
British Airways issued £20 million fine by ICO for data breach

October 20, 2020 | By Preiskel & Co

In a significant reduction, the UK Information Commissioner’s Office (the “ICO”) has announced that it has issued a notice of its penalty decision to fine British Airways (“BA”) £20 million. This is a different figure from the ICO’s previous notice of intention from July 2019, where BA faced a potential fine of £183.39 million.

The ICO previously ruled that BA had failed to process the personal data of its customers in a manner that ensured appropriate security, in breach of Article 5(1)(f) and Article 32 of the GDPR. This allowed customer payment card data as well as other personal information to be redirected away from BA’s website. BA was made aware of the problem by a third party and notified the ICO on 6 September 2018, but by then the data breach had affected more than 400,000 customers.

The reasoning behind the penalty reduction is set out in the Penalty Notice, where the details of the data breach and BA’s specific failures are enumerated. Despite the initial eye-watering figure in the notice of intention, the ICO took into consideration BA’s representations during its decision-making process. The Penalty Notice states that due to the nature of the incident, a penalty of £30 million would have been appropriate in principle. However, multiple mitigating factors were to BA’s benefit. These factors included BA receiving no financial benefit from the breach, notifying the ICO promptly, there being no previous infringements relevant to the current breach, and BA having offered to compensate consumers for financial losses suffered as a direct result of the theft of card details. The ICO also stated that BA had cooperated fully with the investigation and noted the improvements that had been made to BA’s IT security since the breach.

These factors led to a 20% reduction of the fine to £24 million, and the ICO stated that, “having regard to the impact of the COVID-19 pandemic (on BA and more generally) … a further reduction of £4m is appropriate and proportionate.” This resulted in the final penalty figure of £20 million.

These representations from BA significantly lengthened the decision process, even after the ICO’s initial proposal of a £183 million fine was issued following a nine-month investigation. The Penalty Notice, issued more than a year later, reduces that figure by almost 90%. Other businesses that are facing significant penalties under the GDPR may also seek to engage in significant representations in the hope of materially reducing any final penalty. However, it is worth highlighting that the mitigation from BA related to all of its actions reducing the impact of the breach and was not considered in reducing the initial proposed fine.

This all leads to uncertainty as to the potential scale of any penalty that the ICO may issue for a data breach, which companies need to take into consideration when reviewing their policies and contractual obligations in light of the 31 December 2020 deadline for the end of the Brexit transition period.

Please contact Jose Saras and Joanna Coombs-Huang if you have any questions relating to data protection policies and procedures.
