The ICO has issued a Penalty Notice fining British Airways £20m for infringements of the GDPR, a significant reduction of £163 million from the fine originally indicated by the ICO.
In a long-anticipated announcement, the Information Commissioner’s Office (ICO) has issued a Penalty Notice against British Airways Plc (BA) for infringements of the General Data Protection Regulation (GDPR). Although the ICO had indicated a year ago that it intended to fine BA over £183m, it has announced that the penalty will be only £20m, underscoring the critical role that representations can play in such cases.
The fine relates to a cyber incident, believed to have begun in June 2018, in which the personal data of approximately 500,000 BA customers was compromised.
The proposed £183m fine had equated to 1.5% of BA’s global turnover for 2017 (far under the GDPR maximum penalty of 4% of global turnover) – and while the £20m outcome is significantly less than that, it is still the largest penalty levied by the ICO to date.
Whilst the Penalty Notice refutes BA’s representations and criticisms of the fine, it does not identify which representations were accepted or the specific factors that resulted in the substantial reduction of the fine.
In addressing BA’s procedural criticisms, the ICO concluded, without providing specifics, that “through issuing the [Notice of Intent], BA was afforded the opportunity to use the consultation process to make meaningful representations which were capable of affecting the outcome of the investigation … The Commissioner rightly took all of the material submitted by BA into account, which necessarily resulted in further clarity being brought to the circumstances of the Attack and a more detailed decision being produced.”
As explained in detail below, after considering BA’s representations, the ICO concluded that a £30m fine was appropriate. This was, however, further reduced by £6m to account for various mitigating factors and by £4m to account for the impact that Covid-19 has had on BA’s financial position...
Kate Scott, Clifford Chance Partner, Financial Institutions Corporate Group et al.
Please note this blog post was written by a Clifford Chance LLP employee. Clifford Chance LLP is the parent company of Clifford Chance Applied Solutions (CCAS). The content within this post does not constitute legal advice.