If the UK Information Commissioner's Office wanted to send a message that companies need to treat personal information data breaches seriously in the post-GDPR era then it has certainly done that.
BA suffered a serious hack where hackers harvested personal information from approximately 500,000 customers, including credit card information. Once it became aware of the breach BA acted very responsibly, and dealt with the breaches and its obligations under the GDPR. Despite this, they are likely to be fined $350M.
The size of the proposed fine has caught most commentators by surprise. For example, last year Facebook was fined £500,000 for a data breach (under the old UK Data Protection Act) which impacted 87 million users in the Cambridge Analytica scandal.
However, the penalties available under the GDPR are significantly higher: for this type of breach they are the greater of €20M or 4% of global turnover.
The proposed BA fine reflects approximately 1.5% of global turnover, and so could have been a lot worse. However, if the ICO finalises its proposed penalty, it is inevitable that BA will appeal.
The message from the ICO is clearly 'if you aren't taking your obligations under the GDPR seriously, you should be'.
This is a good example of a regulator wielding a big stick to drive compliance and corporate behaviour. Consumer advocates in New Zealand must be looking on in envy at the level of fines being meted out. The penalties under New Zealand's Fair Trading Act (FTA) are paltry in comparison.
A recent example is 2 Cheap Cars, which was found to have breached the FTA. This is not 2 Cheap's first run-in with the Commerce Commission or the FTA. Its behaviour in this case was described as "plainly unfair conduct", "deliberately misleading rather than just plain careless" and "extensive offending".
Yet, despite its conduct, it was fined only $438,000, largely because of the maximum penalties available under the FTA.
Many people's first reaction to the £183m fine that the Information Commissioner plans to levy on British Airways will have mirrored mine - surely the decimal point must be in the wrong place? After all, the proposed penalty is roughly 367 times as high as the previous record fine, the £500,000 imposed on Facebook over the Cambridge Analytica scandal.