The U.K. Information Commissioner’s Office (ICO) has agreed to slash its intended fine for British Airways’s “unacceptable” violations of the General Data Protection Regulation (GDPR) from £183.39 million (U.S. $230 million) to just £20 million (U.S. $26 million).
The fine is still the largest the U.K.’s data privacy regulator has handed out, but it is nearly 90 percent less than the figure the regulator originally touted last year for BA’s failure to protect the personal and financial details of more than 400,000 customers. Mention of the original fine—which would have been a record under the GDPR—is conspicuously absent from the regulator’s press statement Friday.
The penalty notice does not provide details why the two figures are so far apart, other than to say the regulator is not obliged to rely on the sum it initially quoted in its intention to fine notice. The ICO maintains the reduced penalty remains “proportionate” while “dissuasive.”
Speculation has been rife that the airline had cut a deal with the ICO prior to July, when International Airlines Group (IAG), BA’s parent company, posted in its half-yearly results it had set aside €22 million to satisfy any fine. At the time, the ICO refused to comment on the surprisingly prescient figure.
Neither BA nor IAG has issued any comment on Friday’s announcement. The ICO also declined to add anything further.
One lawyer, who declined to be named, told Compliance Week, “It’s clear that challenging the ICO’s intention to fine appears to be an investment worth making, because it can save you over £160 million if you play your cards right.”
Several lawyers now expect a similar reduction to the £99.2 million (U.S. $126 million) enforcement action against hotel chain Marriott that is also overdue to be finalized.
BA’s case for a reduction
In its penalty notice, the ICO said it had proposed to fine BA £30 million (U.S. $38.9 million) but reduced this to £24 million due to “mitigating factors,” including the immediate steps the company took to remedy the breach, its cooperation with regulators and investigating authorities, its notification of affected customers, and its offer to compensate anyone adversely financially affected by the cyber-attack. The airline has since committed to further upgrading its IT systems and cyber-security measures.
The penalty was further reduced to £20 million due to the airline’s dented financial position because of the coronavirus pandemic.
The penalty notice also acknowledges BA’s spirited defense against the ICO’s original record fine. In a 76-page response (plus annexes), BA called into question the way the regulator calculated the penalty based on the company’s revenues, challenged how the ICO had interpreted its enforcement powers under the GDPR, and flagged that the level of actual harm caused by the breach was minimal.
In short, BA questioned much of the investigatory process.
BA also pointed out other companies fined by other EU supervisory authorities were handed much less substantial sanctions for similar—or even more serious—breaches.
The company cited the examples of Romania’s DPA imposing a €130,000 (U.S. $152,000) fine on UniCredit Bank, which had revenues of €18 billion (BA’s revenues were €13.5 billion), and Bulgaria’s DPA hitting the country’s revenue agency with a €2.6 million (U.S. $3 million) fine for a cyber-attack that left over five million data subjects vulnerable.
In reply, the ICO said that while the purpose of the GDPR is to secure a harmonized regime—where “equivalent” breaches should attract “equivalent” penalties—“in practice, each case must turn on its own particular facts.” As such, the ICO determined the comparisons do not indicate that Information Commissioner Elizabeth Denham erred in her application of the GDPR.
In fact, the commissioner said it would be “premature” and “not necessarily helpful” to “rely heavily … on a survey of the action taken by other supervisory authorities, given the relatively few decisions that have been taken under the new regime.”
The ICO said there were numerous measures BA could have used to mitigate or prevent the risk of an attacker being able to access its network—all without excessive cost. These include limiting access to applications, data, and tools to only what is required to fulfill a user’s role; undertaking rigorous testing; and using multi-factor authentication.
“[BA’s] failure to act was unacceptable and affected hundreds of thousands of people,” said Denham in a statement.
Reaction to the reduction
Lawyers are divided over the approach the ICO has taken. Some are supportive of the “pragmatic” way the regulator reduced the fine so substantially to take account of the work BA has done to remedy the problems, as well as its current financial woes resulting from the pandemic. Others are simply baffled that a fine could be cut by nearly 90 percent so quickly.
Jonathan Compton, partner at law firm DMH Stallard, believes that “the ICO has adopted a common-sense approach to dealing with breaches and with fines in the age of COVID-19. In so doing, the ICO is to be applauded.”
Vanessa Barnett, commercial and intellectual property partner at Keystone Law, agrees that “it’s great to see the ICO continuing with its attitude of proportionality that existed pre-GDPR.” While Barnett points out that a maximum fine previously available to the regulator under the U.K.’s Data Protection Act 1998 was just £500,000, she believes “a jump to £20 million is a big jump that will still very much focus organizations’ minds on compliance.”
Robert Lands, head of the IP and commercial practice at law firm Howard Kennedy, says that “companies are going to seriously question the penalties that the ICO comes up with in its intention to fine notices after this.” And Gareth Oldale, partner and head of data privacy and cyber-security at law firm TLT, says “the reputational impact of the reduced fine is definitely damaging for the ICO. [The reduction] cannot look like anything other than a huge capitulation on the part of the regulator.”