British Airways Fined $230 Million for Data Breach - What It Means for American Companies

Article Placeholder Image
By Laura Temme, Esq. on July 31, 2019 2:00 PM

Between June and September of 2018, hackers diverted around 500,000 British Airways customers to a fake site that collected their names, addresses, payment information, and other personal data. Now, Britain’s Information Commissioner’s Office has announced they intend to fine the company nearly $230 million for failure to comply with the European Union’s data privacy regulations. According to the New York Times, the fine represents roughly 1.5% of British Airway’s annual revenue.

Although British Airways is by no means the first organization to face fines in the wake of a data breach, its penalty is one of the highest so far – and the first levied by the British government against a company housed on its own soil.

As hackers continue to target data held by companies all over the world, understanding data privacy regulations becomes more and more critical. And none are currently as far-reaching as the EU’s General Data Protection Regulation (GDPR).

What the GDPR Does

The GDPR, which took effect in May 2018, overhauled data privacy laws across Europe and impacts organizations all over the world. It imposes strict regulations for the use and processing of personally identifiable information (PII), aimed at giving EU residents more control over their data in three significant ways:

  • Mandatory breach notification: In all EU member states, customers must be notified of any data breaches likely to put their “rights and freedoms” at risk
  • Right to access: Data subjects can ask data controllers to confirm whether or not their data is being held or processed, and for what purpose
  • Right to be forgotten: Consumers can request to have their personal data erased from a company’s records and cease further dissemination of their data

Regulators in EU countries can issue a fine equal to up to 4% of a company’s global revenue for breaching the GDPR.

Why American Companies Should Pay Attention

The GDPR applies to any organization that collects, stores, or processes personal data from EU residents, whether it operates within the EU or not. Any data controller or processor offering goods or services to EU citizens, even if those services are free, must comply with the GDPR. It even applies to “cookie walls,” the pop-up windows that require users to consent to tracking cookies for access to content. Not only are these windows annoying, but the Dutch data protection agency recently found they violate the GDPR because the permission for tracking isn’t freely obtained.

Additionally, companies may begin seeing “subject access” requests, where someone asks the organization to turn over information they hold on them. Companies that work in business-to-business transactions, as well as those interacting directly with consumers, should examine how GDPR provisions will impact their operations.

Related Resources: