Data Blast: BA data breach fine of £20 million a reminder that data compliance requires ongoing review & more…
See below for the latest Data Blast from our legal team: BA data breach fine of £20 million a reminder that data compliance requires ongoing review; France’s High Court considers US surveillance risks to personal data post-Privacy Shield; ICO investigating use of Covid 19 contact tracing data for improper purposes; Covid mask seller fined £40K after deleting evidence of marketing emails
British Airways fined £20 million for errors leading to data breach
On October 16th the UK Information Commissioner’s Office (ICO) announced that British Airways (BA) is to pay a £20 million fine for failing to have in place adequate data security measures, as required by the General Data Protection Regulation (GDPR), leading to a data breach affecting hundreds of thousands of BA customers.
This represents the largest fine issued by the ICO to date. However, the £20 million figure is roughly 90% lower than the fine of £183 million the ICO initially proposed in its Notice of Intent (NOI) to BA in July 2019. Such NOIs typically remain confidential between the ICO and the party it intends to fine; however, BA was required to disclose the level of the proposed fine as part of its regulatory obligations as a publicly listed company.
The BA data breach (previously covered here) occurred between June 22nd and September 5th 2018, when an unidentified attacker accessed BA’s IT network and redirected payment card data to a fraudulent site controlled by the attacker. Due to the breach, the personal data of approximately 380,000 customers, including names, addresses and payment card details, was taken, as well as BA employee and Executive Club log-in details. BA were made aware of the breach by a third party and notified the ICO the following day, on September 6th 2018.
As a result, the ICO found that BA failed to process its customers’ personal data in a manner ensuring appropriate security, as provided for under Art. 5(1)(f) and Art. 32 of the GDPR, in particular:
- BA ought to have known that a company of its size was a likely target of attackers, and ought to have taken additional measures to protect data against illicit access;
- The breach continued for a number of months without BA’s knowledge and was only uncovered following a tip from a third party;
- Whilst no ‘special category’ data was exposed, names and addresses together with payment card details (including the CVV number) were viewed as particularly sensitive and likely to cause distress to those affected, as the exposure posed a considerable risk of identity fraud.
The ICO was critical of BA’s submission in the course of the investigation that credit card breaches are ‘an entirely commonplace phenomenon’ and ‘an unavoidable fact of life.’
In reaching the £20 million figure, the ICO took as a starting position a £30 million fine, which was determined to reflect the seriousness of the breach. The ICO then considered mitigating factors including:
- The swift steps taken by BA to mitigate damage from the incident, including promptly notifying the ICO and other regulators upon becoming aware of the breach and offering compensation and assistance to individuals affected;
- Cooperating with the ICO throughout its investigation;
- Having no relevant previous infringements; and
- Implementing additional security measures to protect data from future breaches.
Those mitigating factors led to a 20% reduction of the fine, to £24 million, and a further reduction of £4 million was applied to reflect the financial impact of the Covid-19 pandemic. Notwithstanding that the final figure was a fraction of the fine first proposed by the ICO, the result sends a clear message to organisations that data security must be a priority and, as with other data protection compliance measures, must be reviewed and adjusted regularly.
French High Court considers post-Privacy Shield risks and allows France’s Health Data Hub to continue
On October 13th, France’s highest administrative court (the Conseil d’État) rejected requests for the suspension of France’s national health data platform, Health Data Hub (HDH). Introduced in April 2020 to help manage the Covid-19 pandemic, HDH is a consolidated hub of the health data of individuals receiving medical care in France. The French government selected Microsoft to host the associated health data within its EU data centres.
Following the CJEU’s decision in Schrems II (covered here), which invalidated the EU-U.S. Privacy Shield, an application was made to the French courts on September 28th for a suspension of the health data processing associated with the HDH. The applicants argued that Microsoft, being a US-based company, could be required by US intelligence services to transfer personal data to those agencies, regardless of where in the world the data was being processed by Microsoft.
