In a significant reduction, the UK Information Commissioner's Office (the "ICO") has announced that it has issued its penalty notice fining British Airways ("BA") £20 million. This is a different figure from the ICO's previous notice of intention from July 2019, under which BA faced a potential fine of £183.39 million.
The ICO previously ruled that BA had failed to process the personal data of its customers in a manner that ensured appropriate security, in breach of Article 5(1)(f) and Article 32 of the GDPR. This allowed customer payment card data as well as other personal information to be redirected away from BA’s website. BA was made aware of the problem by a third party and notified the ICO on 6 September 2018, but by then the data breach had affected more than 400,000 customers.
The reasoning behind the penalty reduction is set out in the Penalty Notice, which enumerates the details of the data breach and BA's specific failures. Despite the initial eye-watering figure in the notice of intention, the ICO took BA's representations into consideration during its decision-making process. The Penalty Notice states that, given the nature of the incident, a penalty of £30 million would have been appropriate in principle. However, multiple mitigating factors counted in BA's favour. These included BA receiving no financial benefit from the breach, notifying the ICO promptly, having no previous infringements relevant to the current breach, and having offered to compensate consumers for financial losses suffered as a direct result of the theft of card details. The ICO also stated that BA had cooperated fully with the investigation and noted the improvements made to BA's IT security since the breach.
These factors led to a 20% reduction of the fine to £24 million, and the ICO further stated that, "having regard to the impact of the COVID-19 pandemic (on BA and more generally) … a further reduction of £4m is appropriate and proportionate." This resulted in the final penalty figure of £20 million.
These representations from BA significantly lengthened the decision process, which had already seen the ICO issue its initial proposal of a £183 million fine following a nine-month investigation. The Penalty Notice, issued more than a year later, reduces that figure by almost 90%. Other businesses facing significant penalties under the GDPR may therefore seek to engage in substantial representations of their own in the hope of materially reducing any final penalty. However, it is worth highlighting that BA's mitigation related to its actions reducing the impact of the breach and was not taken into account in reducing the initial proposed fine.
This all leads to uncertainty as to the potential scale of any penalty that the ICO may issue for a data breach, and adds to the considerations companies need to weigh when reviewing their policies and contractual obligations in light of the 31 December 2020 deadline for the end of the Brexit transition period.
Please contact Jose Saras and Joanna Coombs-Huang if you have any questions relating to data protection policies and procedures.