The British supervisory authority, the Information Commissioner's Office (ICO), has announced its intention to impose a GDPR fine of £183 million (equivalent to €243.47 million) on British Airways. This amounts to 1.5% of the company's total turnover in the 2017 financial year. Since it is only a proposed fine, British Airways can still make representations on the investigation, the findings and the fine proposed by the ICO.
The trigger for the GDPR fine proposed by the ICO was a cyber-attack on the British airline. From June 2018, attackers diverted user traffic from the official British Airways website to a fraudulent website under their control. The ICO's investigation found that the attackers harvested the personal data of approximately 500,000 customers through this mechanism.
The ICO started its investigation after the airline notified it of the data breach in September 2018. The investigation revealed that several categories of personal data had been compromised. These included login details, booking details and contact details, but also financial data such as the expiry dates and the three-digit CVC codes of payment cards. British Airways states on its website, however, that no travel dates or passport details were leaked.
The investigation is being conducted by the ICO as lead supervisory authority under the one-stop-shop mechanism. Under this mechanism, the supervisory authority of the place where the undertaking has its main establishment in the EU conducts the investigation and cooperates with the other supervisory authorities concerned. Those authorities will also be able to comment on the proposed fine before the ICO imposes a final one.
The GDPR provides that an administrative fine for infringements of this kind may not exceed €20 million or 4% of the total worldwide annual turnover of the undertaking concerned in the preceding financial year, whichever is higher (Article 83 GDPR). The fine of £183.39 million (equivalent to €243.47 million) proposed by the ICO equals 1.5% of British Airways' annual turnover in 2017. The proposed fine is thus well within the limits set by the GDPR, but it would be the highest fine imposed so far by any supervisory authority: roughly four times the fine imposed on Google by the French CNIL earlier this year.
In any event, when determining the amount of the fine the ICO must give due regard to the factors listed in Article 83(2) GDPR, and Article 83(1) requires that any fine be effective, proportionate and dissuasive. The ICO has not yet provided any information on the exact criteria it applied in setting the fine, but in our view the following elements seem relevant to that determination:
According to the ICO, British Airways cooperated with the investigation and has since improved its security arrangements, but this was not enough to persuade the ICO to refrain from fining the airline.
In a statement, British Airways said it was surprised and disappointed by the fine proposed by the ICO. According to its CEO, the company responded quickly to the theft of its customers' data. In the same statement, International Airlines Group, the group to which British Airways belongs, said it disagreed with the ICO's proposed fine and would take all appropriate steps to defend the airline's position, including an appeal against the fine if necessary.
It remains to be seen whether the ICO will stand firm and actually impose this record fine. In the meantime, affected customers can find answers to their questions on the British Airways website.