On 8 June 2019, the Information Commissioner’s Office (ICO) issued a statement of its intention to fine British Airways £183.39m following a major cyber incident affecting the airline’s website and mobile app between August and September 2018. If confirmed, the fine would be the biggest so far issued under the GDPR, dwarfing the €50m fine imposed by the French data protection authority, the CNIL, on Google in January 2019.
Although the ICO does not usually publicise notices of intent, its policy on Communicating Regulatory and Enforcement Activity states that it may do so for reasons including financial market reporting obligations and it being necessary for the purposes of international regulatory cooperation. The ICO statement came in response to the announcement made by British Airways parent, International Airlines Group (IAG), to the London Stock Exchange earlier in the day that it had been informed by the ICO of its intention to issue the penalty notice for £183.39m, which the company stated represents 1.5 per cent of British Airways’ worldwide turnover for the financial year ended 31 December 2017.
Statement of intent
The planned fine can be viewed as a signal of intent from the ICO to impose heavy penalties where it believes a personal data breach resulted from non compliant security measures. The ICO acknowledged that the airline had cooperated with the ICO’s investigation and had made improvements to its information security arrangements since the incident came to light, which may have reduced the size of the fine.
The investigation into the British Airways breach is the first landmark case utilising the one stop shop regulatory mechanism, where a lead supervisory authority directs and coordinates an investigation where multiple EU data protection supervisory authorities have an interest in the action. It appears that the one stop shop process remains ongoing, with the ICO stating that other supervisory authorities whose residents have been affected will have the chance to comment on the ICO’s findings.
British Airways has the opportunity to make representations to the ICO as to the proposed findings and sanction. IAG’s announcement confirms that it plans to do so, and that it will ‘take all steps to defend the airline’s position vigorously, including making all necessary appeals’. Other concerned data protection authorities also have the opportunity to provide input before the ICO makes its final decision. Aside from regulatory action, British Airways may face claims from affected individuals, to whom the GDPR gives rights to pursue judicial remedies. Such claims may take the form of a collective action, and may further increase the legal and regulatory costs of the incident.