British Airways penalty - reduction or reformulation?
The ICO’s long awaited and much reduced fine against BA should not lead to significantly reduced expectations for the quantum of future fines.
The UK Information Commissioner's Office (the "ICO") concluded its long-running investigation into British Airways ("BA") last week with a 144-page Penalty Notice and a £20m fine. See part 1 in our series on the BA penalty for a full download. It is fair to say that the ICO's investigation has come in for a fairly rough landing in the press, being described, for instance, as coming to an end "not with a bang, but a whimper".
We're not sure that's fair. Clearly the reduction of the overall fine from the initially intended £183.39m to £20m, a fall of not far off 90%, is dramatic. But this remains a tentpole fine for the regulator. It is far higher than any previous data protection fine imposed in the UK. Whilst not the highest (see the French CNIL's €50m (£44m) fine against Google in January 2019), it is one of the largest GDPR fines anywhere in Europe. Moreover, even if this is not a fine that will, in the ICO's words, cause BA "financial hardship", the success or failure of regulatory deterrence is not determined by the penalty alone. BA has been subjected to significant reputational damage and a class action potentially worth up to £3bn. No rational company could countenance soft-pedalling on its cybersecurity set-up because BA's fine has been lower than expected.
Assuming, however, that the fine is the core element of concern for most firms, the key question for data controllers will be why the BA fine was so much lower than originally intended. That will determine whether the ICO regards a penalty along the lines of that imposed on BA as appropriate for this type of conduct generally (given that the ICO regards this as a serious, negligent breach), or whether the ICO's initial formulation more closely reflects its future expectations (meaning that this particular Penalty Notice is of little precedent value).
Calculation of the penalty
To answer that question we have to get into the detail of the calculation of the actual fine. As the Penalty Notice makes clear, the ICO will always go through the five-step process outlined in its Regulatory Action Policy (RAP) when determining the level of any fine. This requires it to:
Assessment
There are several notable points here. Most significantly, contrary to a lot of speculation (including our own) and early news reports, the fall in the level of BA's penalty does not seem to have been materially because of COVID-19. Rather the overwhelming majority of the reduction has come as part of Step 2 above: as a result of BA's representations the starting point for the fine was reduced from £183.39m to £30m.
Clearly, following BA, companies under investigation by the ICO will know it is worth vigorously contesting the calculation of any fine. But the reason for the BA reduction is key to what expectation levels should be for future penalties. This is particularly the case given that the ICO published draft statutory guidance just a week prior to the publication of the Penalty Notice stating that the starting point for its analysis should be turnover based: where you have a 'serious', 'negligent' breach to which the 'higher maximum amount' (i.e. 4% of annual turnover) applies, the starting point should be 1.5% of annual turnover (see the matrix and our article here). Taking BA's 2017 worldwide annual turnover of £12.26bn (as used in the Penalty Notice) gives you a figure of £183.39m, i.e. exactly that originally intended by the ICO.
So, should we expect penalties in future investigations to align with the Penalty Notice (which as above does not appear to have been overtly influenced by COVID-19 to any great degree) or will they reflect the draft guidance just published by the ICO?
Whilst this must inherently be speculative, we do not think that data controllers should take much comfort from the Penalty Notice that fines will be set at a uniformly lower level.
The Penalty Notice makes clear that the ICO relied on an unpublished 'draft' policy in calculating the initial proposed £183.39m fine but notes that the ICO has accepted BA's representations to the effect that the ICO was not entitled to rely on such internal draft guidance. Reading between the lines, this decision appears to have been key. This is a recalculation, not a reduction, based on the ICO having to drop its reliance on the unpublished draft policy.
That unpublished guidance, like the recently published draft statutory guidance, appears to have treated turnover as the core factor in determining the appropriate starting point. Abandoning this approach, and carrying out an exercise in which turnover was treated as relevant but not as the central factor, has led to a very different result.
Given that the ICO has not changed its view that the breach was negligent and serious, it seems that this concession - accepting BA's representation that it could not rely on unpublished guidance to guide its starting point for the fine - was a key reason for the radically different final figure.
Precisely why the ICO felt it was necessary to concede that it was unlawful to rely on unpublished guidance is not clear from the Penalty Notice. Regardless of the reason, in this particular case, given the apparent similarities between the outcome under the unpublished guidance and the newly published draft statutory guidance that the ICO intends to apply in the future, it does not appear that the ICO stepped back from its initial calculation on the basis that fines at that level were in principle not appropriate. Certainly recent regulatory action abroad gives the ICO cover if it wishes to use it. H&M have just been fined €35.3m (£32.2m) in Germany for a breach relating to the monitoring of only a few hundred employees (see here). Morgan Stanley has been fined $60m (£46m) by the US Office of the Comptroller of the Currency in relation to data security incidents that happened in 2016 and 2019 (see here). Higher fines from the ICO would not necessarily be 'off market'.
We cannot be certain at this stage what precedent value the Penalty Notice has. If our speculation above is correct, it means that the starting point for the final BA fine was calculated using a different framework from the one we can expect to be used for future fines, which will be based on the now published guidance (focussing on turnover as the core factor). Some greater clarity may arrive with a conclusion to the ICO's investigation into the Marriott data breach. But given the proximity in the timelines between the Marriott and BA investigations, it seems likely that that penalty, which is also expected to be much reduced, will also be affected by reliance on unpublished draft guidance in the initial calculation. Certainty may only arrive when further investigations, announced after the publication of the ICO's new statutory guidance, come through.
If you found this interesting, there's a lot more comment you may find helpful on UpData, which provides regular updates on contentious, criminal and insurance risks relating to data, from cyber-attacks to regulatory enforcement.