On July 8, 2019, the Information Commissioner's Office (ICO), the UK data protection authority, announced its intention to fine British Airways over EUR 200 million for violations of the General Data Protection Regulation (GDPR). British Airways had previously made a respective announcement to the London Stock Exchange.

The fine proceedings was initiated after a notification to the ICO in September 2018. User traffic to the British Airways website and app was diverted to a fraudulent site which had been "harvesting" personal data from some 500,000 customers, allegedly since June 2018. According to the ICO, this also included log-in, payment card, and travel booking details as well as name and address information. British Airways cooperated with the ICO investigations and has improved its previously, according to the ICO, inadequate security measures.

Nevertheless, the ICO issued a notice of its intention to hear British Airways on the proposed fine of GBP 183.39 million (more than EUR 200 million). According to the GDPR's principle of a one-stop shop, the ICO is to be solely responsible for sanctioning the breach of data protection obligations by British Airways. Following the announcement to the London Stock Exchange of the announced fine, which represents about 1.5% the worldwide annual revenue of British Airways in the year preceding the infringement, the company's share price fell.

The ICO has not yet imposed the fine. British Airways has an opportunity to comment. Its parent company has already announced that it will take steps against the fine.

Practical tip:

Data protection authorities are stepping up sanctions for violations of data protection. The French supervisory authority imposed a fine of EUR 50 million on Google. Now the UK supervisor is announcing a fine of EUR 200 million against British Airways, which did no benefit from the infringement. Numerous fine proceedings are also under way in Germany.

For all those who do not (yet) want to believe it: It is recommended, not least for financial reasons, to implement the requirements of the GDPR strictly and in full.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.