The £183m fine imposed by the Information Commissioner’s Office (ICO) on British Airways has been announced today

July 8, 2019

2019 was looking likely to be the year in which the ICO would flex its muscles. The £500k fine imposed on Facebook now looks pretty paltry, especially given the relative scale of Facebook and BA (Facebook’s revenues are about 4 times BA’s, which were £12.2Bn in 2017).

The ICO has the power to impose a fine of up to 4% of a business’s worldwide annual revenue. The BA fine, although eye-watering, is only approximately 1.5% of the airline’s annual revenue, a long way short of the maximum 4% level.

This raises the question: did the ICO conclude that the cause and/or the impact of BA’s loss of personal data was not as severe as some of the scenarios envisaged? Perhaps the loss of personal data in medical records, rather than credit card information, would attract a higher percentage, or perhaps the ICO considered that the speed at which BA responded and subsequently co-operated with the investigation should be reflected in the percentage applied.

The introduction of the General Data Protection Regulation (GDPR) has had some of the desired effects; data owners and processors have reviewed their approaches and changes have been made. But it’s to be expected that the regulator should demonstrate its powers in its first few years. The key question now is when we’ll see a maximum 4% fine being applied and why, as opposed to whether it will be applied.