On 8 July 2019, the UK data protection authority (Information Commissioner’s Office; ICO) issued a notice of its intention to fine British Airways (BA) GBP 183.39 million (approx. USD 229.46 million) for infringements of the General Data Protection Regulation (GDPR).
The proposed fine relates to a data breach in which personal data of approximately 500,000 customers were compromised. The incident (reported to the ICO in September 2018) involved user traffic to the BA website being diverted to a fraudulent site where customer details were harvested by attackers. Following an “extensive investigation,” the ICO found that customer data was compromised by “poor security arrangements at the company.”
ICO Enforcement Implications
This marks the first fine issued by the ICO resulting from a data security breach under the GDPR and will be the largest fine ever issued by the ICO. By comparison, under the previous UK data protection regime, the highest fine imposed by the ICO in relation to security breaches was GBP 500,000 (the previous statutory maximum). The proposed fine against BA therefore marks unprecedented enforcement action by the ICO and paves the way for much higher penalties under the GDPR regime.
The proposed fine serves as a reminder of the level of fines that data security breaches can attract under the GDPR. When considering data security obligations, organisations must not only consider Articles 32 – 34 GDPR (breaches of which attract potential fines of up to 10,000,000 EUR or 2% of annual worldwide turnover) but also the essential security principle under Article 5 GDPR. Where a data security breach is regarded as a breach of the security principle of the GDPR (Article 5(1)(f) GDPR), which specifically refers to protection against unauthorised or unlawful processing of data, supervisory authorities may impose fines of up to EUR 20,000,000 or up to 4% of annual worldwide turnover (whichever is the higher).
Whilst it is not clear at this stage how the ICO calculated the proposed fine, it appears that it amounts to approximately 1.5% of BA’s worldwide turnover last year. The ICO’s Regulatory Action Policy states that the decision whether to impose a penalty, and the decision as to the amount of the penalty, will involve consideration of various factors including: (i) the nature, gravity and duration of the failure; (ii) the categories of personal data affected by the failure; and (iii) whether the penalty would be effective, proportionate and dissuasive. The ICO’s aim in applying penalty notices is to ensure compliance with legislation and information rights obligations and to act as an effective deterrent.
Through this enforcement action, the ICO appears to be trying to re-set the bar in terms of what is “appropriate” (and hence legally required) to meet the GDPR standards of data protection.
What happens next?
At this stage, the ICO has issued a notice of intent (NOI) to fine BA. A NOI sets out the circumstances of the breach, the findings of ICO’s investigation and the ICO’s proposed level of penalty along with a rationale for the penalty.
Following a NOI, an organisation subject to the NOI has 21 calendar days to make representations to the ICO about both the imposition and the level of the penalty.
Where appropriate, the ICO will also have regard to representations from other concerned supervisory authorities before the final penalty notice is issued. The ICO has confirmed that it will consider representations made by other “concerned data protection authorities” before it takes its final decision with respect to the BA penalty.
For penalties over the threshold of GBP 1 million, the Commissioner may also convene a panel comprising non-executive advisors to the Commissioner’s office to consider the investigation findings and any representations before making recommendations to the Commissioner in relation to the level of penalty applied.
The Commissioner makes the final decision on the level of penalty to be issued and will confirm any penalty notice in writing through a monetary penalty notice (MPN). The MPN must include the reasons for the amount of the penalty, including aggravating and mitigating factors that the ICO has taken into account. Once the MPN has been issued by the ICO, it will be clearer how the ICO arrived at its monetary penalty.
Right to Appeal
Once the ICO issues its MPN, the organisation subject to the MPN must pay the amount within the period specified in the MPN (maximum of 28 days). An organisation subject to an MPN also has the right to appeal the penalty notice to the First Tier Tribunal within 28 days of receiving the MPN. This enforcement action against BA will likely serve as a test case as to the approach taken by the ICO to enforcement action under the new GDPR regime. If appealed, the grounds for the MPN as well as the amount of the fine are likely to be thoroughly scrutinised and the outcome of any such appeal will serve as a valuable point of reference for managing data security risks going forward.