October 19, 2020

British Airways ultimately fined £20m for personal data breach by the UK ICO under the GDPR (reduced from £183.39m)


Related People:    Alistair Ho

The UK Information Commissioner's Office ("ICO") announced on 16 October 2020 that it has ultimately decided to fine British Airways ("BA") £20 million for BA's contraventions of the General Data Protection Regulation ("GDPR") associated with the personal data breach BA first disclosed on 6 September 2018, which affected the personal data of over 400,000 customers and staff. This final amount is a substantial reduction from the £183.39 million fine the ICO first announced it intended to issue in its notice of intent in July 2019 (the "Initial Notice"), although the fine still remains a significant sum and the largest issued by the ICO to date under the GDPR.

The £20 million fine is approximately 0.16% BA’s worldwide annual turnover for the year ending on 31 December 2017 (approximately £12.23 billion), coming well under the maximum 4% fine that could have been issued by the ICO using its powers under the GDPR (a £183.39m fine would have been just under 1.5% of BA's worldwide annual turnover in that year).  Before reducing the fine, as part of the lengthy process undertaken by the ICO, the ICO explained that it considered both representations from BA and the economic impact of COVID-19 on BA's business before setting the final penalty.

Notwithstanding the significance of the fine ultimately issued against BA, the scale of the reduction of the fine and the length of time the ICO took deliberate over it suggests that challenges made to delay and reduce the imposition of large GDPR fines stand a reasonable likelihood of success and are more likely to occur in the future.

Interestingly, the fine has been recalculated without reference to the Initial Notice following representations from BA.  In its response to the Initial Notice proposing the £183.39m fine, BA had alleged that the ICO had misapplied its powers under the GDPR and had unlawfully applied its regulatory action policy (including by reference to an unpublished draft internal procedure) when calculating and imposing the initial fine.  In its ultimate decision, while rejecting BA's arguments, the ICO explained that it had dispensed with considering the unpublished draft internal procedure when recalculating the fine and emphasised that there is no obligation on the ICO to issue a penalty notice in precisely the same terms as the Notice of Intent. It notes the purpose of requiring the Commission to issue the Notice of Intent is to permit consultation. Intriguingly, BA was afforded the opportunity to make meaningful representations at the Notice of Intent stage and it was also afforded additional opportunities to do so, for example when the ICO agreed to consult BA again on its draft decision. 

The final penalty notice details the ICO's reasoning, including the 5 step process adopted by the ICO in ultimately deciding the appropriate penalty:

Step 1 - “Initial Element” removing any financial gain from the breach
The ICO determined that BA had not obtained any financial benefit from its conduct associated with the personal data breach.

Step 2 - Adding in an element to censure BA for the breach based on scale and severity
The ICO started its calculation of the fine at £30 million.

The failures, for which BA were considered wholly responsible, were found by the ICO to be significant and of serious concern. They affected a substantial number of data subjects over a significant period of time (103 days) and resulted in the access of a high volume of sensitive financial data including “full financial data”, such as combined card and CVV numbers, of about 77,000 customers.

Though the breaches were not found to be intentional, BA was considered by the ICO to have been negligent in maintaining operating systems, which suffered from significant vulnerabilities and shortcomings. 

The ICO found that there were numerous measures BA could have used to mitigate or prevent the risk of the personal data breach occurring and that none of these measures would have entailed excessive cost or technical barriers to adopt (some of these measures were available to BA at the time through the operating system BA was using but not adopted).  In addition, the ICO found that BA did not detect the attack themselves but were alerted by a third party more than two months later. It was not clear to the ICO whether BA would have identified the attack themselves and this was considered to be a severe failing because of the number of people affected and because any potential financial harm could have been more significant if the breach had gone undetected.

Nonetheless BA’s prompt notification of the cyber-attack once it became aware and its full cooperation were taken into account at this stage.

Step 3 - Adding in an element to reflect any aggravating factors
Indicative list provided at page 11 of the ICO's Regulatory Action Policy.

No aggravating factors found to apply by the ICO.

Step 4 - Adding in an amount for deterrent effect to others
The ICO did not consider it necessary to increase the penalty further to dissuade others.

Step  5 - Reducing the amount (save that in the initial element to reflect mitigating factors, e.g. financial hardship)
Indicative list provided at pages 11-12 of the ICO's Regulatory Action Policy.

The ICO took the decision to reduce the fine by £6 million (i.e. to £24 million).

In reducing the fine by this amount, the ICO took into account the following factors:

  1. BA promptly informing affected data subjects and law enforcement / regulatory agencies and its full cooperation with the ICO's enquiries;
  2. The immediate measures undertaken by BA to mitigate and minimise damage suffered by data subjects (such as the offer to reimburse any financial losses from the theft of card details and the provision of free credit monitoring);
  3. Widespread briefing to journalists and reporting likely to have increased the awareness of other controllers of the risks posed by cyber-attacks and the need to take all appropriate measures to secure personal data; and
  4. The adverse effect to BA’s brand and reputation, which will have had some dissuasive effect on BA and other controllers.

Following the Commissions own published guidance on its Covid-19 approach (an updated version of which has since been published.) and the impact of the pandemic, both on BA and more generally, the fine was reduced by a further £4 million to a final sum of £20 million.

Related Services & Industries

Stay Up To Date With Our Insights

See how we use a multidisciplinary, integrated approach to meet our clients' needs.