British Airways data breach results in a potential fine of £183m.

British Airways (‘BA’) are facing a historic fine of £183m following a major data breach  reported by the Information Commissioner’s Office (‘ICO’) on 6th September 2018 in which hackers successfully stole customers’ personal data consisting of passenger login details, card details, addresses and travel booking information. The ICO had previously reported that the personal data of around 500,000 passengers was stolen from BA’s website and the mobile app in a different data breach which purportedly started in June 2018.

Following the entry into force of the General Data Protection Regulation (‘GDPR’) on 25th May 2018, this is the first penalty for a personal data breach that has been made public and it demonstrates the serious nature of the approach undertaken by the ICO when personal data is not treated with the upmost care.

Although this constitutes a significant fine for BA, the ICO has the power to penalise a company for a serious data breach for the higher of either up to 4% or €20m of annual turnover, which could have resulted in a fine of around £460m.

To put the impact of the GDPR into context, some insight is provided by comparing this penalty to the one faced by Cambridge Analytica. Cambridge Analytica was fined £500,000 for a personal data breach that affected around 87 million users; the BA breach affected around 0.6% of the number of people affected by the Cambridge Analytica breach. However, at the time the fine facing Cambridge Analytica was governed by the Data Protection Act 1998, which set the maximum fine for a data breach at £500,000.

Elizabeth Denham, the Information Commissioner, said in relation to the BA data breach that “people’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. The law is clear, when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

Following the issue of the notice, Willie Walsh, Chief Executive of IAG, stated that British Airways would be making representations to the ICO and that “we intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals”.

© 2019 Whitestone Chambers


Heathrow’s third runway mass expansion

The potential knock-on effect for the rest of the UK’s airports if the plan for a 3rd runway at Heathrow gets the green light have been revealed and it does not look promising.

If Britain wants to meet its climate targets, then no further airport expansions will be possible until 2050. Given that carbon-neutral plane engines are still some way away from becoming the norm, further expansions seem impossible.

The Head of the committee on climate change, Lord Deben told Sky News “If Heathrow is built it has to be built within the envelope of emissions which we have allowed for aviation. It has knock-on effects. It means you can’t build similar things elsewhere in the country… It is for the government to decide what we as a nation put our priorities in. But it has to realise that it can’t move outside those parameters.”

In opposition to this view, Karen Dee, Chief Executive from the Airport Operators Association, also told Sky News that she was confident that as long as the industry kept pushing new technology to improve plane efficiency then she didn’t believe the aviation limits would prevent expansion of activity for other UK airports.

As well as the estimated 800 homes that will need to be destroyed to allow the new runway, it seems that the effect of the proposals will extend much further than the immediate vicinity and potentially impact upon the whole of the United Kingdom and the expansions plans of any airports therein.   

© 2019 Whitestone Chambers