Marcus Pilgerstorfer QC, of 11 KBW, recounts how the proposed fine of £184m for the BA data breach has been whittled down to the £20m announced last week.
Ever since the Information Commissioner issued British Airways with a notice proposing to impose a massive fine of £183.39m for a data breach incident in 2018, we have all been waiting with bated breath to see how that process would conclude. A fine at that level would have been the largest ever issued by a data protection regulator in Europe, and would have dwarfed the eye-watering €50m fine imposed by the French data protection authority CNIL in respect of Google’s advertisement personalisation practices, affecting millions of French citizens. The prospect of BA, a corporate victim of a criminal cyber-attack affecting around 400,000 people’s (mostly payment-card) data, being subject to a fine more than four times as large certainly grabbed the headlines.
The wait is now over and the Information Commissioner’s decision is in: the financial penalty is £20m. This result unavoidably raises the issue of why the data watchdog’s bark was so much worse than its bite. What provoked this near 90% reduction in the level of fine? Was it the impact of Covid-19; was it BA providing further information during the assessment process; or was it symptomatic of the ICO changing course in terms of its handling of the case? These are important questions that need to be considered carefully by everyone with an interest in this area.
Background
The background to this case is well known. Back in 2018, BA’s systems were the subject of a cyber-attack which resulted in an attacker gaining access to personal data including names, addresses, and payment card details of certain of its customers. On investigation, the ICO concluded on a preliminary basis that BA had breached its data security obligations under Articles 5(1)(f) and 32 GDPR and that the case warranted the imposition of a penalty. In July 2019, and in accordance with the statutory procedure provided for under the DPA 2018, the ICO issued a ‘notice of intent’ to BA confirming its intention to impose a penalty of £183.39m. A notification of this nature inevitably required BA to report the threatened fine to the market, which in turn triggered global headlines, with Elizabeth Denham herself commenting to the media with respect to the justifications for imposing a penalty of this size. Thereafter BA filed submissions and answered technical questions posed by the ICO. Three rounds of submissions were lodged, including concerning the impact of Covid-19 on BA’s financial position.
Reasons for the £20m Penalty
The penalty notice sets out the Information Commissioner’s reasoning for assessing the fine at £20m. She had regard to the factors set out in Article 83(1) and (2) GDPR as well as her Regulatory Action Policy of 2018, and highlighted that:
According to the penalty notice, those features would have resulted in a penalty of £30m before adjustments. As to those adjustments, the Commissioner took into account the following mitigating factors:
- The immediate remedial actions taken by BA, both technical and towards its customers, including the offer to reimburse financial losses resulting from the attack, and making available a free credit monitoring service.
- That BA promptly informed affected data subjects and law enforcement/regulatory agencies, and cooperated with the investigation.
- That the wide reporting of the incident will have increased the awareness of other data controllers of the risks and of the need to ensure compliance with the GDPR.
- That BA’s brand and reputation were adversely affected.
Well, reading between the lines it seems that the principal driver for the dramatic reduction in the quantum of the fine is this: having initially calculated the penalty by reference to an unpublished ‘draft’ policy that put a controller’s “turnover” centre-stage when it came to the process of calculating fines under the GDPR, the ICO went on to abandon this turnover-centric approach, opting instead to treat BA’s undoubtedly substantial turnover as a relevant, but not the primary, metric for the calculation of the fine. See further the discussion of the draft policy at §§7.60 and 7.74.
Notably, BA made extensive criticisms of the ICO’s approach to penalty calculation in the notice of intent, as is made clear at §7.57 of the penalty notice. Those criticisms included (but were not limited to) an attack both on the ICO’s reliance on an unpublished quantification policy, which reliance BA claimed was unlawful (§7.57(b)) and on its reliance on a turnover-based approach (§7.57(c)). In the event, the Commissioner retreated from her reliance on the draft policy: she said she put that internal document completely aside, and had made “no reference” to it for the purposes of calculating the penalty in the final notice (§7.62, §7.151). That was not to say she regarded turnover as irrelevant – it remained, she said, a core quantification metric to be fed into the assessment as one of many in the basket of relevant factors (§§7.71-5; §7.154). Yet this different methodological approach has clearly had a startling effect on the final number.
Going forward, data controllers may find some comfort in an approach whereby the success of a data controller, measured by turnover, is regarded as a relevant factor, rather than the very prism through which a fine is determined. Such an approach – one might think – is much more appropriate for a penalty process which ought primarily to be about penalising controllers for particular wrongdoing, rather than operating as a tax on success.
Some other points to note from the decision are: