On 8 July 2019, the U.K. Information Commissioner’s Office (ICO) issued a Notice of Intent to fine British Airways (BA) £183.39 million (approximately $232 million). While the Notice of Intent, as the name suggests, is not a final decision by the ICO, it is the first step towards the ICO imposing a civil monetary penalty. If confirmed, the proposed fine (equating to 1.5% of BA’s worldwide turnover in 2017) shows that the threat of huge GDPR fines is real in appropriate circumstances.
The proposed fine relates to a 2018 cyber incident. As a result of the incident, personal data, including login details, credit card information (including card numbers, expiry dates and CVV codes), and travel booking details of approximately 500,000 BA customers was compromised. BA now has 28 days to make representations to the ICO on the findings and proposed sanction. The ICO’s final decision would be open to appeal to the First Tier Tribunal (Information Rights).
The GDPR and Fining Powers
One of the most notable changes introduced by the GDPR was the increased fining powers granted to regulators. Failures to maintain “appropriate technical and organisational measures” under the GDPR are punishable with fines up to €10m (approximately $12,445 million) or 2% of worldwide revenue, whichever is higher. For more fundamental breaches of the GDPR, including a failure to process personal data in accordance with the GDPR’s basic processing principles or failing to appropriately respond to data subjects’ rights requests, the levels of potential fines double to 4%. This contrasts markedly with the highest data protection fine imposed by the ICO to date: a fine of £500,000 (approximately $622,200) – the maximum under previous legislation – against Facebook in respect of its data processing activities connected with Cambridge Analytica.
If the ICO proceeds to fine BA, it is likely to top the current record fine under the GDPR, which stands at €50 million (approximately $57 million). That fine was imposed by the French regulator, CNIL, against Google in January 2019 for failure to meet the GDPR’s transparency requirements in respect of personalized advertisements.
Warnings of fines in the hundreds of millions or billions were often dismissed as scaremongering. Shortly before the GDPR came into effect, the U.K. Information Commissioner herself stated that fines would be a last resort and that the maximum fines would not become the norm. However, the Notice of Intent shows that, in appropriate circumstances, fines at the higher levels will be pursued. The ICO seems to have concluded that the data breach was caused by BA’s failure to fully comply with the GDPR’s data security principle, pointing to its finding of “poor security arrangements”. While it is, by any measure, a vast financial penalty, there is still significant headroom to the maximum of 4% of global revenue.
The Broader Context
While the Notice of Intent is a hugely significant indicator of the potential consequences of a failure to prevent a data breach, it needs to be viewed in its broader context. According to statistics compiled by the European Data Protection Board, in the first year since the GDPR entered into force, just under 90,000 data breach notifications were filed with national data protection authorities (roughly 250 per day across all regulators). Many regulators and commentators have noted that there has been an element of over-reporting, driven by the broad scope of a reportable data breach, the tight 72-hour timeframe for notification, and the potential penalties for failure to comply.
Although not yet final, the level of fine published in the Notice of Intent is an unambiguous message from the ICO that serious data security breaches will lead to significant fines. Each incident will obviously turn on its facts, particularly the nature of the personal data, measures taken to protect that personal data and mitigate the effects of a breach, and the impact on individuals. However, practically every organisation needs to look at the fundamentals of its data handling and security arrangements. GDPR compliance goes beyond superficial policy statements and requires a thorough business understanding and awareness of the nature of the personal data that is being processed and the measures taken to protect such personal data.