The UK Information Commissioner’s Office (ICO) on 8 July 2019 issued a notice of its intention to fine British Airways £183.39 million for infringements of the General Data Protection Regulation (GDPR). Such a fine, if levied, would represent around 1.5% of British Airways’ worldwide turnover for 2017, and would be approximately 367 times larger than the next largest fine that the ICO has imposed.
The proposed fine relates to a data breach notified to the ICO by British Airways in September 2018. In late August and early September 2018, British Airways customers attempting to use the British Airways website or app were redirected to a fraudulent website, which then gathered the customers’ personal data. The personal data gathered included payment card information, booking details, and name and address information. The breach affected around 500,000 British Airways customers.
In a statement, the UK’s Information Commissioner Elizabeth Denham said “when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from [the ICO] to check they have taken appropriate steps to protect fundamental privacy rights.”
The proposed fine represents a new record for financial penalties related to breaches of data protection law in the UK. As we note above, the fine is roughly 367 times larger than the previous record: the £500,000 fine imposed on Facebook relating to the Cambridge Analytica affair in July 2018. That fine, which was for the maximum amount available to the ICO at the time, was made under powers contained in the Data Protection Act 1998. The proposed fine against British Airways would be levied under the UK Data Protection Act 2018, which implements the GDPR into national law. The Data Protection Act 2018 empowers the ICO to fine a company up to 4% of its worldwide turnover for the previous year, meaning British Airways could have received a fine of around £500 million.
The knowledge that it avoided an even higher sum will be of little comfort to British Airways, which said that it was “surprised and disappointed” by the decision. British Airways purportedly cooperated with the ICO’s investigation and has since made a number of improvements to its processes and systems. Willie Walsh, chief executive of IAG (British Airways’ parent company), said that the company “intends to take all appropriate steps to defend the airline’s position… including making any necessary appeals.”
British Airways will now have a period within which to make representations to the Information Commissioner as to why it contests the size of the proposed fine. The Information Commissioner will consider these representations, possibly alongside a panel of non-executive advisors, following which she will issue a penalty notice. After confirmation of the size of the penalty, British Airways could choose to appeal the decision to the First-tier Tribunal (General Regulatory Chamber). The company may appeal the size of the penalty notice or the notice itself.
This is a substantial fine by any standards, but particularly for a penalty in the arena of data protection. Many expected the ICO to ease into the use of its new powers more gradually, but today’s announcement charts a bold course for the Information Commissioner, Elizabeth Denham. When the penalty notice is issued, it will be interesting and useful to consider the full range of factors that the ICO took into account when determining the size of fine to impose on British Airways.
What is clear in the wake of this announcement is that the ICO will not hold back from issuing substantial penalties when it determines that there has been a serious breach of data protection law. This announcement may be seen as a statement of intent on the part of the ICO, and executives and board members may wish to look once more at their companies’ data protection compliance programme. The stakes have just been raised dramatically.
 s.157, Data Protection Act 2018, implementing Article 83, GDPR.
 The ICO’s Regulatory Action Policy states that, “For very significant penalties (expected to be those over £1M) a panel comprising non-executive advisors to the Commissioner’s Office may be convened by the Commissioner to consider the investigation findings and any representations made, before making a recommendation to the Commissioner as to any penalty level to be applied. It will be the Commissioner’s final decision as to the level of penalty applied. The panel may comprise technical experts in areas relevant to the case under consideration.”
 s.162, Data Protection Act 1998.