ICO fine for British Airways lands at £20m

Ever since the Information Commissioner issued British Airways with a notice proposing to impose a massive fine of £183.39m for a data breach incident in 2018, we have all be waiting with bated breath to see how that process would conclude. A fine at that level would have been the largest ever issued by a data protection regulator in Europe, and would have dwarfed the eye-watering €50m proposed by the French data protection authority CNIL in respect of Google’s advertisement personalisation practices, affecting millions of French citizens. The prospect of BA, a corporate victim of a criminal cyber-attack affecting around 400,000 people’s (mostly payment-card) data, being subject to fine in excess of 4x as large certainly grabbed the headlines.

The wait is now over and the Information Commissioner’s decision is in: the financial penalty is £20m. This result unavoidably raises the issue of why the data watchdog’s bark was so much worse than its bite. What provoked this near 90% reduction in the level of fine? Was it the impact of Covid-19; was it BA providing further information during the assessment process; or was it symptomatic of the ICO changing course in terms of its handling of the case? These are important questions that need to be considered carefully by everyone with an interest in this area.

Background

The background to this case is well known. Back in 2018, BA’s systems were the subject of a cyber-attack which resulted in an attacker gaining access to personal data including names, addresses, and payment card details of certain of its customers. On investigation, the ICO concluded on a preliminary basis that BA had breached its data security obligations under Articles 5(1)(f) and 32 GDPR and that the case warranted the imposition of a penalty. In July 2019, and in accordance with the statutory procedure provided for under the DPA 2018, the ICO issued a ‘notice of intent’ to BA confirming its intention to impose a penalty of £183.39m. A notification of this nature inevitably required BA to report the threatened fine to the market, which in turn triggered global headlines, with Elizabeth Denham herself commenting to the media with respect to the justifications for imposing a penalty of this size. Thereafter BA filed submissions and answered technical questions posed by the ICO. Three rounds of submissions were lodged, including concerning the impact of Covid-19 on BA’s financial position.

Reasons for the £20m Penalty

The penalty notice sets out the Information Commissioner’s reasoning for assessing the fine at £20m. She had regard to the factors set out in Article 83(1) and (2) GDPR as well as her Regulatory Action Policy of 2018, and highlighted that:

• BA did not gain financially as a result of the breach (§7.7)
• The ICO regarded the data breach as serious in terms of nature and duration (§§7.9-7.16)
• The infringement was not intentional or deliberate (§7.18), but BA was responsible for the infringements found (§7.28)
• BA had no relevant previous infringements or failures to comply with past notices (§7.30)
• BA fully cooperated with the investigation (§7.31)
• No “special category” data was affected (§7.33)
• BA acted promptly when notifying the Commissioner (§7.35)

According to the penalty notice, those features would have resulted in a penalty of £30m before adjustments. As to those:

• Upwards adjustment was not required because of an absence of aggravating factors and need to make the penalty dissuasive (§7.37-8)
• Downwards adjustment by 20% (to £24m) was appropriate in light of mitigating factors, namely (§7.41):

– The immediate remedial actions taken by BA, both technical and towards its customers, including the offer to reimburse financial losses resulting from the attack, and making available a free credit monitoring service.

– That BA promptly informed affected data subjects and law enforcement/regulatory agencies, and cooperated with the investigation

– The wide reporting of the incident will have increased the awareness of other data controllers to the risks and need to ensure compliance with the GDPR

– BA’s brand and reputation was adversely affected

• The Covid-19 pandemic, and associated economic consequences, justified a further downwards adjustment of the penalty by £4m to £20m (§7.53).

Assessment

Well, reading between the lines it seems that the principal driver for the dramatic reduction in the quantum of the fine is this: having initially calculated the penalty by reference to a unpublished ‘draft’ policy that put a controller’s “turnover” centre-stage when it came to the process of calculating fines under the GDPR, the ICO went on to abandon this turnover-centric approach, opting instead to treat BA’s undoubtedly substantial turnover as a relevant but not the primary metric for the calculation of the fine. See further the discussion of the draft policy at §§7.60 and 7.74.

Notably, BA made extensive criticisms of the ICO’s approach to penalty calculation in the notice of intent, as is made clear at §7.57 of the penalty notice. Those criticisms included (but were not limited to) an attack both on the ICO’s reliance on an unpublished quantification policy, which reliance BA claimed was unlawful (§7.57(b)) and on its reliance on a turnover-based approach (§7.57(c)). In the event, the Commissioner retreated from her reliance on the draft policy: she said she put that internal document completely aside, and had made “no reference” to it for the purposes of calculating the penalty in the final notice (§7.62, §7.151). That was not to say she regarded turnover as irrelevant – it remained, she said, a core quantification metric to be fed into the assessment as one of many in the basket of relevant factors (§§7.71-5; §7.154). Yet this different methodological approach has clearly had a startling effect on the final number.

Going forward, data controllers may find some comfort in an approach whereby the success of a data controller, measured by turnover, is regarded as a relevant factor, rather than the very prism through which a fine is determined. Such an approach – one might think – is much more appropriate for a penalty process which ought primarily to be about penalising controllers for particular wrongdoing, rather than operating as a tax on success.

Some other points to note from the decision are:

• The Commissioner’s emphasis that when assessing fines under the GDPR / DPA 2018 regime, it is wrong to rely on cases issued under the previous regime (§7.92e), and that a comparison with previous provisions is inapt (§§7.99ff). This decision, however, is the first major penalty issued under the GDPR and will undoubtedly constitute an important benchmarking precedent for future cases.
• The Commissioner’s view that (perhaps unsurprisingly) she regards her Regulatory Action Policy as adequate in terms of legal certainty (§7.108), although compare and contrast the concerns raised by BA about the lack of legal certainty in the penalty regime, as noted in §7.57(f).
• Comparisons with other cases (see §7.115) did not cause the Commissioner pause that she might have taken a disproportionate approach to the fine (see §7.117). They, she thought, were fact specific with limited public information available (§7.118). Of course the penalty actually imposed on BA comes in at under 50% of the CNIL Google fine.
• The ICO’s rejection of the submission that the provisions of the GDPR were in conflict by providing different maximum fines for undertakings infringing Article 32 (2% of global turnover (Art 83(4)) and Article 5(1)(f) (4% of global turnover (Art 83(5)). BA suggested Articles 5(1)(f) and 32 imposed the same core obligations but attracted different fines. Not so, held the Commissioner: they are distinct provisions even if they overlap (§§7.80ff). Given the amount of the fine imposed, this point did not ultimately affect the result but will no doubt be revisited in future cases where it might make a difference.