The UK privacy regulator, the ICO, has announced its intention to impose the largest fine to date under the GDPR. The announcement follows British Airways’ failure to protect the personal data of 500,000 customers from malicious hackers.
The proposed fine of over £183 million (approximately NZ$346 million) was announced yesterday, and will be issued under the GDPR and the UK Data Protection Act (the UK legislation that complements the GDPR). It represents approximately 1.5% of British Airways’ worldwide revenue in 2017. The previous largest fine issued under the GDPR was a €50,000,000 fine issued to Google by the French data protection watchdog in January this year.
British Airways had notified the ICO of a cyber incident in September 2018. Malware on British Airways' website led to the diversion of users to a fraudulent site. This diversion enabled malicious hackers to harvest customer details. The personal data of approximately 500,000 customers were compromised during the incident, which the ICO found to be the result of ‘poor security arrangements’.
The fine has particular significance given that British Airways cooperated with the ICO investigation. The potential fine could have been even higher if British Airways had been less cooperative.
British Airways now has the opportunity to make written representations to the ICO in response to the ICO’s notice of intent, before the ICO confirms the level of the fine by issuing a penalty notice. British Airways will also have the opportunity to appeal the fine after the penalty notice is issued, and it is expected to do so.
New Zealand Privacy Commissioner John Edwards described the proposed fine as ‘taking privacy seriously’.
Although the ‘teeth’ available to New Zealand’s Privacy Commissioner are nowhere near as ‘sharp’ as those of his UK counterpart, New Zealand-based organisations should know that:
If you need advice about how to mitigate the risk of enforcement action, or you’d like to know about your obligations under the GDPR or under New Zealand privacy law, please contact Hayden Wilson, Hayley Miller, Campbell Featherstone, or Gretchen Fraser.
This article was written with the assistance of Emily Tombs, solicitor.