In the run-up to the GDPR's effective date, companies invested significant amounts of time and money in an effort to comply, but questions have remained about the sweeping EU data protection and privacy regulation.
One of the biggest: would regulators actually use their full power under the GDPR to punish businesses that are found to be in violation of its provisions?
Today, the answer appears to be “yes”, as the UK Information Commissioner’s Office (ICO) announced that it intends to levy a whopping £183m fine on British Airways (BA) for a data breach that enabled attackers to retrieve the personal information of approximately 500,000 of the airline’s customers.
In deciding to fine BA 1.5% of its 2017 worldwide turnover — less than the 4% permitted by the law — the ICO determined that the data breach, which is believed to have started in June 2018, was in part the result of poor security practices. Those practices allowed attackers to obtain personal information that is said to have included names, email addresses and credit card numbers.
Not surprisingly, BA plans to appeal the ICO’s fine and says it is “surprised and disappointed” at the regulator’s decision. It likely isn’t the only company feeling that way given the enormity of the fine, which is the first announced publicly since the GDPR came into effect.
Notably, the BA penalty dwarfs the £500,000 fine levied on Facebook for the Cambridge Analytica scandal, which involved the unauthorized acquisition of data associated with tens of millions of individuals. That fine was the largest ever under the data protection rules that existed prior to the GDPR, raising an obvious hypothetical question: if another Cambridge Analytica happened today, how much would the ICO fine Facebook?
A fine of 1.5% of Facebook’s worldwide turnover would approach a billion dollars. If the ICO decided to be really aggressive and fine Facebook 4% of its worldwide turnover, the amount would be staggering — more than $2bn.
While much uncertainty has existed around regulators’ willingness to wield the full power of the GDPR to penalize companies that fail to live up to the regulation’s standards, very few if any would have predicted that the first public fine would be a nine-figure penalty against a large, high-profile company that was victimized by hackers.
Instead, many would have predicted that the first fine would be far more modest and target a company that seemed to have wilfully flouted the GDPR’s rules or callously disregarded the need to safeguard its customers’ data and/or privacy.
In going after BA for a hacking-related data breach, it would seem that the ICO is trying to send a very strong message.
Despite the fact that the ICO could decide to reduce its fine upon BA’s appeal, its action is a warning shot across the bow of all companies subject to the GDPR: if you thought the new law was a paper tiger, think again. Businesses that haven’t taken compliance seriously or aren’t sure whether their compliance efforts are sufficient would be wise to react accordingly.