Potential penalty of $230 million would be biggest initiated under new EU privacy rules

By Robert Wall and Parmy Olson 

This article is being republished as part of our daily reproduction of WSJ.com articles that also appeared in the U.S. print edition of The Wall Street Journal (July 9, 2019).

A U.K. privacy watchdog has proposed a potentially record $230 million fine against British Airways, alleging the carrier failed to protect passenger data after a hack last year.

The move, which British Airways parent International Consolidated Airlines Group SA said it would fight, represents the latest and by far biggest penalty initiated by national-privacy regulators across the European Union since the enactment last year of new privacy rules for the bloc.

France, in January, imposed a EUR50 million ($56 million) fine -- the largest to date -- against Alphabet Inc.'s Google. In that case, France said Google didn't go far enough in getting user consent to gather data for targeted advertising. Google said Monday it planned to appeal the decision in the coming weeks.

The EU's General Data Protection Regulation, or GDPR, aims to hold companies accountable for safeguarding the personal data increasingly swept up in today's digital world. It falls to national regulators -- in Britain, the Information Commissioner's Office -- to enforce the rules for companies within their jurisdiction.

The proposed fine against the airline amounts to about 1.5% of its 2017 revenue and more than 6% of IAG's forecast 2019 operating profit. International businesses have been gearing up for GDPR compliance for years, but the scale of the ICO proposal -- the agency's first under the new regulation -- serves as a warning in making clear the price of falling short.

The ICO's action against British Airways is the "tip of the iceberg," said Tony Pepper, chief executive of email-encryption service Egress Software Technologies Ltd. He said the British regulator has health-care businesses, government agencies and financial services in its crosshairs and will issue more big fines over the next six to 12 months. The ICO doesn't oversee the privacy practices of the big U.S. tech giants that have chosen Ireland as their European base.

The proposed British Airways fine stems from an increasingly common corporate hazard -- a breach of customer data. Airlines, in particular, have faced frequent attempts to penetrate their records. Last year, Cathay Pacific Airways Ltd., one of Asia's largest long-haul carriers, and Air Canada both reported instances of unauthorized access to some customer information.

In the U.S., there is no central authority for probing and punishing failures at consumer data protection. In many cases, companies subject to such hacks can be liable for customers' financial losses stemming from unauthorized access to their data. States have also taken firms to task for data breaches.

Target Corp. agreed two years ago to pay $18.5 million to resolve state investigations of a massive 2013 hack that was an early, high-profile corporate data breach.

Companies have also been held to account for failing to disclose such hacks, and other, broader privacy issues. Uber Technologies Inc. last year reached a $148 million nationwide settlement with U.S. states over allegations it concealed a 2016 data breach. Facebook Inc. in April set aside $3 billion for an expected fine from the Federal Trade Commission over alleged privacy violations.

Regulators in Europe have gained increasing authority to fine companies for specifically failing to safeguard customer information or privacy. Ireland has more than 50 privacy investigations under way, including against tech companies such as Facebook and Apple Inc. A spokeswoman for Britain's ICO said it also has several more investigations proceeding.

Under GDPR, regulators can fine a company as much as 4% of annual sales, though most fines so far have been far smaller, typically less than $1 million.

Shares in IAG fell 1.4% on Monday in London.

British Airways last year said about half a million passenger records were accessed in a cyberattack that took place between August 21 and Sept. 5. The airline carried more than 45 million passengers in 2018. The airline group said Sept. 6 that it had discovered and resolved the breach of its website and app and that police were notified.

The ICO said Monday that a variety of information was compromised by poor security arrangements at the company, including login, payment-card and travel booking details as well as name and address information.

"We intend to take all appropriate steps to defend the airline's position vigorously, including making any necessary appeals," IAG Chief Executive Willie Walsh said Monday.

The ICO said the airline has cooperated with its investigation and made improvements to its security. It also said it would take into account feedback from British Airways and other data-protection authorities as it makes a final determination on the fine.

The airline has 28 days to make its case. The regulator said the company can appeal against any final determination.

Write to Robert Wall at robert.wall@wsj.com

 

(END) Dow Jones Newswires

July 09, 2019 02:47 ET (06:47 GMT)

Copyright (c) 2019 Dow Jones & Company, Inc.