The Information Commissioner’s Office (ICO), the United Kingdom's equivalent of the Cnil, has just reduced the fine imposed on British Airways to £20 million following the theft of 400,000 customers' data in 2018. Originally, the amount of the penalty was set at 184 million pounds, or around 202 million euros, as TechCrunch recalls.
A decision motivated by Covid-19
It was the financial difficulties caused by the health and economic crisis linked to Covid-19 that motivated the ICO’s decision. The British CNIL said the reduction in the fine had been approved by other national data protection authorities.
The pandemic serves as a justification for relaxing regulatory principles for companies in great financial difficulty. It remains to be seen what consequence the British authority's position will have on future judgments. But the ICO points out that the airline remains responsible for this data leak, even if the penalty is lower.
The highest fine ever imposed
“People have entrusted their personal data to British Airways, which has not taken adequate measures to ensure the security of this data,” said ICO Commissioner Elizabeth Denham in a statement. “Their inaction was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress. We have therefore imposed a fine of £20 million on BA, the largest to date. When organizations make bad decisions about people’s personal data, it can have a real impact on people’s lives (…),” she continued.
Admittedly, this £20 million fine is the highest ever imposed by the ICO, but it’s a big step back from the £184 million previously imposed, which still represented 1.5% of the company’s revenues in 2018.