British Airways to be fined a record £183m for data breach

Posted by Jon Belcher, 8th July 2019
The Information Commissioner’s Office (ICO) has today (8 July) announced its intention to fine British Airways a record-breaking £183 million for a serious breach of data protection law.

This is significant because it would be the first such action taken by the regulator in the UK since the General Data Protection Regulation (GDPR) came into effect in May 2018.  The proposed fine equates to 1.5% of BA’s global turnover, and would dwarf any previous fine issued in the UK under data protection rules.  Before May 2018, the ICO only had the power to issue fines up to £500,000, whereas under the GDPR fines of up to the greater of €20m or 4% of worldwide turnover can be imposed.  Whilst other European regulators have issued fines under the GDPR, until now the ICO has not done so.

This case relates to a major cyber security incident during 2018 which led to the names, addresses and payment card details of approximately 500,000 BA passengers being compromised.  Under data protection law, organisations must put in place appropriate measures to keep the personal data of individuals secure.  The ICO says that BA had failed to protect that data from being stolen.

It is important to note that this is not yet a fine.  Before it imposes a fine under data protection law, the ICO must issue what is known as a ‘notice of intent’.  This is a notice which states the ICO’s intention to impose a fine and gives the organisation the opportunity to make final representations.  It appears from comments in the media today that BA will be making further representations, and so we will not know the precise size of the fine for at least another month.  Nevertheless, this announcement is certainly a timely reminder for organisations to make sure that they are taking adequate security measures and handling personal data appropriately.

Enjoy That? You Might Like These:


22 March - Ben Evans
Adidas has had success protecting its Originals trade mark by cancelling a similar trade mark based on a cannabis leaf. In August 2017, Addicted Original Ltd ("Addicted") registered a UK... Read More


22 March - Paul Caldicott
In a recent decision in the Court of Appeal, two local authorities (the Claimants) lost 'test cases' after attempting to recover business rates arising from empty properties. The impact the... Read More


22 March - Nicola Diggle
When the Court will sort out a mistake in corporate acquisition legal documentation: Recent Court of Appeal Judgment in Persimmon Homes Limited v Hillier & Creed [2019] EWCA Civ 800.... Read More