The wait for one of the U.K. Information Commissioner's Office's most stringent enforcement actions is over. The ICO announced it levied a final penalty of 20 million GBP against British Airways — the DPA's largest fine to date — over violations of the EU General Data Protection Regulation in relation to a 2018 data breach affecting more than 400,000 customers.
The fine comes more than a year after the regulator publicized its intent to fine the airline 183.39 million GBP for its data protection response. Following that notice in July 2019, the ICO and British Airways engaged in negotiations that not only carved out extensions for a final decision, but also allowed the two sides to plead their cases regarding the severity of the penalty.
"Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result," U.K. Information Commissioner Elizabeth Denham said in a public release. "When organizations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security."
A British Airways spokesman told the IAPP that the airline was satisfied with the ICO's final decision.
"We are pleased the ICO recognizes that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation," the spokesman said. "We alerted customers as soon as we became aware of the criminal attack on our systems in 2018 and are sorry we fell short of our customers’ expectations."
Hogan Lovells Partner Eduardo Ustaran, CIPP/E, views the ICO's penalty as a warning shot across the bow of companies playing it fast and loose with their data security practices.
"The scale of this enforcement action reminds us that data security is one of the top priorities of the European data protection framework," Ustaran said. "In particular, how to avoid, handle and react to a personal data breach needs to be looked at as a strategic business issue."
Much of the attention paid to how this case would play out came at the hands of British Airways, which, along with Marriott, publicized the ICO's intent to fine through their respective disclosures to the U.S. Securities and Exchange Commission.
"Our usual process is that our preliminary fining notices are done in confidence between our office and the companies," Denham said during a June webinar hosted by Global Counsel. "In this case, BA and Marriott disclosed our preliminary notices due to market sensitivities. So it wasn't our disclosure, it was the companies."
Denham also mentioned there were "confidential evaluations going on," alluding to the back-and-forth her office had regarding representations brought forward by British Airways, which were detailed in the ICO's penalty notice.
The decreased penalty comes as a surprise to some, but deeper analysis shows this was the likely result for some time.
International Airlines Group, British Airways' parent company, forecasted 20 million GBP as its "best estimate" for the final penalty in its mid-year financial report published July 31. On the other side, Denham emphasized "preliminary notices" in her comments about the potential fine during the Global Counsel webinar but also noted at the outset of the COVID-19 pandemic that her office would be "an enabler and protector," signaling ease in enforcement actions in favor of sympathizing with affected organizations and individuals.
The unique time and circumstances of the fine should be a consideration for disappointed onlookers, according to Ustaran.
"In my view, criticizing the ICO because the amount of the fine ultimately issued is significantly lower than the amount set out in the original Notice of Intent is ignoring that GDPR enforcement involves a complex legal process which needs to take into account the facts of the case, the correct interpretation of the law, the representations made by the parties and what is actually going on in the real world," Ustaran said.
Photo by Isaac Struna on Unsplash