The credibility of GDPR could be “completely undermined” if it reduces British Airways’ fine by 90pc, experts have warned.
The Information Commissioner’s Office announced its intention to fine the airline a record £183.3m last year after hundreds of thousands of customers’ financial and personal details were stolen during a cyber attack in 2018.
Discussions between British Airways and the ICO around the fine are still ongoing; however, the airline’s parent IAG set aside €22m (£20.1m) in its interim results published last week.
GDPR was introduced by the European Commission in 2016 as a way to give consumers more control over their data and make companies take the storage of user data more seriously. Under the legislation, businesses can face fines of up to 4pc of their annual revenue for a serious breach.
BA said the exceptional expense was in relation to the “theft of customer data” two years ago. If correct, it would represent a 90pc write-down in the original fine.
Director of consumer action firm Your Lawyers Aman Johal said such a reduction would be an “affront” to data protection.
“Given the volume of breaches that have taken place in recent years, it is clear to us that the importance of data protection is still not at the top of the agenda,” Mr Johal said.
“Such a substantial reduction could seriously undermine the purpose of the GDPR, which was to act as a credible deterrent for organisations to ensure that they protect the information they store and process.”
Mr Johal said that he understood the “significant issues” facing the aviation industry but that fair punishment for the breaches in 2018 “cannot be avoided”.
In April, British Airways’ owner IAG warned that it could cut up to 12,000 jobs as the coronavirus grounded flights across the world.
Co-head of data governance at Forensic Risk Alliance Britt Endemann said the impact the pandemic has had on aviation could have influenced the final fine.
“I feel for the ICO in this because what would the reaction have been if they had stuck to the massive fine? They would crush an industry that had already been crippled,” she said.
“We thought the original fine looked a little high but we never thought there would be that much of a reduction. The ICO doesn’t want to be seen as weak and they want to send messages to the larger corporations especially.”
Ms Endemann said that in the future the ICO should announce a “minimum” intention to fine first and then add to it over time.
“I think they really have to re-think the order of how they’re sending these messages out and leveraging provisional fines,” she said.
Head of data privacy at Pillsbury Law Rafi Azim-Khan said the initial announcement by the ICO may have set “false expectations”.
“Although big businesses are always likely to appeal and any heavily-reduced fine will no doubt attract ‘toothless’ headlines, this would provide false comfort and is somewhat missing the point,” he said.
“Whatever fine level is settled on, with any reduction in part to reflect Covid-19’s financial hit to airlines, it will still be a multi-million pound fine, possibly forty times higher than under the prior law.”
When revealing the original intention to fine, the ICO said the airline was compromised by “poor security arrangements”.
The regulator said that the figure of £183.4m was arrived at after an “extensive investigation”.
In June 2018, user traffic to the British Airways site was redirected to a fraudulent site where customer details were harvested by attackers. The ICO said that around 500,000 customers were compromised during the incident.
When asked about the potential write-down in the fine, a spokesman for the ICO said: “The regulatory process is ongoing and we will not be commenting until it has concluded”.
British Airways said it was providing no comment on the matter at this time.
Losses in the industry are expected to top around £66bn this year, according to the International Air Transport Association.
This week, Sir Richard Branson’s Virgin Atlantic warned that it could run out of cash next month if creditors did not agree to a £1.2bn rescue deal.
Under GDPR rules, companies are obliged to inform the ICO of a cyber breach that affects personal data. Businesses can be fined up to 4pc of their annual turnover.