LONDON - Europe’s data police have new fangs that are turning out to be pretty sharp. British Airways was told on Monday it faced a 183 million pound penalty for the theft of customer information from its website last year. That would be a record hacking fine and dwarfs the 500,000 pound maximum paid by Facebook under old European Union rules. The airline got some credit for notifying the UK Information Commissioner’s Office (ICO), which polices the rules nationally. But the size of the punishment sets a painful precedent.
The British Airways case, in which around 500,000 customers’ personal information was compromised by hackers, is the first high-profile test of the EU General Data Protection Regulation (GDPR), which came into effect last year. In some ways, the penalty was not as severe as it could have been.
Under the new regime, the maximum punishment is 4% of global revenue. Yet the fine announced by the ICO amounts to 1.5% of British Airways’ 2017 sales. That reflects the airline’s owning up to the “sophisticated, malicious criminal attack” on its website. The punishment could also have been harsher had the ICO used revenue from British Airways’ parent IAG, which also owns Iberia and Aer Lingus, as its benchmark. Sensibly, the ICO appears to have decided to exclude revenue from the Spanish and Irish units, which did nothing wrong.
But even for a 9 billion pound company, it’s not small change, representing more than 5% of IAG’s forecast operating profit for this year. That explains the 1% fall in its share price on Monday and Chief Executive Willie Walsh’s hint that he might consider an appeal.
Yet watering down the fine would send the wrong message to the likes of Facebook. Using the same 1.5% of 2017 sales metric, the social media giant would have had to pay $610 million for its role in the Cambridge Analytica scandal, in which the personal data of 87 million people was compromised. Companies this big will only take data privacy seriously if national watchdogs show their bite lives up to their bark.
- Britain’s Information Commissioner’s Office (ICO) said on July 8 it would fine British Airways 183 million pounds for infringing European Union data-protection rules, called GDPR, that came into force in 2018.
- The fine came after the personal data of approximately 500,000 customers was compromised by hacking that was believed to have begun in June 2018 and which the airline notified the ICO about in September 2018.
- British Airways Chairman and Chief Executive Alex Cruz said he was “surprised and disappointed” by the decision. The airline’s parent, International Airlines Group, said it would defend the airline’s position vigorously, including making any necessary appeal.
- IAG shares were down 0.6% at 453 pence by 0825 GMT on July 8.
(Editing by Swaha Pattanaik and Bob Cervi)
© Reuters News 2019