In its July 31 results statement for the first six months of 2020, British Airways parent company International Airlines Group (IAG) noted in its accounts that it had made a provision of only £20 million to cover potential financial sanctions that the UK data regulator might impose for a breach of the EU’s General Data Protection Regulation (GDPR) in 2018.
IAG commented that the figure, reduced by almost 90% from the initial £183.4 million sum that the Information Commissioner’s Office (ICO) said it intended to charge the company in a statement last July, “represents management’s best estimate of the amount of any penalty issued by the ICO” relating to the 2018 British Airways breach that allowed customer data to be stolen.
Commenting on the news, an ICO spokesperson said: “The regulatory process is ongoing, and we will not be commenting until it has concluded.”
However, speaking to the Telegraph, Fieldfisher’s Judy Krieg remarked that the new figure did not “come out of thin air” and was likely the result of negotiations between IAG and the ICO, implying that the eventual fine will be far lower than the ICO’s initial suggestion.
Your Lawyers is a consumer action law firm that has been appointed a Steering Committee position by the High Court of Justice against British Airways in the GDPR case. Aman Johal, Director of the firm, commented that the indication of a vastly reduced fine “is an affront to data protection and the GDPR.”
“The ICO’s decision last year to issue a record provisional intention to fine was a landmark decision that could set the standard for organisations and act as the candid warning that is so desperately needed in today’s age of continual breaches,” he said.
“Such a substantial reduction could seriously undermine the purpose of the GDPR, which was to act as a credible deterrent for organisations to ensure that they protect the information they store and process.”
