British Airways, data breach fines and credibility
A material reduction in the BA data breach fine poses challenges for the market perception of the ICO and GDPR enforcement generally.
We - and indeed many others - have previously written about the UK Information Commissioner's Office's (ICO) intention to fine British Airways the significant sum of £183.39m in respect of its well-publicised data breach, in which, beginning in June 2018, the personal data of some 500,000 customers was compromised. The level of that suggested fine, notwithstanding that at 1.5% of revenue it was far from the top of the range available to the ICO, combined with the announcement (the very next day) of the ICO's intent to fine Marriott International £99.2m, was seen by many as a step change in data protection enforcement. It seemed to go some way towards substantiating the rampant fearmongering in advance of GDPR entering into force and to announce the ICO's arrival as a regulator of real stature. Whilst the scale of those intended fines came as a surprise to the market, they have over the last year set market expectations for the regulatory peril that might follow from a serious cyber incident.
However, the BA and Marriott fines have been repeatedly delayed, both pre- and - rather more understandably - post-lockdown. The current deadline, though it has already been rolled over several times, is this August. It is being reported that British Airways has now (through its parent company IAG's filings) revealed it could end up paying a significantly lower fine. In July IAG's Interim Management Report listed a €22m exceptional charge related to the breach (roughly £19.8m, less than 11% of the pre-announced figure). That does not guarantee that the fine has been set at that level. Per IAG's results it "represents management's best estimate of the amount of any penalty issued by the [ICO] ... The process is ongoing and no final penalty notice has been issued".
However, it does mean that in the period since its Annual Report in March something has changed such that (i) IAG is able to put a figure to its potential liability, which it had not done previously, and (ii) presuming that IAG's disclosure is not a complete red herring (which appears unlikely), the final figure is dramatically lower than market expectations. A fall is in and of itself unsurprising. Some moderation from the initial notified figure was always likely to occur in the regulatory process between BA and the ICO. The COVID-19 pandemic was also obviously going to be a factor. The extent of that fall - if €22m does end up being in the right ballpark - is, however, unexpected.
There's obviously much more to effective regulation than the imposition of large penalties, but given this potentially dramatic reduction, it's worth considering in the round whether the much heralded threat of GDPR enforcement has ever really substantiated itself. Looking at the figures, and comparing internationally, the only possible conclusion is that it hasn't. The only really significant finalised enforcement actions are those of the French CNIL against Google ($57m) and the Italian GPDP against Telecom Italia ($30m). The ICO's largest (and only) GDPR fine is £275,000 against the pharmacy Doorstep Dispensaree. The vast majority of GDPR fines to date have been similarly conservative.
The simple table below, which sets out the ten largest recorded data breach fines globally plus the BA and Marriott fines at the levels initially disclosed, paints a stark picture. If the level of BA's fine as now being suggested is accurate and the equally long delayed Marriott fine takes a similar dive, the ICO disappears from the rankings entirely¹. Moreover, in that scenario, the GDPR "fear factor" appears to be little more than the product of data security consultants' and lawyers' fond dreams. As elsewhere in the enforcement sphere, and despite the supposedly less developed data protection framework in the US, it is American regulators who have - by far - packed the biggest punch.
There are many reasons for this disparity, not least the size of the American market and the location of the tech giants. It is also impossible to ignore the likely effects of the COVID-19 pandemic and the critical impact this has had on the travel industry. It is also of course perfectly possible that BA has successfully engaged with the process and convinced the ICO that the original intended fine was disproportionate to the actual breach. Some industry calls to the effect that the reduction will "completely undermine" the GDPR are overkill. But, ultimately, given the jump in the ICO's profile and the market expectations generated by the sheer size of the suggested BA and Marriott fines - together with more extensive activity abroad - it is obvious that if those two enforcement actions are dramatically reduced there is more likely to be a perception that the ICO's status, and indeed the threat of GDPR enforcement as a whole, has been overplayed. The context of the damage caused to the airline industry by COVID-19 is important - and the ICO has entirely properly said it would need to "adjust [its] regulatory approach to reflect these extraordinary times" - but there is no doubt that a materially reduced fine for BA (whether or not deserved) has the potential to be damaging to the ICO's status as a regulator of note.
¹ As an aside, this will be far from helpful in advancing the case for an EU adequacy decision in favour of the UK following the end of the transition period. When combined with the ICO's sole GDPR fine (compared to 340 across the EU), the UK's enforcement of GDPR does not appear to be particularly forceful.
If you found this interesting, there's a lot more comment you may find helpful on UpData, which provides regular updates on contentious, criminal and insurance risks relating to data, from cyber-attacks to regulatory enforcement.