UK Data Protection Regulator Issues Notice Of Intention To Fine British Airways £183.4 Million For Personal Data Breach

Cleary Gottlieb Steen & Hamilton LLP


The UK Information Commissioner's Office ("ICO") has issued a notice of intention to fine British Airways following an extensive investigation into the British Airways cybersecurity incident (notified by British Airways to the ICO in September 2018). The fine of £183.4 million relates to various alleged infringements of the EU General Data Protection Regulation ("GDPR").

According to the ICO's press release, the cybersecurity incident in question involved a hack that caused user traffic to the British Airways customer website to be diverted to a fraudulent site. The false site was then able to harvest the personal information of approximately 500,000 British Airways customers. The ICO commented that its investigation revealed "poor security arrangements", including in relation to the security of customers' login, payment card, and travel booking details, as well as name and address information.

The proposed fine, if enforced by the ICO, will be the largest penalty levied under the GDPR to date. The ICO has not yet detailed the basis upon which it has calculated the size of the fine; however, the sum is equal to approximately 1.5% of British Airways' global passenger turnover in 2018 (£11.6 billion), falling short of the maximum fine which can be levied under the GDPR (up to 4% of group annual worldwide turnover).

The proposed fine would certainly set the tone for UK enforcement, further emphasised by the comments of the UK Information Commissioner, Elizabeth Denham, who stated:

"People's personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That's why the law is clear – when you are entrusted with personal data you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."

British Airways is reported to have been cooperative with the ICO's investigation and now has the opportunity to make representations to the ICO before a final sanction is imposed.

The ICO's press release can be found here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