On October 8th, the French data protection authority (CNIL) submitted comments on the proceedings, taking a very wide view of the implications of the Schrems II decision. The CNIL stated that, in its view, not only should personal data (in this case sensitive health data) not be transferred to the US following Schrems II, but that such data should not even be processed by US companies within the EU, as such companies would remain subject to US laws, thereby potentially being required to transfer data to US intelligence agencies. Accordingly, CNIL submitted that the Conseil d’État should act to prevent Microsoft from hosting HDH, and that HDH should be hosted by companies not subject to US law. The CNIL did opine that contractual mechanisms might be used in order to ensure that a US based company could provide hosting services, without itself having access to the personal data of EU individuals.
In the Conseil d’État decision, the judge stated that it was not for the court to decide by way of summary proceedings whether EU law prevented the processing of personal data inside the EU from being contracted to a US-based company. The judge acknowledged the CNIL’s view that US authorities could potentially request that Microsoft or its Irish affiliate provide access to certain personal data from the HDH. However, such a request remained entirely hypothetical, and supposed that Microsoft would not be in a position to refuse it. The judge also noted that the health data at issue was pseudonymised before being hosted and processed within the HDH, and that there was a strong public interest in permitting the use of technologies such as the HDH in the context of the ongoing Covid-19 pandemic. Accordingly, in the absence of serious and manifest illegality, the judge declined to order that the HDH be suspended.
The judge did, however, ask that HDH continue, under the supervision of the CNIL, to work with Microsoft with a view to strengthening data subject rights, and to explore options (including the licensing arrangement proposed by the CNIL) to eliminate risks of US surveillance service access to the HDH data.
Pub and restaurant contact tracing data reportedly being sold
On October 11th, the Times reported that several companies are exploiting QR barcodes in order to collect names, addresses, phone numbers and email addresses of pub and restaurant visitors, and subsequently sharing them with marketers, credit card companies and insurance brokers.
Due to the Covid-19 pandemic, since September 24th certain businesses in the UK have been required to take patrons’ contact information, and may have done so using QR codes for the purposes of contact tracing. Patrons are then intended to be alerted if they have visited a venue where they may have been exposed to the virus. However, some firms providing QR code services to businesses have clauses in their terms and conditions which state that they can use the information for purposes other than contact tracing, including sharing information with third parties. Security experts have warned that data collected may not only be sold on to advertisers, but that it could also be used in text and email scams.
Suspect privacy terms reportedly relied upon by some QR code tracing services include:
- That personal data may by default be used for unspecified marketing purposes;
- That data may be shared with unnamed third parties;
- That data may be linked with venue CCTV records; and
- That data may be retained for 25 years.
The ICO has stated that it is currently assessing 15 such companies which ‘provide services to venues to collect customer logs.’
ICO fines company for sending face mask spam emails
On October 8th, the ICO announced that it had fined Studios MG Ltd. (SMG), a London-based software consultancy, £40,000 for sending spam emails selling face masks during the peak of the Covid-19 pandemic.
According to the ICO, SMG attempted to exploit the pandemic by sending roughly 9,000 unlawful marketing emails on April 30th to individuals without their consent. Upon investigation, the ICO found that SMG was not carrying on business supplying PPE, but that the company’s director had decided to buy face masks to sell on for a profit.
In a statement, the ICO explained that they have ‘investigated a number of companies during the pandemic with the aim of protecting people from being exploited by unlawful marketing attempts. Nuisance emails are never welcome at any time, but especially when people may be feeling vulnerable or worried and their concerns heightened.’
An aggravating aspect of the matter was that SMG was found to have ‘deleted a database of key evidence which would have shown the full extent of the volume of emails they had sent.’ As previously reported here, the ICO has fined firms aiming to capitalise on the pandemic through the use of spam emails and text messages.
For more information please contact Partner, James Tumbridge at email@example.com.