July 10, 2019

British Airways facing a £183m fine for breach of GDPR

If the UK Information Commissioner's Office wanted to send a message that companies need to treat personal information data breaches seriously in the post-GDPR era then it has certainly done that.

British Airways (BA) suffered a serious hack where hackers harvested personal information from approximately 500,000 customers, including credit card information. Once it became aware of the breach BA acted very responsibly, and dealt with the breaches and its obligations under the GDPR. Despite this, they are likely to be fined $350m.

The size of the proposed fine has caught most commentators by surprise. For example, last year Facebook was fined £500,000 for a data breach (under the old UK Data Protection Act) which impacted 87 million users in the Cambridge Analytica scandal.

However, the penalties available under the GDPR are significantly higher, for this type of breach they are the greater of €20m or 4% of global turnover.

Fine for GDPR breach


If you aren't taking your obligations under the GDPR seriously, you should be. (UK Information Commissioner's Office)

No items found.

The proposed BA fine reflects approximately 1.5% of global turnover, and so could have been a lot worse. However, if the ICO finalises its proposed penalty, it is inevitable BA will appeal.The message from the ICO is clearly 'if you aren't taking your obligations under the GDPR seriously, you should be.

This is a good example of a regulator wielding a big stick to drive compliance and corporate behaviour. Consumer advocates in New Zealand must be looking on in envy at the level of fines being meted out. The penalties under the New Zealand's Fair Trading Act (FTA) are paltry in comparison.

A recent example is 2 Cheap Cars, which was found to have breached the FTA. This is not 2 Cheap's first run in with the Commerce Commission or the FTA. Its behaviour in this case was described as "plainly unfair conduct", "deliberately misleading rather than just plain careless" and was "extensive offending".

Yet, despite its conduct it was only fined $438,000 largely due to the maximum penalties available under the FTA.

Article Link


Get in Touch