Locke Lord QuickStudy: The Sky’s the Limit - Record GDPR Fine Pending for British Airways’ Failure to Provide Appropriate Cybersecurity

Locke Lord LLP
July 8, 2019

Click Here for PDF

The media reported this morning that British Airways has been landed by a GDPR fine of £183 million, the biggest so far and dwarfing the €50 million fine handed to Google earlier in the year.

These press reports are not entirely accurate in that the fine has not yet actually been issued. What has happened is that, following extensive investigation, the UK ICO has issued a notice of intention to fine British Airways £183.39 million, over €200 million. BA still has an opportunity to make representations against the ICO’s findings.

The proposed fine relates to a cybersecurity incident that British Airways notified to the ICO last September. This involved traffic to British Airways’ website being diverted to a fraudulent site. Customer details were harvested by hackers through the false site and some 500,000 customers’ personal data was accessed over a period of several months.

The ICO’s investigation concluded that user information was compromised by poor security arrangements, resulting in the disclosure of log in, payment card, and travel booking details as well as name and address information. The head of the ICO, the Information Commissioner Elizabeth Denham said:

“When an organisation fails to protect [personal data] from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

At this stage there is little further official information or detail from the ICO. However, it seems clear that the proposed fine is based on a breach of Article 5(f) of GDPR, the fundamental principle that personal data must be processed in a manner that ensures appropriate security against unlawful or unauthorised processing. This is set out in more detail in Article 32. GDPR also contains obligations to notify breaches “without undue delay” within 72 hours where feasible to data protection authorities and in serious cases to the individuals. It remains to be seen whether British Airways met all of its obligations under these provisions, although it did ultimately notify the breach to the ICO.

The ICO investigated the case as the lead supervisory authority on behalf of other EU data protection authorities under the GDPR ‘one stop shop’ provisions. Those authorities will also have the chance to comment on the ICO’s findings.

If the fine is upheld after representations, it will represent around 1.5% of British Airways’ turnover. On the basis that the breach was of the principles described above, the maximum fine is 2% (not 4% as commonly reported which applies to other GDPR principles). This indicates the very serious nature of the breach, including the number of individuals affected and the type of data harvested.  

We can expect British Airways to fight a fine of this size vigorously, but it shows the teeth of GDPR and the determination of European authorities to enforce it. As we have previously noted, GDPR can apply to organisations in any country of the world where they have an EU establishment or market to or monitor individuals in the EU. Cybersecurity remains key to compliance.