The ICO's announcement today (8 July 2019) that it plans to fine British Airways £183.39m in relation to its high-profile data breach has sent a very clear message that the data enforcement landscape has well and truly changed. The fine relates to a cyber incident notified to the ICO by British Airways in September 2018, and would be by far the largest fine handed out by a European data protection authority.
The incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers. The ICO says that personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018.
The ICO has not yet provided any rationale for the proposed level of the fine. However, a data breach does not necessarily imply a breach of the GDPR, so the ICO has clearly decided that the breach was in part caused by perceived security failures on the part of British Airways.
British Airways still has an opportunity to make representations regarding both the ICO's findings and the amount of the fine. In addition, as the ICO has been investigating this case as lead supervisory authority in accordance with the GDPR's 'one stop shop' provisions, other EU data protection authorities whose residents have been affected will also have the chance to comment on the ICO's findings. Once that process is concluded, the ICO will issue its publicly available Monetary Penalty Notice, which will confirm the amount of the fine.
Osborne Clarke comment
It is interesting to note that British Airways owner IAG released an announcement to the market and the ICO has issued its press release despite the fact that the ICO's intention to fine is preliminary. Historically, fines were announced once the final decision regarding the amount of that fine had been reached. It may be that the size of the proposed fine and the listed status of British Airways were such that IAG had no choice but to publicly announce the size of the intended fine.
The proposed fine will also provide encouragement for a rapidly growing group of claimant personal injury lawyers looking to bring post-data breach claims for compensation. It is often difficult to attribute a data breach to a breach of the GDPR and even more difficult to prove that such a breach has led to damage and distress, so it will be interesting to see whether the ICO will make any comment about this.
Over the last year, speculation has been rife regarding the approach that the ICO will take to fines. It is now clear that the ICO will not be gradually scaling up from its previous £500,000 maximum: the proposed £183.39m penalty is equal to 1.5% of British Airways' worldwide turnover of £12,226m in 2017. This is substantially less than the possible maximum GDPR fine of 4% of worldwide annual turnover, but it is still startling and demonstrates more than ever that cybersecurity needs to stay on the board agenda.
Prior to this announcement, the total value of all fines issued under the GDPR across all EU member states had amounted to €56 million. This includes a €50 million fine by the French DPA (CNIL) against Google for what the CNIL considered to be a lack of transparency, inadequate information and lack of valid consent in relation to Google's use of personal data for the purposes of personalising advertisements, as discussed in our recent article.
When the decision is finally published, this case should provide some long-awaited clarity regarding the ICO's exercise of its enforcement powers and in particular what it considers to be "appropriate technical and organisational measures" to protect personal data, which is the key technical standard littered throughout the GDPR.