On 16 October 2020 the ICO announced that it had fined British Airways £20 million for a GDPR data breach – the biggest-ever fine imposed by the ICO to date and one of the highest given out under the GDPR anywhere in Europe.
Cliff Richard might say that ‘congratulations and celebrations’ are in order (if you’re not BA that is), but hang on a min, the ICO originally proposed a fine of £183,390,000. That means BA ‘saved’ £163,390,000 – so maybe Cliff should be saying ‘congratulations and celebrations’ to them? What’s going on? Let’s start at the beginning (always a great place to start from).
One day in 2018 someone hacked into BA’s computer systems and accessed the personal data of more than 400,000 customers, including names, addresses, card number and CVV numbers, as well as the usernames and passwords of some BA employees and admin accounts.
Pretty bad, huh? Yep, but it gets worse – this went on for over two months before BA found out – by being told about what was happening by someone else…
On investigation, the ICO concluded that BA had breached its data security obligations under the GDPR and issued a ‘notice of intent’ to BA confirming its intention to impose a penalty of £183.39m. But BA didn’t just roll-over and pay up. Oh no – they got themselves some ‘legal eagles’ who filed lots of submissions (i.e. criticisms) that basically, claimed the fine was way, way too high.
And, as if by magic, the fine was reduced by nearly 90%! Amazing!
Now, going through the details for this dramatic fine reduction would be mind-numbingly tedious to anyone who isn’t a data protection lawyer, but the (very important) point is that the ICO got itself in a right sticky mess about how it went about calculating the original proposed fine.
Basically, the ICO relied on its (unpublished) ‘Draft Internal Procedure’ to calculate the proposed fine - which provided that the starting point for all fines should be turnover-based. This approach was strongly challenged by the lawyers acting for BA, which seems to have caused the ICO to adopt a different approach to calculating the amount of the fine - hence the very significant reduction.
So, what lessons can be extracted from this sorry tale (apart from ‘don’t get hacked’ and if you do, have things in place so that you know about it)? Well, probably the most obvious is a business accused of breaching the GDPR may be able to significantly reduce a fine by presenting strong mitigating arguments. As the ICO stated in the Penalty Notice, "the proposed penalty is less than the initial proposed penalty as a result of BA's Representations". This seems like code for ‘damn, those lawyers are hot stuff’ (errr, in the clever sense of the word).
Of course, there’s no getting away from the fact that this fine is still of a very significant amount and arguably represents a serious statement of intent from the ICO for its enforcement position going forward.
Still, you can’t but help think that the original proposed fine was just what the world was waiting for (looking forward to?) and that the huge reduction makes it seem (perhaps unfairly) that the ICO got its butt whipped.
Let’s see what happens to the ICO’s proposed £99 million fine on Marriott…