The Information Commissioner’s Office has been accused of a humiliating climbdown after being forced to slash its proposed GDPR fine for British Airways from £183m to “just” £20m following months of legal wrangling – a markdown of nearly 90%.
The issue dates back to September 2018, when BA “self-reported” a cyber attack, triggering an ICO probe.
The incident in part involved user traffic to the BA website being diverted to a fraudulent site, and the ICO’s investigation found that a variety of information was compromised by poor security arrangements, including login, payment card and travel booking details as well as name and address information.
The regulator then issued a “notice of intent” on July 8 2019 to fine the airline £183m; a day later it issued another notice of intent to fine Marriott International £99m for a cyber incident which exposed 339 million customer records globally, of which over 30 million were in the EU and 7 million in the UK.
Both companies insisted they would fight the fines.
Since then, the ICO has been forced to delay issuing the final penalty four times. However, in the “exceptional items” section of IAG Group’s consolidated results for the six months to June 30, 2020 – published in August – the company said it had set aside €22m for the fine.
Information Commissioner Elizabeth Denham has put a brave face on the outcome, saying: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.
“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.”
However, one industry insider commented: “Of course £20m is a big fine but what does it say about the ICO’s case when BA managed to get a 90% discount? It’s a humiliating climbdown and one which sends out all the wrong signals. The real problem is that the ICO shot itself in the foot by ‘going large’ in the first place and tried to make a big statement about how it wouldn’t stand any nonsense under GDPR.
“However, it is not even the biggest fine in Europe – the Germans issued that a fortnight ago. In fact, the Germans have issued 27 fines to the UK’s two.”
And Mishcon de Reya data protection officer Jon Baines added: “A £20m fine is by far the largest ever issued by the ICO, and only the second fine issued by the ICO under the GDPR. However, given that the original intention was to fine BA £183m, this may be seen as a climbdown by the ICO.
“The fact that the actual notice is 114 pages long, referring to multiple and robust arguments from BA’s lawyers, suggests there may be an appeal – and more developments to come. This is likely to cost the ICO and BA heavily in terms of legal fees, at a time when both will have a whole host of Brexit-related and Covid-related matters on their rosters.”