Data Protection In Air Travel: The British Airways Case

BA photo .jpg

Following a 2018 cyber-attack, British Airways received a notice of intention, from the Information Commissioner’s Office (ICO), outlining a fine proposal of approximately £183m.

However, a review in 2020 led to a significant decrease of the penalty. The aviation business will now be required to pay £20m for its misconduct when handling customers’ data.


What was the legal rationale behind the fine?

The fine was issued under the Data Protection Act 2018, for a lack of compliance with GDPR rules. EU regulators found that the company failed to protect personal and financial details of over 400,000 customers. Hackers were able to retrieve information from both the company’s website and its mobile app.

 The ICO concluded that the company did not ensure adequate security measures. The ICO has outlined policies, BA ought to have acted upon in order to protect its customer base. These included limiting access to applications, undertaking rigorous testing and ensuring multi-factor authentication.

 The final alteration towards the penalty was predominantly the results of further circumstantial investigation, which revealed that less responsibility should be placed on BA. Approximately £4m of the deducted sum also accounts for ICO’s COVID-19 policy, which acknowledges the current trend of economic decline. Luis Gallego, chief executive of BA’s parent company IAG, has said the industry has been subject to the “worst crisis”.

BA upheld it position, stating that it “alerted customers as soon as… (it) became aware of the criminal attack”.

 Despite the review, the fine remains the highest in ICO’s history. Elizabeth Denham, the Information Commissioner, has underlined that the company’s “failure to act was unacceptable and affected hundreds of thousands of people”. Data protection officer, Carl Gottlieb emphasized that £20m in the current economic sphere is “massive”. In his view, this implies “ICO means business and is not letting struggling companies off the hook”.

 Since the introduction of GDPR rules in May 2018, any data breaches, within the European territory, have been subject to greater scrutiny. The EU is now able to fine companies up to 4% of their global revenue. Indeed, the original value of the proposed fine was to equate to around 1.5% of BA’s annual turnover. 

 Denham believes that the law introduced in 2018 provides the “tools to encourage businesses to make better decisions about data, including investing in up-to-date security”. The case presents a shift in regulatory action and highlights that GDPR rules aren’t directed exclusively towards the supervision of Big Tech firms.

By: Zuzanna Potocka

 

The Corporate Law JournalComment