Tuesday, April 23, 2024

The British Airways case: GDPR’s fine is likely to be borne by customers

When the General Data Protection Regulation was implemented on 25th May 2018, the European Commission welcomed the new regulation as an essential step to strengthen both individuals’ fundamental rights in the age of digital business and the sanctioning tools held by the individual national authorities[1][2]. And despite all the difficulties due to the uncertainty surrounding the Brexit issue, GDPR somehow unfolded its effects in the United Kingdom as well.

One year later, we are finally witnessing how the new European legislation has shifted the balance. Or so it appears, because the sanctioning tools are likely to hit not only the company that has committed the violation, but also – indirectly – its customers.

As everyone is probably well aware, British Airways is to be fined more than £183 million[3] by the Information Commissioner’s Office[4] after hackers stole the personal data of half a million of the airline’s customers. In response to an announcement[5] to the London Stock Exchange which reported the intention of the Information Commissioner’s Office (hereinafter also referred to as “ICO”) to fine British Airways for breaches of data protection law, the UK’s independent authority confirmed that, following an extensive investigation, a record penalty notice had actually been issued in order to punish British Airways for infringements of the General Data Protection Regulation.

The proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018[6]. This incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the hackers. The personal data of approximately 500,000 customers were seriously compromised in this incident, which is believed to have begun in June 2018. Consumers’ data was stolen from the British Airways website and mobile app, where security arrangements were deemed “poor” by the Information Commissioner’s Office.

“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights,” said the Information Commissioner Elizabeth Denham.

The ICO, like other national data protection authorities across the EU, has of course been strengthened by GDPR, which provides that each supervisory authority shall ensure the imposition of administrative fines pursuant to the provisions of the Regulation concerning infringements. “The ICO”, says the Guardian, “is now a regulator to be feared – and tech giants should take fright at BA’s potential £183m hit”.

Therefore, such a high amount is fully justified by the application of the GDPR rules, which provide for a maximum fine of 4% of the company’s turnover. Until today, however, the fines imposed had remained very far from that limit[7], with a peak of 50 million euros inflicted on Facebook by the French control authority for “unfair tracking”[8].

There is no doubt that the size of the proposed fine will make company leaders in boardrooms up and down the United Kingdom fall off their chairs, while the IT chief will be summoned to explain whether the company’s back door is securely locked against hackers. For International Airlines Group, the parent company of BA, it could mean sending directly to HM Treasury a sum equal to 5% of this year’s profits. It seems difficult to write that off as a daily cost of doing business[9].

And while Willie Walsh, the chief executive of International Airlines Group, says BA may appeal, since the ICO’s enhanced powers have yet to be tested, there is a far more critical question to be assessed here: is the personal data of 500,000 customers “only” worth £183 million?

To answer this question we need to consider, first of all, the fact that the penalty amounts to about 1.5% of British Airways’ £11.6bn worldwide turnover last year; so, although huge, it is still not even close to the maximum rate of 4% that can be imposed for infringements since May 2018 under Article 83.4 of the GDPR (“Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year”).

With reference to the fine and the real extent of the damage for the British company, let’s take the following into consideration: according to the British Airways Plc Annual Report and Accounts of 2017 and to other statistical institutes, BA uplifted 44 million passengers in 2018 and had an average of 40.9 million passengers per year during the 2008-2018 decade[10].

Considering the abovementioned figures and the trend of recent years, we can easily assume that a ticket price increase of about 5 pounds per passenger would already be more than enough to cover the total amount of the fine (!). As a matter of fact, passengers are the ones most likely to suffer the consequences of BA’s misconduct.

It seems, at the end of the day, that GDPR has actually strengthened the existing safeguards, but it is still far from finding an effective solution for consumers who, seemingly mocked by fate, might pay out of their own pockets the fine issued to BA for stealing their own personal data.

Then why, at least, don’t passengers give up flying with a company that has reportedly lost their credit-card data? The answer here is much simpler: they have few alternatives. New airlines simply cannot take market share away from BA at Heathrow, as the share of Heathrow slots owned by BA’s parent has risen from 36% in 1999 to 54%. However, it is true that competition is so fierce that if BA were actually to increase ticket prices in a manner that is readily apparent, then a lot of people would manage to find another solution.

[1] S. Cedrola, “Il nuovo scenario in tema di protezione dei dati personali alla luce dell’imminente applicazione del GDPR”, Nov. 9, 2017

[3] Intention to fine British Airways £183.39m under GDPR for data breach, Jul. 8, 2019

[4] ICO, The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals

[5] International Cons Airlines Group, Theft of customer data at British Airways – Update, Jul. 8, 2019

[6] “British Airways admits that over 380,000 customers had their data stolen”, Sep. 9, 2018

[7] G. Calzetta, “Multa da 204 milioni di euro a British Airways per il furto dei dati dei suoi clienti”, Jul. 8, 2019

[8] J. Titcomb, “France fines Facebook €150,000 for ‘unfair tracking’”, May 16, 2017

[9] N. Pratley, “British Airways fine shows GDPR has given watchdogs teeth”, Jul. 8, 2019


Giacomo Bertelli

Born in Genoa in 1992, he graduated in Law in 2017 and has been admitted to the legal profession since 2021. A lifelong lover of cinema, sport, music and political and economic current affairs, during his university years he developed a strong interest in technology and legal informatics. In 2020 he obtained the LL.M. in Law of Internet Technology at Università Luigi Bocconi, focused mainly on intellectual property, personal data protection and competition law in the digital world. After a year’s experience at the European Patent Office, where he dealt mainly with patents, designs, artificial intelligence and industrial property strategies, he currently works in the legal department of Google Italy.