British Airways hints at massive reduction in proposed GDPR fine

The legal news subscription service MLex has reported (in a subscriber-only update) that British Airways’ parent company, IAG, appears to be expecting a fine under the General Data Protection Regulation (GDPR) from the Information Commissioner’s Office (ICO), but which it thinks may be at least 90% lower than ICO initially intended.

IAG’s Q2 2020 Financial Results indicate that it is setting aside €22m to cover any impending fine:

The exceptional charge of €22 million represents management’s best estimate of the amount of any penalty issued by the Information Commissioner’s Office (ICO) in the United Kingdom, relating to the theft of customer data at British Airways in 2018. The process is ongoing and no final penalty notice has been issued“.

We have previously written about the ICO’s intended fines for British Airways, and for Marriott Inc., (both of which gained significant media coverage when they were announced last summer). We have pointed out that the sums announced were merely in respect of “Notices of Intent” to fine, and were subject to potential change. We also noted recently that the effect of COVID-19 on the global travel sector was almost bound to lead the ICO to review the matters.

It is notable that IAG talk about “any penalty”. Given the length of time which has elapsed since the original trigger hacking incident, and since the ICO announced its intention to fine, it must be far from certain that, ultimately, a fine of any sort will be issued.