In its six-month results announcement released July 31, BA’s owners—International Airlines Group (IAG)—said in the notes to the accounts it had made a provision of just $26 million to cover any financial sanction the United Kingdom’s data regulator may impose on it for a 2018 breach of the EU’s General Data Protection Regulation (GDPR).
That figure amounts to a nearly $200 million reduction of the original sum the Information Commissioner’s Office (ICO) said it wanted to fine the company last July.
IAG said the greatly reduced figure “represents management’s best estimate of the amount of any penalty issued by the ICO… relating to the theft of customer data at British Airways in 2018”.
The process is ongoing, and no final penalty notice has been issued, though Elizabeth Denham, the Information Commissioner, told a virtual conference in May a final decision would be announced this month.
In response to this news, an ICO spokesperson said: “The regulatory process is ongoing, and we will not be commenting until it has concluded.”
Neither British Airways nor IAG could be reached for further comment.
However, Judy Krieg, privacy partner at law firm Fieldfisher, was quoted in “The Daily Telegraph” as saying the figure did not “come out of thin air”.
“The remaining conclusion is that this number must be based on the negotiations with the ICO,” she told the newspaper, adding that “this is a strong indication that it will be far less than the £183.4m (U.S. $230 million) suggested barely more than a year ago.”
On July 8, 2019, the ICO issued a notice of its intention to fine BA $230 million for GDPR-related infringements following a cyber-attack that saw around 500,000 customers’ details—including log-in, payment card, and travel booking information—being diverted to and harvested by a fake website between June and September 2018.
Despite the airline’s protests that it had found no evidence of fraud or financial loss on accounts linked to the theft of customer data, the regulator slapped it with the largest GDPR-related fine to date anywhere in the European Union—equivalent to 1.5 percent of the company’s worldwide turnover for 2018. The maximum fine could have been 4 percent.
The company said in its last annual report that “it would vigorously defend itself in this matter, including using all available appeal routes should they be required.”
Under the terms of the GDPR, a final decision should have been due within six months of the ICO’s notice to fine, which would have been January, but the regulator agreed to extend the deadline. In April the ICO pushed the deadline back further after the COVID-19 pandemic made it clear BA’s priority was to work out how to stay in business with a grounded fleet, while the ICO also said it needed to scale back on enforcement work to focus on more immediate matters.
Lawyers have been divided by the size of the BA fine and the rationale behind it. Some believe the ICO has wanted to make an example of large companies and thus handed out an eye-watering penalty as a way of making GDPR compliance a priority for all businesses. Others thought the fine was too high a price to pay for what was essentially an external hack, and the ICO’s credibility could be damaged if the fines were significantly reduced on appeal.