Well over a year since the Information Commissioner's Office (ICO) announced its intention to fine British Airways £183m for contraventions of the General Data Protection Regulation (GDPR), the actual figure has been announced, and it is a considerably reduced (but still large) sum of £20m.
As will be recalled, the ICO investigation arose after BA was subject to a cyber attack in 2018. The ICO's basis for the fine was that, as "BA ought to have identified weaknesses in its security and resolved them with security measures that were available at the time", it had failed to comply with its obligations under GDPR to ensure that personal data was processed in a manner that ensured appropriate security, using appropriate technical or organisational measures (see Articles 5(1)(f) and 32 of GDPR).
Analysis of the underlying penalty notice reveals that various factors lay behind the shift from the proposed £183m to the final figure of £20m, but that the financial impact of COVID-19 was not a significant factor. Far more significant, it appears, was the fact that the ICO initially based its fine calculation on an internal document (a "Draft Internal Procedure") for calculating proposed penalties, whose purpose was "to provide a guide, by reference to the turnover of the controller" as to an appropriate penalty for infringements of GDPR. Although GDPR does – famously – provide for maximum fines of up to 4% of an undertaking's annual turnover, it does not say that such turnover information is to be used to calculate the amount of a fine, and it appears that BA strongly argued that it should not be (i.e. a company's turnover can determine where a cap should be set on a fine, but not used to calculate a sum underneath that cap).
Although the ICO says in the notice that it remains of the view that turnover is a relevant consideration in determining an appropriate level of penalty, it appears to have conceded that it could not, or at least should not, use its Draft Internal Procedure for the purposes of calculating the BA fine. Although nowhere does the notice say that this dropping of reliance on the Draft Internal Procedure in itself led to the fall in proposed penalty from £183m to a much lower figure, one can infer that this was the case. What is clear is that BA, and its lawyers, argued strongly against the ICO's initial approach.
Whilst COVID-19 and its effect on BA were taken into account, this only led to a £4m discount (BA's responsiveness to the original incident, and its cooperation with the ICO's investigation, were also mitigating factors).
We understand that BA will not be appealing the fine, so – for the time being – we will have to wait for any judicial analysis.
Meanwhile, the ICO's proposal to fine Marriott Inc. £99m remains undecided. If Marriott's lawyers have taken a similar approach to BA's, then it would be unsurprising (as we have previously observed) if a smaller final fine emerges in that case as well.