Covid-19 and a new ICO enforcement approach?

EasyJet announced yesterday a recent cyber attack on its systems which enabled hackers to access the emails and travel information of around 9 million customers, including credit card details in some 2,200 cases.  The ICO is currently investigating the breach and it remains to be seen whether any enforcement action will be taken.

The incident increases speculation as to how the ICO might respond to this type of personal data breach from another large airline, particularly at a time when the aviation industry is struggling with the effects of the current coronavirus pandemic. The record-breaking £183m fine proposed against British Airways last year for its 2018 data breach (involving the loss of 380,000 customers’ credit card information) has yet to be finalised by the ICO and it will be interesting to see what impact, if any, the financial effects of the pandemic on BA will have on the ICO’s final determination. The same can be said for the delayed £99m fine on the Marriott hotel chain, a player in the hospitality industry which has also been hit hard by the current situation.

The ICO’s Regulatory Action Policy sets out a five-step approach for determining the value of its monetary penalties, the final step being to reduce the sum to reflect any mitigating factors, including the target’s ability to pay. Although the ICO has acknowledged that it is likely the level of fines will reduce as a consequence of the pandemic, it is not clear whether this extends to fines already notified but not yet imposed on organisations which would now suffer significant financial hardship as a result of the penalty that was not originally anticipated.

Recent guidance from the ICO says that in deciding whether to take any formal regulatory action, including issuing fines, it will consider whether the organisation’s difficulties result from the Covid-19 crisis and is empathetic to the issues currently being faced. However, the message remains that robust action will be taken where necessary, particularly in cases of serious or deliberate non-compliance with the data protection regime.

This article is for general awareness only and does not constitute legal or professional advice. Law and guidance relating to the COVID19 pandemic is continually being updated and the law may have changed since this page was first published. If you would like further advice and assistance in relation to any issues raised, please contact us today by telephone or email

Posted in Coronavirus (COVID-19), Data Protection, ICO, Information Commissioner.