UK: ICO fines British Airways £20M for data breach
The Information Commissioner's Office ('ICO') announced, on 16 October 2020, that it had fined British Airways Plc £20 million for failing to protect the personal and financial details of more than 400,000 of its customers, following the ICO's notice of intent, issued in July 2019, to fine the considerably higher amount of £183.39 million. The ICO noted that this constitutes its largest fine to date and that the penalty has been approved by the European data protection authorities under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In calculating the fine, the ICO highlighted that it considered representations from British Airways, the economic impact of the COVID-19 ('Coronavirus') pandemic on its business, and the fact that the infringement of Article 5(1)(f) of the GDPR falls within Article 83(5)(a) of the GDPR, whereas Article 32 falls within Article 83(4)(a) of the GDPR; as such, the appropriate tier for the fine is that imposed by Article 83(5)(a) of the GDPR, this being the gravest breach at issue in the case.
Nevertheless, the penalty notice indicates that the penalty is considerably less than 1% of British Airways' total worldwide annual turnover. In addition, the penalty notice sets out additional mitigating measures that British Airways could have taken to reduce the risk of the data breach, none of which would have entailed excessive cost or technical barriers, with the ICO further noting that, since the data breach, British Airways has made considerable improvements to its IT security.