ICO intention to fine British Airways £183 million under the GDPR

09 Jul 2019

Commercial and Regulatory, Information Law

By Damien Welfare

The announcement that the Information Commissioner’s Office (‘ICO’) intends to fine British Airways £183.39 million for breaches of data protection law is a ‘wake-up call’ to all controllers of personal data.

The level of the fine, imposed under the ICO’s new powers in the GDPR, far exceeds any the Commissioner has imposed previously. According to the BBC, it represents 1.5% of BA’s worldwide turnover in 2017 (against a limit of 4% of turnover for breaches of that kind).

The news came on 8 July 2019, following an announcement to the London Stock Exchange, to which the ICO responded on the same day. The ICO has issued a notice of its intention to fine BA, following a cyber incident notified to the regulator by the airline in September 2018. The Commissioner found, after an ‘extensive investigation’, that the incident partly involved the diversion of user traffic from the BA website to a fraudulent site, where customer details were ‘harvested’ by the attackers.

The ICO has said that the personal data of approximately half a million BA customers were compromised, in an incident believed by the Commissioner to have commenced in June 2018. The ICO stated that a range of information was compromised by poor security arrangements, including login, payment card, and travel booking details, as well as information on names and addresses.

The ICO said in its statement that BA has co-operated with the investigation, and that it has improved its security since these events came to light. BA now has an opportunity to make representations to the ICO as to the proposed findings and the sanction. The Chief Executive of the company which owns the airline is also reported to have said that it would make ‘any necessary appeals’.

The UK’s Commissioner has been investigating the matter as ‘lead supervisory authority’ on behalf of data protection regulators in other member states. Under the GDPR’s ‘one stop shop’, those data protection regulators will also have the opportunity to comment.

A final decision by the ICO will then follow BA’s representations and the other regulators’ comments.

The proposed fine, if confirmed, would be the largest to be imposed by the ICO, and is the first to be publicised in the UK under the GDPR. In January 2019, CNIL, the French regulator, imposed a fine of 50 million Euros on Google under the GDPR (over which Google announced an appeal).

Damien Welfare specialises in information law, and is the author of Cornerstone on Information Law, a one-volume guide for practitioners to Data Protection, Freedom of Information, and the Environmental Information Regulations.