Clifford Chance

The ICO has issued a Penalty Notice fining British Airways £20m for infringements of the GDPR, a reduction of £163 million from its original intended fine.

In a long anticipated announcement, the Information Commissioner's Office (ICO) has issued a Penalty Notice against British Airways plc (BA) for infringements of the GDPR. Although the ICO had originally indicated a year ago that it intended to fine BA over £183m, they have imposed a significantly reduced penalty of only £20m.

The fine relates to a cyber incident, believed to have begun in June 2018, in which the personal data of approximately 500,000 BA customers was compromised. The proposed GBP 183.4 million fine had equated to 1.5% of BA's global turnover for 2017 (far under the GDPR maximum penalty of 4% of global turnover) – and while the £20m outcome is significantly less than that, it is still the largest penalty levied by the ICO to date.

The Penalty Notice reveals that, after receiving the ICO's Notice of Intent in July 2019, BA provided two rounds of written representations to the ICO and made oral representations in July 2020. After considering BA's representations, the ICO concluded that a £30m fine would be appropriate to address the seriousness of the breach, which was reduced by £6m to account for various mitigating factors and by a further £4m to account for the impact coronavirus has had on BA's financial position.

Whilst the Penalty Notice refutes BA's representations and criticisms of the imposition of the fine, it does not identify which representations were accepted or the specific factors that resulted in the substantial reduction of the proposed fine from £183m to the new starting figure of £30m.

In addressing BA's procedural criticisms, the ICO noted that "through issuing the [Notice of Intent], BA was afforded the opportunity to use the consultation process to make meaningful representations which were capable of affecting the outcome of the investigation … The Commissioner rightly took all of the material submitted by BA into account, which necessarily resulted in further clarity being brought to the circumstances of the Attack and a more detailed decision being produced."

The ICO concluded in the Penalty Notice that BA had been negligent in processing a significant amount of personal data in an insecure manner. However, it considered the following mitigating factors as grounds for reducing the penalty to £20m:

• BA took immediate measures to mitigate and minimise any damage suffered by the data subjects by implementing remedial measures;
• BA promptly informed the affected data subjects, other law enforcement and regulatory agencies, and the Information Commissioner, and fully cooperated with the ICO;
• Widespread reporting of the cyber-attack in the media is likely to have increased the awareness of the risks posed by cyber-attacks and the need to ensure that other data controllers take all appropriate measures to secure personal data; and
• The attack and subsequent regulatory action has adversely affected BA's reputation, which will have reinforced the importance of ensuring that personal data is adequately protected.

While the Penalty Notice is, perhaps, to be read in the context of the current economic climate, it is notable that the ICO's penalty process mirrors the level of transparency of other regulators (notably, the FCA). Although the section of the notice dealing with calculation of the fine runs to fifty pages, there is little to no real explanation of the reasoning which lead to the £30m starting figure.

The Penalty Notice highlights the significant impact representations can have on the final quantum of a proposed penalty. However, how the ICO will impose penalties in the future in light of this development, remains to be seen.