The Information Commissioner’s Office has been slated for its handling of the British Airways data breach investigation, amid claims it has shown a “staggering” lack of judgement by issuing the notice of intent to fine the airline £183.39m before the process is even complete.
That is the damning verdict of some data protection experts to the Commissioner Elizabeth Denham’s decision to go public on the BA case, reinforcing fears – expressed last year – that the regulator is making it virtually impossible for companies to respond to any charges.
And while some commentators have used the decision to big up the regulator, insisting it shows the ICO has “teeth”, others have been quick to point out that the fine has not even been issued yet and could be much lower.
Data protection consultant and former ICO policy manager Tim Turner wrote on LinkedIn: “All day, people will be saying that the Information Commissioner’s Office has fined British Airways £183 million under #GDPR. They haven’t. They’ve issued BA with a notice of intent. BA can make representations. The actual fine might be lower, if it ever happens.”
In response to a separate post, Turner wrote: “The fact that the ICO doesn’t have the self-discipline to hold off commenting until the process is complete shows that they’re not a serious regulator. The lack of judgement is staggering, and I’ll be fascinated to see if BA appeal.”
However, the ICO insists it simply issued statements in response to announcements made by both companies to the stock markets.
Even so, Denham does have “previous” on this issue. Last July, she was castigated for announcing a notice of intent to fine Facebook £500,000 over the misuse of data for political advertising, before the company had had a chance to respond. Earlier that month, Emma’s Diary was also slapped with a notice of intent of a £140,000 fine before it could reply.
And, despite making “representations” to the ICO, both Facebook and Emma’s Diary failed to overturn the decisions. Facebook has since launched an appeal, although a date for the hearing has yet to be set.
One industry source said: “The BA case isn’t exactly carrot and stick is it? It feels more like the company being bludgeoned before it can defend itself. BA reported the incident and fully co-operated with the investigation, yet it is still facing a massive fine. And, unlike other cases, there has been no evidence of fraudulent activity on accounts linked to the theft. Last week, the ICO was caught breaching GDPR over its use of cookies and what happened? It quickly changed its website. It won’t face sanctions because no-one polices the data police.”
Other data protection experts, however, have praised the ICO’s tough stance.
Patrick Wheeler, a partner and head of intellectual property and data protection at law firm Collyer Bristow, believes the BA case should make firms sit up and take note.
He added: “ If businesses were feeling complacent about their GDPR obligations, thinking that nothing was going to happen, this record fine should serve as a wake-up call.
“We were expecting the ICO to hand down some pretty hefty fines to coincide with the first GDPR anniversary and it has now started to do so. The ICO has shown that it takes its regulatory responsibilities protecting the interests of data subjects very seriously and also that it wants businesses to work hard to comply.
“The fine imposed on British Airways may be the first, but it will not be the last: several large commercial and public sector entities will all be in the ICO’s spotlight.”
Meanwhile, law firm Decoded Legal tweeted: “Been putting off asking for budget for GDPR legal advice? You may find senior management are quite receptive this week…”
Related stories
BA faces record £183m GDPR fine for data meltdown
Facebook bids to overturn £500,000 data abuse fine
Facebook finally hit with maximum £500,000 data fine
Experian in ICO sights as Emma’s Diary gets walloped
Denham under fire over ‘unchallenged’ Facebook fine
Emma’s Diary first broker to be fingered in ICO probe
BHF breaks ranks to lay into ICO for pandering to media
Privacy chief accused of sucking up to the Daily Mail