When the ICO announced its intention to fine British Airways £183 million, it was seen as one of the landmark penalties in GDPR. It was a shot across the bow for any company handling personal data, signalling that the ICO intended to make full use of its powers under the new data protection act. Now though, the airline says it expects to pay only 10% of the total fine. So does this mean the regulator is taking a lighter touch?
What happened at British Airways?
In July, the ICO announced that it had fined British Airways £183 million after a computer hack which compromised the personal data of half a million people. At the time, the airline said it had been the victim of a ‘highly sophisticated attack’ which compromised the bank information of half a million people who had booked flights through its website.
However, the ICO took the view that information had been compromised by poor security arrangements and took action accordingly. The £183 million fine represents an enormous 1.5% of the firm’s annual turnover and is also the largest fine that the ICO has handed out. Furthermore, it was the first fine it made public since the new rules came into force. Under the rules of GDPR, the ICO could have decided to levy a higher fine, amounting to 4% of the annual turnover, had it deemed this necessary.
A reduced fine?
From that perspective, BA could have been said to have got off lightly. However, they immediately announced their intention to defend their position and make any necessary appeals.
“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”
- Willie Walsh, head of British Airways’ parent company (International Airlines Group) at the time
BA announced its intentions to make representations to the ICO and these appear to have had an effect. In its July 31st statement the company said it had put aside only £20 million to cover the fine. This, it said, represented their “best estimate of the amount of any penalty issued by the ICO”.
If they are correct, the final penalty would represent a 90% reduction and the news has concerned a number of privacy campaigners. Your Lawyers, a consumer action law firm that has been appointed in a Steering Committee position by the High Court of Justice against British Airways in the GDPR case, have condemned the move.
The firm’s director, Aman Johal, said that the indication of a vastly reduced fine “is an affront to data protection and the GDPR.”
He went on to say:
“The ICO’s decision last year to issue a record provisional intention to fine was a landmark decision that could set the standard for organisations and act as the candid warning that is so desperately needed in today’s age of continual breaches. Such a substantial reduction could seriously undermine the purpose of GDPR, which was to act as a credible deterrent for organisations to ensure that they protect the information they store and process.”
In a statement the ICO said, “The regulatory process is ongoing, and we will not be commenting until it has concluded.” However, it is unlikely that BA’s management will have plucked this figure from thin air. The chances are, it represents their best guess based on the ongoing negotiations between the airline and the regulator.
What does it mean?
The ICO is remaining tight-lipped about the proposed fine, which leaves us to speculate on its possible reasoning. It may be that BA has been highly convincing in its representations to the regulator. If the airline can show that there were mitigating circumstances or that it had taken measures to safeguard data, the regulator might have been persuaded to take a more lenient stance.
Equally, though, this reduced fine may also be down to the ongoing pandemic – the ICO has already announced that it would take a lighter touch on GDPR enforcement during the pandemic, and will take into account whether an organisation’s financial difficulties have stemmed from the pandemic.
BA, like other airlines, has suffered during lockdown. Passenger numbers fell by 98% in the second quarter of 2020 as lockdown devastated business in various sectors. IAG, the owner of BA, was forced to raise £2.49bn to strengthen its balance sheet after reporting record losses. Over 10,000 jobs have already been cut in an effort to lower costs.
The fine, then, comes at a time when BA’s ability to absorb such a fine would have been compromised. Time will tell on the reasoning. However, with the ICO thus far not having followed through on its intention to fine Marriott Hotels under GDPR, the episode will raise questions about what stance the regulator intends to take over GDPR, and how.