Notice appears to indicate a business accused of a serious infringement of the GDPR may be able to strongly argue its case, in order to secure a significantly reduced fine. As the ICO stated in the Penalty Notice, "the proposed penalty is less than the initial proposed penalty as a result of BA's Representations". This is likely to encourage other businesses facing significant penalties under the GDPR to engage legal representation in the hope of materially reducing such penalties. The ICO's decision is also encouraging for businesses that may be struggling to achieve compliance in the current economic climate, and suggests the ICO will take account of such difficulties when reaching its decisions on enforcement action and issuing fines.
This case also illustrates the difficulty businesses face in accurately anticipating the financial penalties that may be issued for alleged infringements of the GDPR. The ICO's initial proposal of a £183m fine followed a nine-month investigation into the incident. But in the Penalty Notice, issued more than a year later, that figure was reduced by almost ninety per cent. (90%).
Curiously, the ICO stated that the £183m penalty it had originally proposed was "not treated as the starting point for [determining the £20m penalty that the ICO actually issued] or factored into it." This is likely to create confusion over the relationship between: (i) any proposed penalties set out in a notice of intention from the ICO; and (ii) the actual penalty a business might eventually receive. It remains to be seen whether the ICO will clarify this point going forward.
Bill Webb (White & Case, Trainee Solicitor, London) contributed to the development of this publication.