Article 6: Does the ICO have real teeth?


October 19th, 2020

Ladies and gentlemen, I ask the question above because today we finally have news on the ICO’s penalty to British Airways, regarding their 2018 personal data breach. We know the history – in July 2019 the Information Commissioner issued British Airways with a notice proposing to impose a fine of £183m. It looked like an unequivocal signal to the world of commerce that if it could not keep customer personal data secure, the consequences would be severe. Today it has been revealed that the fine is to be £20m, a reduction of over 90% from the first figure. Why the reduction? After three rounds of submissions from BA, the ICO has stated:

The ICO regarded the data breach as serious in terms of nature and duration, but:

  • BA did not gain financially as a result of the breach
  • The infringement was not intentional or deliberate, but BA was responsible for the infringements found
  • BA had no relevant previous infringements or failures to comply with past notices
  • BA fully co-operated with the investigation
  • No “special category” data were affected
  • BA acted promptly when notifying the Commissioner

Further consideration was given to:

  • The immediate remedial actions taken by BA, both technical and towards its customers, including the offer to reimburse financial losses resulting from the attack and making available a free credit monitoring service
  • The fact that BA promptly informed the affected data subjects and law enforcement/regulatory agencies, and cooperated with the investigation
  • The fact that BA’s brand and reputation were adversely affected

It’s thought that the economic consequences of Covid-19 contributed only a minor part, £4m, of the reduction to the tariff. The main reason, however, is thought to be a change in ICO ideology: a penalty shouldn’t simply be a percentage of the defaulting corporation’s turnover. BA had attacked this method, saying it was based on an unpublished policy and hence unlawful. Is percentage of turnover a simple metric, or could it make ICO fines simply a penalty on success?

Other points we’ve learnt are that:

  • It is wrong to rely on cases issued under the previous regime
  • There will probably continue to be arguments about ‘legal certainty’
  • BA thought that parts of GDPR were in conflict with each other – different fines for the same obligations. The ICO disagreed.

I’m sure some of these points will be argued about in future cases! But I come back to my original question – is this drastic reduction from £183m to £20m a sign of ICO pragmatism or weakness? If weakness, can the ICO’s teeth be sharpened before the next big case?