The real reason British Airways managed to batter down its proposed £183m GDPR fine to “just” £20m had less to do with the financial impact of Covid-19 and more to do with the Information Commissioner’s Office getting carried away with how much it could fine the company, according to an analysis of the 114-page penalty notice.
The incident in part involved user traffic to the BA website being diverted to a fraudulent site, and the ICO’s investigation found that a variety of information was compromised by poor security arrangements, including login, payment card and travel booking details, as well as name and address information.
The final penalty, which was issued last week, took over a year to settle as BA’s lawyers fought tooth and nail to get the £183m fine overturned.
And, according to a blog post by Mishcon de Reya data protection lawyer Jon Baines, there were various factors behind the move, the most significant being that the ICO initially based its calculation on an internal document (a so-called “draft internal procedure”) “to provide a guide, by reference to the turnover of the controller” as to an appropriate GDPR penalty.
Baines explained: “Although GDPR does – famously – provide for maximum fines of up to 4% of a company’s annual turnover, it does not say that such turnover information is to be used to calculate the amount of a fine, and it appears that BA strongly argued that it should not be (i.e. a company’s turnover can determine where a cap should be set on a fine, but not used to calculate a sum underneath that cap).
“Although the ICO says in the notice that it remains of the view that turnover is a relevant consideration in determining an appropriate level of penalty, it appears to have conceded that it could not, or at least should not, use its draft internal procedure for the purposes of calculating the BA fine.
“Although nowhere does the notice say that this dropping of reliance on the draft internal procedure in itself led to the fall in proposed penalty from £183m to a much lower figure, one can infer that this was the case. What is clear is that BA, and its lawyers, argued strongly against the ICO’s initial approach.”
The document goes on to show that while Covid-19, and its effect on BA, was taken into account, it only led to a £4m discount; the fact that BA self-reported the incident and co-operated with the ICO investigation was also taken into account in mitigation.
Even so, data protection experts seem divided as to whether the punishment fits the crime. Many have branded the reduced fine as a major climbdown – not because £20m is a paltry sum but because the ICO had bigged up the £183m penalty at the time.
Others – most notably those who either advise companies on data protection or who work for compensation lawyers – have claimed the penalty is still substantial.
Fletchers Data Claims data breach solicitor Paul Cahill said: “Whilst it might seem that BA has had a lucky escape, the ICO’s decision is likely to have large companies reviewing their data security arrangements and seeking to strengthen their protection against cyber-attacks.
“The ICO has decided that despite the fact that the data breach was not intentional or deliberate, BA was responsible for the breach of GDPR as a result of its failure to take ‘appropriate steps’ to secure its customers’ personal data. This decision shows that whilst the ICO does accept that the attack on BA’s systems was malicious, there were clear measures that could have been taken to protect customer data from such an attack.
“The decision suggests that companies cannot simply point to their security measures and suggest that they have tried to prevent an attack, but instead need to show that they regularly review and update their procedures, and could not have reasonably been expected to prevent the attack being successful.”
Earlier this month, the ICO opened a consultation on how it will work out GDPR fines in the future. The “fine calculator” sets out nine steps which it will factor into the calculation of a fine for non-compliance, including seriousness, culpability, aggravating and mitigating factors, economic impact and dissuasiveness. However, one industry insider claimed the guidance “makes Rubik’s Cube look simple”.