British Airways owner IAG expects 90 percent cut in proposed UK GDPR fine

31 July 2020 00:00

British Airways' owner has slashed the amount it's set aside for a UK fine for its major data breach in 2018 by almost 90 percent from the 183 million pounds ($240 million) originally proposed by the country's data regulator.

After a year of negotiations with the Information Commissioner's Office, International Airlines Group now estimates that it may need to pay 22 million euros ($26 million) as a result of the watchdog's probe.

"The exceptional charge of 22 million euros represents management’s best estimate of the amount of any penalty issued by the Information Commissioner's Office (ICO) in the United Kingdom, relating to the theft of customer data at British Airways in 2018," IAG said in a filing today on its financial results for the six months to June 30.

"The process is ongoing and no final penalty notice has been issued," the group said.

Last July, the ICO proposed the 183.4 million-pound fine for the UK flag carrier for breaching the UK's Data Protection Act 2018, which implements the EU's General Data Protection Regulation.

The ICO said that poor security practices led to the exposure of about 500,000 customers' data, including log-in, payment-card and travel-booking details as well as names and addresses. The incident partly entailed user traffic to the BA website being diverted to a fraudulent site, where hackers harvested the information.

BA lawyers have had since last July to argue down the fine and show how the airline has complied with its obligations under the UK law and the GDPR.

In a Feb. 28 report, BA said its directors expected "a considerably lower amount than the initial Notice of Intent" last July.

Since then, it's expected that the airline will have added fears over the economic consequences of the Covid-19 pandemic to its arguments for a lower fine or even a reprieve.

After repeatedly missing deadlines — in December, March and May — to hand BA a final penalty, the ICO is expected to finalize the amount in coming months.

Under the GDPR, EU privacy watchdogs can hand infringing companies penalties of up to 4 percent of their annual global revenue. The ICO's proposed fine would have represented 1.5 percent of BA's global sales in 2017, while the airline's new provisions suggest a fine equivalent to just over a tenth of that.

IAG, which also owns Iberia and Aer Lingus, said in its filing today that the Covid-19 outbreak had a significant impact on its results, especially from late February onward. It reported a record loss of 1.36 billion euros in the second quarter. It's proposing to raise 2.75 billion euros to boost its balance sheet.
