How does the Information Commissioner’s Office determine the level of fine?

In October 2020 the Information Commissioner’s Office (ICO) imposed a penalty of £20 million on British Airways following a data breach involving more than 400,000 customers - a significant reduction from its original intention to issue a fine of £183 million. What factors does the ICO consider in determining the appropriate level of a fine?

23 September 2021

In October 2020 the Information Commissioner’s Office (the “ICO”) announced that it was issuing a Penalty Notice to British Airways (“BA”), imposing a financial penalty of £20 million following a data breach that resulted in hackers obtaining the personal data of 400,000 BA customers. This was a significant reduction from the ICO’s original intention to issue a fine of £183 million. 

This article discusses the factors that the ICO considers in determining the appropriate level of any financial penalty, including any mitigating or aggravating factors, and what can be learnt from this case. 

British Airways’ data breach

As is now well-known, in June 2018, BA fell victim to a cyber-attack in which the attacker was thought to have accessed the personal data of approximately 429,612 customers and staff. The breach went undetected by the company for two months. In June 2019, the ICO issued a Notice of Intention to fine BA £183 million, equalling around 1.5% of BA’s revenue in 2018. 

The penalty notice for the BA data breach was the most significant to be proposed by the ICO under the Data Protection Act 2018, for which penalties can be as high as 4% of an organisation’s worldwide turnover or €20 million. Up until this case, the largest fine imposed by the ICO was £500,000 – the maximum permitted under the predecessor Data Protection Act 1998 – on Facebook, for its involvement in the Cambridge Analytica controversy. 

How does the ICO determine the level of a monetary penalty?

In considering whether to impose a monetary penalty, and in calculating that penalty, the ICO had regard to factors set out in the General Data Protection Regulation (the “GDPR”), as well as the steps outlined in its Regulatory Action Policy. 

Article 83 of the GDPR provides a number of factors to be considered, including:

  • the nature, gravity and duration of the infringement;
  • the number of data subjects affected and the level of damage suffered by them;
  • the intentional or negligent character of the infringement;
  • any relevant previous infringements;
  • the degree of cooperation with the supervisory authority; 
  • the categories of personal data affected by the infringement;
  • the manner in which the infringement became known; and 
  • any other aggravating or mitigating factors applicable to the case. 

The Regulatory Action Policy sets out a five-step approach for the ICO to consider when determining the amount of penalty for a breach. The Policy also states that, generally, the penalty will be higher where: vulnerable individuals or critical national infrastructure are affected; there has been deliberate action for financial or personal gain; advice, guidance, recommendations or warnings (including those from a data protection officer or the ICO) have been ignored or not acted upon; there has been a high degree of intrusion into the privacy of a data subject; there has been a failure to cooperate with an ICO investigation or enforcement notice; or there is a pattern of poor regulatory history by the target of the investigation.

Step 1 – removing any financial gain

The GDPR requires that any financial gain that the data controller may have obtained from the breach be removed. This is consistent with ensuring that the penalty is effective, proportionate and dissuasive under Article 83(1), and has regard to Article 83(2)(k), which refers to “financial benefits gained, or losses avoided, directly or indirectly, from the infringement”. 

Step 2 – censure based on scale and severity

The ICO was particularly concerned in this case about the nature of the failure, stating that BA was processing a significant amount of personal data in an insecure manner. There were multiple measures that BA could have put in place to prevent or mitigate the attack. 

Step 3 – aggravating factors

The ICO did not consider that there were any aggravating factors and so BA’s penalty was not increased to reflect this. 

Step 4 – deterrent effect

The ICO is under an obligation to impose a penalty that is dissuasive. Given the size of the penalty already identified under Step 2 above, the ICO did not increase BA’s penalty further under this step. 

Step 5 – mitigating factors, including ability to pay and financial hardship

The ICO took into account gaps in BA’s IT security systems that could have been addressed without the company incurring excessive cost or overcoming technical barriers. The fact that it was a third party that discovered the cyber-attack and breach, rather than BA itself, was also significant. 

However, in mitigation the ICO also took into account the steps that BA had taken since the breach, including investment in its IT security systems, notifying data subjects, implementing remedial measures, and co-operating fully with the ICO’s enquiries. The ICO also learned that the events leading to the attack meant that BA was less blameworthy than had originally been thought. 

Having regard to these mitigating measures, the ICO determined that it was appropriate to reduce the proposed penalty of £30 million by 20% to £24 million. 

What impact did the COVID-19 pandemic have? 

The impact of the COVID-19 pandemic on the airline industry, and the consequent financial hardship, were also factors in the ICO’s decision. In addition to hearing arguments from BA, the ICO had published guidance on its regulatory approach during the COVID-19 public health emergency. This policy required it to assess the state of the company in the current market and, before issuing fines, to take into account the economic impact and affordability. 

The ICO said that the level of fine would have been £24 million, but for the application of its COVID-19 policy. Having regard to the impact of the pandemic (on BA and more generally), and consistently with the ICO’s published guidance, a further reduction of £4 million was deemed appropriate and proportionate. 

Therefore, the final penalty payable by BA was set at £20 million. 

Key learnings from this case

Though reduced from its original proposed amount, the fine to BA is still significant and reflects how seriously data breaches are now treated. Businesses will take some comfort from the fact that the ICO took into account mitigating measures and reduced the fine by 20% accordingly. It will be important, therefore, for any business that becomes aware of a data breach to consider what steps it can take to mitigate the effects or harms caused, if it wants to mitigate the financial penalty likely to be imposed. 

However, prevention is better than cure and another takeaway from this case is that BA could have taken steps to prevent or even mitigate the breach, had it kept its IT systems up to date and taken a more proactive approach to IT security. 

For further information please contact Ruairidh Leishman or Seraphine Wuersch, of our commercial disputes team, or your usual Shepherd and Wedderburn contact.