The UK's Information Commissioner's Office ("ICO") today (8 July 2019) announced its intention to fine British Airways ("BA") £183.39m under the General Data Protection Regulation ("GDPR") for a personal data breach. This is the highest fine issued so far by a European Union data protection supervisory authority for a personal data breach under the GDPR.

The breach, described as a "sophisticated, malicious criminal attack", was first disclosed on 6 September 2018. Details of approximately 500,000 BA customers were compromised during the breach, which involved the diversion of user traffic from the BA website to a fraudulent website. The personal information compromised included names, email addresses and payment card details used during the booking process. The ICO indicated that BA cooperated with the ICO investigation and has made security improvements following the incident.

The penalty is reported to amount to about 1.5% of the global annual turnover of BA in 2017.

The GDPR established two tiers of penalties that can be issued by data protection supervisory authorities – the standard maximum and the higher maximum. The standard maximum allows for a fine equal to the greater of 10 million Euros or 2% of total annual worldwide turnover in the preceding financial year of the relevant undertaking for a violation of certain provisions, whereas the higher maximum allows for the greater of 20 million Euros or 4% of the total annual worldwide turnover in the preceding financial year of the relevant undertaking for a violation of other provisions, including data protection principles or data subjects' rights.

The penalty issued to BA falls under these thresholds, which may reflect BA's cooperation with the ICO investigation and that it has made improvements to its security practices since the incident was discovered. BA has 28 days to make further representations to the ICO about the calculation of the fine before the ICO makes its final decision. The ICO has said that it will carefully consider any representations made by BA and the other European data protection authorities before it takes its final determination.

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2019. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.