Any doubt that the world of data protection changed profoundly when the European Union’s General Data Protection Regulation (GDPR) came into effect on May 25, 2018, were solidly dispelled when the United Kingdom’s Information Commissioner’s Office (ICO) issued a notice of its intention to fine British Airways a record £183.39 million (C$300 million) for infringements of that law. While the GDPR allows penalties of up to 4.0 percent global annual turnover of an organization, the proposed British Airways fine is close to 1.5 percent of its 2017 global turnover.

The ICO’s investigation found that British Airways’ “poor security arrangements” was responsible for a cyber incident in June 2018, that allowed user traffic to the airline’s website to be diverted to a fraudulent site where the personal information of approximately 500,000 individuals was harvested by attackers.

The airline will have opportunity to make representations to the ICO as to the proposed findings and sanction; but this and other recent announcements by the UK regulator highlights the potentially large liability that may be imposed under GDPR⁠—not only for organizations that have an establishment in the European Union, but other organizations as well. Indeed, the GDPR has extraterritorial effect as it is intended to apply to any natural or legal person, public authority, agency or other body outside of the European Union who:

  1. targets individuals in the European Union by offering goods or services (regardless of whether a payment is required); or
  2. monitors the behavior of individuals in the European Union (where that behaviour takes place in the European Union).

Given the sweeping extraterritorial application of the GDPR, together with significant fines that may be issued thereunder, Canadian organizations are cautioned to be mindful of the potential application of the GDPR, and periodically evaluate whether this law may apply to their operations.