The Information Commissioner’s Office (the “ICO”) has issued a notice of its intention to fine British Airways (“BA”) £183.39 million for breaching the General Data Protection Regulation (the “GDPR”). While not a final decision, the ICO felt that it needed to respond after statements were made to investors about the investigation. The ICO was investigating on behalf of other European regulatory authorities, so the fine will be split among them. The portion received by the ICO will go to the Treasury.

The incident that led to the proposed fine occurred around June 2018, when hackers stole customers’ personal details, including names, email addresses and credit card details.

Alex Cruz, BA’s chief executive, said:

"British Airways responded quickly to a criminal act to steal customers' data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused."

The fine is the largest imposed on a company under the GDPR to date, and represents 1.5% of BA’s turnover. The maximum penalty available under the GDPR is 4% of a company’s turnover. The decision is a reminder of how seriously companies need to take implementing the spirit of the GDPR.

By issuing its intention to penalise, the ICO is sending out a message that if companies do not protect personal data as they could or should, then there will be consequences. BA intends to appeal the decision and has 28 days in which to do so.

There is concern among the business community about the injustice of the GDPR turnover tax, which the ICO and other regulatory bodies can impose on companies regardless of whether the company makes a profit. Additionally, if the regime is seen to be unfairly targeting US tech companies, it could well stoke unintended tensions between the two jurisdictions.

Meanwhile, the ICO’s annual report reveals that data protection complaints have increased by 100% in the last year.

The GDPR came into force on 25 May last year, and the ICO is the regulatory body for it in the United Kingdom. Under the GDPR, businesses must have a lawful basis before they can use or process personal data belonging to individuals.

At Markel Law we regularly comment on SME-related matters.
