This article first appeared in the November 2020 issue of PLC Magazine.

The Information Commissioner’s Office (ICO) has issued British Airways (BA) with the UK's largest fine to date under the General Data Protection Regulation ((EU) 2016/679) (GDPR). This is the decision that everyone has been waiting for since news of the proposed fine for BA stole the headlines in July 2019.

However, questions abound as to why the fine has dropped by nearly 90%, from the eye-watering proposed amount of £183.39 million to the final figure of £20 million. Looking at the ICO's rationale in this case reveals valuable information for businesses on how the ICO's approach to enforcement has changed since the initial announcement, and how it may develop in future.

The 2018 breach

In July 2019, the ICO issued its notice of intent (the notice) to fine BA £183.39 million in relation to a cyber attack that took place between May and November 2018 (see News brief "Data breach: British Airways faces sky-high fine", www.practicallaw.com/w-021-3571). The attack involved user traffic being diverted from the official BA website to a fraudulent website where nearly 500,000 customers’ personal data, including payment card data, were compromised.

Ultimately, the ICO concluded that weaknesses in BA’s security were what allowed the cyber attack to succeed. Those weaknesses put BA in breach of its data security obligations under the GDPR (Articles 5(1)(f) and 32), which the ICO determined was serious enough to warrant a fine.

Developments since the proposed fine was announced 

Importantly, the notice set out the ICO’s proposal rather than a conclusive determination. The ICO had a statutory deadline of six months in which to issue its final penalty, but this was extended on a number of occasions by agreement between the parties. BA used this time to negotiate with the ICO and to lodge three rounds of written submissions, which played a part in reducing the level of the final penalty issued nearly 15 months later.

The ICO's approach to the fine 

The initial proposed fine of £183.39 million would have dwarfed the then-largest fine of €50 million imposed under the GDPR against Google by the Commission nationale de l’informatique et des libertés (CNIL), the French data protection authority, in January 2019. In October 2020, the Hamburg data protection authority issued a €35 million fine against retailer H&M. It is clear that other EU data protection authorities have taken a tough stance when issuing fines in order to ensure that fines are an effective deterrent.

The £20 million fine against BA is the fourth largest fine under the GDPR to date, ignoring any proposed fines which have not been converted into a final penalty, and amounts to just 0.16% of BA’s annual turnover for the relevant year. This is considerably less than the maximum of 4% of annual worldwide turnover that the ICO had the power to impose under Article 83(5) of the GDPR, which raises questions about how the £20 million figure was calculated.

The ICO emphasises in its enforcement notice (the enforcement notice) that the level of penalty that it initially proposed is not treated as a starting point for the consideration of the final penalty (https://ico.org.uk/media/action-weve-taken/mpns/2618421/ba-penalty-20201016.pdf). Crucially, the biggest reduction came from the ICO moving away from the approach set out in its draft internal procedure for setting and issuing monetary penalties, which it had consulted when determining the original proposed penalty. In line with the GDPR and its regulatory action policy, it determined that the appropriate starting point for the final penalty was £30 million (https://ico.org.uk/media/about-the-ico/documents/2259467/regulatory-action-policy.pdf).

The ICO states that this amount is appropriate in reflecting the seriousness of the breach and the need for the penalty to be “effective, proportionate and dissuasive”. This indicates a change in approach by the ICO in the last 15 months.

The next step in the ICO’s calculation was to take into account the following mitigating factors:

  • BA promptly implemented remedial measures to minimise any damage.
  • BA promptly informed the affected data subjects, the relevant regulatory authorities and the ICO, and co-operated with the ICO’s investigation once it had discovered the breach, even though it arguably should have discovered the breach earlier.
  • BA offered to reimburse all customers who had suffered financial losses as a result of the theft of their card details.
  • Publicity of the cyber attack is likely to have increased awareness of the risks of cyber attacks.
  • The impact of the attack on BA’s brand and reputation is likely to have a dissuasive effect on BA and other organisations.
  • BA implemented a number of remedial technical measures to reduce the risk of a similar attack in the future.

In light of these mitigating factors, the ICO determined that the £30 million starting point should be reduced by 20% to £24 million. The ICO found that there were no aggravating factors and that the penalty did not need to be increased in order to dissuade others.

