In a landmark decision, the UK ICO has issued British Airways (“BA”) with a £20m fine in relation to a data breach affecting more than 400,000 customers. This is a significant reduction from the £183m the ICO had previously proposed.
The UK Information Commissioner’s Office (the “ICO”) issued a statement in July 2019 announcing that it had issued a notice of its intention to fine BA £183.39 million for alleged infringements of the General Data Protection Regulation (“GDPR”), which BA had notified to the ICO in September 2018. It was the largest penalty ever announced for data protection violations in the EU. However, the ICO has today announced its decision to issue a penalty of £20 million, meaning BA will pay just eleven per cent. (11%) of the fine proposed in the ICO’s original notice of intention.
The ICO’s reasoning
The ICO issued a lengthy (114 page) Penalty Notice, in which it provided significant background on the data breach that affected BA’s systems. In summary, the ICO found that between 22 June and 5 September 2018, a malicious attacker gained access to an internal BA application by using compromised credentials. According to the Penalty Notice, the attacker was then able to edit a file on BA’s website, resulting in BA customer payment card details being sent to an external third-party domain controlled by the attacker.
The ICO concluded that BA had failed to process the personal data of its customers in a manner that ensured appropriate security of the data, including a failure to protect the data against unauthorised or unlawful processing and against accidental loss, destruction or damage. The ICO also concluded that BA had failed to implement appropriate technical and organisational security measures (as required by Articles 5(1)(f) and 32 of the GDPR).
The Penalty Notice explains that, taking into account the nature of this incident, a penalty of £30m would in principle be appropriate. The ICO did not consider there to be any aggravating factors that should increase the penalty. Instead, the ICO noted a number of mitigating factors and remedial measures, and arguments raised by BA, leading to a twenty per cent. (20%) reduction in the fine (i.e., to £24m). The ICO then stated that “having regard to the impact of the Covid-19 pandemic (on BA and more generally) … a further reduction of £4m is appropriate and proportionate.” This resulted in the final penalty of £20m.
Impact on businesses
The course of events from the ICO’s original notice of intention through to the final penalty set out in the Penalty Notice appears to indicate that a business accused of a serious infringement of the GDPR may be able to argue its case strongly in order to secure a significantly reduced fine. As the ICO acknowledged in the Penalty Notice, “the proposed penalty is less than the initial proposed penalty as a result of BA’s Representations”. This is likely to encourage other businesses facing significant penalties under the GDPR to engage legal representation in the hope of materially reducing such penalties. The ICO’s decision will also be encouraging for businesses that may be struggling to achieve compliance in the current economic climate, and suggests the ICO will take account of such difficulties when reaching its decisions on enforcement action and issuing fines.
This case also illustrates the difficulty businesses face in accurately anticipating the financial penalties that may be issued for alleged infringements of the GDPR. The ICO’s initial proposal of a £183m fine followed a nine-month investigation into the incident. But in the Penalty Notice, issued more than a year later, that figure was reduced by almost ninety per cent. (90%).
Interestingly, the ICO stated that the £183m penalty it had initially proposed was “not treated as the starting point for [determining the £20m penalty that the ICO actually issued] or factored into it.” This is likely to create confusion over the relationship between: (i) any proposed penalty set out in a notice of intention from the ICO; and (ii) the actual penalty a business may eventually receive. It remains to be seen whether the ICO will clarify this point going forward.
Bill Webb (White & Case, Trainee Solicitor, London) contributed to the development of this publication.