Breakingviews - British Airways hacking fine is painful precedent

British Airways logos are seen on tail fins at Heathrow Airport in west London, Britain, February 23, 2018. REUTERS/Hannah McKay

LONDON (Reuters Breakingviews) - Europe’s data police have new fangs that are turning out to be pretty sharp. British Airways was told on Monday it faced a 183 million pound penalty for the theft of customer information from its website last year. That would be a record hacking fine and dwarfs the 500,000 pound maximum paid by Facebook under old European Union rules. The airline got some credit for notifying the UK Information Commissioner’s Office (ICO), which polices the rules nationally. But the size of the punishment sets a painful precedent.

The British Airways case, in which around 500,000 customers’ personal information was compromised by hackers, is the first high-profile test of the EU General Data Protection Regulation (GDPR), which came into effect last year. In some ways, the penalty was not as severe as it could have been.

Under the new regime, the maximum punishment is 4% of global revenue. Yet the fine announced by the ICO amounts to 1.5% of British Airways’ 2017 sales. That reflects the airline’s owning up to the “sophisticated, malicious criminal attack” on its website. The punishment could also have been harsher had the ICO used revenue from British Airways’ parent IAG, which also owns Iberia and Aer Lingus, as its benchmark. Sensibly, the ICO appears to have decided to exclude revenue from the Spanish and Irish units, which did nothing wrong.

But even for a 9 billion pound company, it’s not small change, representing more than 5% of IAG’s forecast operating profit for this year. That explains the 1% fall in its share price on Monday and Chief Executive Willie Walsh’s hint that he might consider an appeal.

Yet watering down the fine would send the wrong message to the likes of Facebook. Using the same 1.5% of 2017 sales metric, the social media giant would have had to pay $610 million for its role in the Cambridge Analytica scandal, in which the personal data of 87 million people was compromised. Companies this big will only take data privacy seriously if national watchdogs show their bite lives up to their bark.


All opinions expressed are those of the authors.