Finally, the ICO considered the economic impact and affordability of the fine in line with its guidance relating to the 2019 novel coronavirus disease (COVID-19) pandemic. In light of that guidance, the ICO applied a further reduction of £4 million, taking the final penalty to £20 million, which it deemed appropriate and proportionate in the circumstances.

Key lessons on future enforcement

There is a lot to learn from the biggest fine to date from the ICO, as it will act as a precedent for future enforcement action.

Future challenges to proposed fines. The ICO itself accepts that the revised penalty of £20 million is considerably lower than the original proposed penalty, which it attributes to BA’s detailed representations over the course of the last year. In October 2020, the ICO launched a public consultation on its draft statutory guidance on regulatory action, which sets out how the ICO will exercise its enforcement powers (https://ico.org.uk/media/about-the-ico/consultations/2618333/ico-draft-statutory-guidance.pdf). Interestingly, the draft guidance states that where a fine based on turnover would exceed the €10 million or €20 million figures in the GDPR, the ICO will cap the fine at the relevant €10 million or €20 million limit rather than fining at the available percentages of turnover (Articles 83(4) and (5)), even though the percentage-based limits would allow for higher fines.

Practitioners will now wait to see what happens with the ICO’s fine against Marriott for its 2018 breach, in respect of which a proposed £99 million fine was originally issued. It is now likely that Marriott and other organisations issued with large proposed fines will seek to follow BA’s approach and make robust representations to challenge the proposed fine set out in their notice of intent.

COVID-19 was not the key factor. Interestingly, the reduction in the fine was not mainly attributable to the effects of the COVID-19 pandemic, as had previously been suspected; in fact, the pandemic accounted for only £4 million of the reduction. The ICO stated that, although the COVID-19 pandemic has had a significant effect on BA’s immediate financial position, it does not consider that the final penalty will cause BA financial hardship.

Shift in focus on turnover when calculating a fine. In the enforcement notice, the ICO acknowledged that, although turnover is a relevant metric, it is one factor to be taken into account in the round, rather than the key focus. It is likely that the significant reduction in the fine resulted from the ICO moving away from its initial approach, in which turnover was the driving factor when calculating fines.

The ICO’s apparent shift in approach may be reassuring for large organisations facing regulatory enforcement action, as its pragmatic approach weighs a number of mitigating and aggravating factors rather than treating an organisation’s financial position as the starting point for calculating a fine. It also arguably indicates a regulatory approach under the Data Protection Act 2018 that differs from the headline-grabbing fines that the GDPR facilitates (see feature article "GDPR one year on: taking stock", www.practicallaw.com/w-020-0982).

Organisations need to tighten up security measures. Organisations such as BA have learned the hard way that they will not be absolved of liability when a data breach occurs as a result of criminal activity. The ICO makes clear that the security of BA’s network was inadequate and that, had BA addressed those failings by implementing appropriate measures, it could have prevented the cyber attack. BA was penalised for its own breaches of the GDPR rather than for the conduct of any third party.

The ICO was particularly concerned that BA did not detect the breach itself and was only notified of it by a third party some two months after the attacker gained access. Interestingly, however, BA's failure to detect the breach was not treated as an aggravating factor. For those negotiating complex arrangements with supplier processors, the ICO has unfortunately not used this opportunity to offer more guidance on when members of a supply chain may be found culpable.

The ICO emphasised that there were a number of measures that BA could have implemented to prevent the cyber attack that were neither excessively costly nor technically prohibitive to adopt; in its announcement of the penalty it cited limiting access to applications, data and tools to what each user's role requires, rigorous testing in the form of simulated cyber attacks, and protecting employee and third-party accounts with multi-factor authentication. The enforcement notice therefore provides useful guidance on the minimum security measures that the ICO expects organisations to have in place. The emphasis on robust security measures has become increasingly important in the current remote working environment.

Consequences may be greater than a fine. Finally, this is an important reminder that a data breach can have far greater consequences than a fine from a data protection regulator. At the time of the proposed fine, BA faced considerable media scrutiny and reputational damage, which resulted in a 1.5% drop in its parent company’s share price. A rising concern for organisations affected by significant data breaches, however, will be the growth of US-style data subject class actions, which could have even greater financial and reputational consequences for affected organisations (see feature article "Data class actions: the outlook after Morrison").