On 16th October 2020 the UK Information Commissioner’s Office announced that British Airways was to pay £20,000,000 for GDPR violations. This was a significant decrease (90%) of the originally proposed fine of £183,390,000 announced in July 2019. It is still, however, the largest fine imposed by the ICO to date.
In June 2018 British Airways suffered a “sophisticated, malicious criminal attack” on its website, affecting approximately 500,000 customers. It became public knowledge in September of last year. The ICO’s investigation found that a variety of information was compromised by poor security arrangements at the company, including login, payment card and travel booking details, as well as name and address information.
The ICO commented at the time that BA had been negligent in not anticipating that a company of its size was likely to be targeted by attackers. The ICO, furthermore, set out various measures that it felt BA could have taken to prevent the breach occurring, but that were not implemented. The ICO was strong in its comment that the breach of personal data “could have been prevented, or its impact mitigated, by BA implementing one or more of a range of appropriate measures that were open to it.” The ICO also commented: “The failures are especially serious in circumstances where it is unclear whether or when BA itself would ever have detected the breach.”
In calculating the fine the ICO took into account the “anxiety and distress” that individuals suffered as a result of the disclosure of their personal information, and disagreed with BA’s contention that payment card breaches are an “unavoidable fact of life,” commenting: “These statements trivialize what was a serious failure on BA’s part.” It also took into account BA’s representations in response to the original Notice of Intention to fine and additional technical information that BA submitted, together with the factors listed in Article 83(2) of the GDPR, which include the nature, gravity and duration of the infringement, the number of data subjects affected and the damage to them, and steps taken to mitigate the impact of the incident. Mitigating factors, however, contributing to this reduced fine, included the fact that BA did not gain any financial benefit from the breach, notified the ICO promptly on becoming aware of it, had no relevant previous infringements and offered to compensate individuals for financial loss suffered as a direct result of the theft of their card details. The ICO stated that BA had cooperated fully with the investigation, and noted the improvements that have been made to BA’s IT security since the breach.
BA challenged the ICO’s calculation of the fine with wide-ranging administrative law arguments and criticism of the ICO’s apparent reliance on a Draft Internal Procedure (which the ICO stated it had not relied on in calculating the final penalty). The ICO further reduced BA’s fine to reflect mitigating actions taken by BA as well as the economic consequences of the COVID-19 pandemic.
Away from the headline-grabbing record fine amount, it is worth noting a couple of other points:
- Not all security breaches are automatically going to amount to breaches of GDPR. Where you have used state-of-the-art security measures but are still subject to a successful malicious attack, you will be much less likely to have failed to comply with GDPR.
- Aside from the ICO fine, and despite BA offering compensation, it is still facing (at the last count) 7 different group class actions from data subjects, so BA’s pain will continue for a little while yet.
For advice on your obligations under GDPR please contact one of our specialists. You can read more articles on GDPR on this dedicated section of our blog.