If you are a regular follower of XPAN Law’s blog for cybersecurity news and updates or have tuned in to hear us at one of our speaking engagements, you know that we have been closely monitoring the European Union’s (“EU”) thorough investigation and corresponding enforcement action against British Airways for violations under the General Data Protection Regulation (“GDPR”). In fact, just this past week, the Information Commissioner’s Office (“ICO”) somewhat predictably reduced its original €183 million fine against British Airways to €20 million (or approximately $26 million). The ICO not only deals with the GDPR but also other privacy laws and regulations, namely in England, Wales, and Northern Ireland. But before rushing to any hasty conclusions that the ICO and other regulatory bodies across Europe are easing up on the severity of, or commitment to, GDPR enforcement, let us first do what any great trial attorney would do before leading a jury through his/her summation and take a breath and systematically examine the reasons that the ICO contemplated this reduction. And, the number one extraordinary reason is likely the rise of a generational pandemic or COVID-19.
1st – The Hack
Back in 2018, British Airways revealed that hackers had breached its website and application to exfiltrate the data of roughly 400,000 British Airways customers. The data taken included customer login and payment card information, as well as names and addresses. The information compromised was the result of a vulnerability in the third-party Javascript used on the British Airways website. From all indications, when users went to book their flights through the application or website, users were directed to a fake website that siphoned off their personal data. It is believed that the hack was done by a group called Magecart.
British Airways later apologized for the data breach, but the damage was already done. This consequently triggered an ICO investigation into the cause of the breach. Thereafter, the ICO investigation revealed that British Airways did not have adequate security measures in place in order to process the sensitive personal information. In originally issuing the €183 fine back in 2019, the ICO determined that British Airways should have identified its security weaknesses that went undetected and unresolved for over 2 months. In explaining the value of strong enforcement, ICO Commission Elizabeth Denham is quoted as saying, “When organizations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”
2nd – The Fine
When the ICO initially announced that its original fine of €183 was being reduced to €20, some naysayers rushed once more to comment that the GDPR, and frankly privacy in general, is not being adequately protected. However, these naysayers erroneously examined the ICO’s action in a vacuum instead of analyzing the full contextual picture. Taking into account the current economic climate that includes a severe global pandemic, it is really no surprise that the ICO would cite the COVID-19 pandemic as one of its “considerations” for reducing the original fine. Notwithstanding, a €20 fine is nonetheless still significant. One need only look at the recent layoffs by American Airlines and United Airlines to appreciate the huge impact the global pandemic has had on the travel industry generally and the airline industry specifically. For example, reports indicate that air travel has sharply dropped over 55% since the beginning of the pandemic.
The Aftermath
At the end of the day, the fine to British Airways is still largely significant and a wake-up call t. For the record, it is the largest fine issued by the ICO to date but should by no means be taken as an endpoint. It clearly shows that the ICO is not going to let struggling companies get a free pass when it comes to violations of their obligations under GDPR and data security no matter the circumstance. It provides what many of us appreciate to be a cautionary tale to companies that the ICO, and the data protection authorities across Europe, is not only serious about GDPR but is actively enforcing it too. Take care not to be lulled into a false sense of confidence that just because the ICO reduced British Airways’ fine that it will likewise extend your company the same courtesy. Such a thought would be like rolling the dice.
If we have learned anything from 2020, it is that it is the year of exceptions and the exceptional. So when examining the British Airways case, it is fair to say organizations should take the lesson and never mind the exception. It took an astounding worldwide pandemic and massive unemployment to get the ICO to contemplate a reduction of the British Airways fine. Next time, the odds favor that an organization will not get so lucky. If your organization is concerned about its GDPR compliance, please do not hesitate to reach out.
* * * * * *
Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.