The UK Information Commissioner’s Office (“ICO”) announced on 16 October 2020 that it has ultimately decided to fine British Airways (“BA”) £20 million for BA’s contraventions of the General Data Protection Regulation (“GDPR”) associated with the personal data breach BA first disclosed on 6 September 2018, which affected the personal data of over 400,000 customers and staff. This final amount is a substantial reduction from the £183.39 million fine the ICO first announced it intended to issue in its notice of intent in July 2019 (the “Initial Notice”), although the fine still remains a significant sum and the largest issued by the ICO to date under the GDPR.
The £20 million fine is approximately 0.16% BA’s worldwide annual turnover for the year ending on 31 December 2017 (approximately £12.23 billion), coming well under the maximum 4% fine that could have been issued by the ICO using its powers under the GDPR (a £183.39m fine would have been just under 1.5% of BA’s worldwide annual turnover in that year). Before reducing the fine, as part of the lengthy process undertaken by the ICO, the ICO explained that it considered both representations from BA and the economic impact of COVID-19 on BA’s business before setting the final penalty.