
Record Fine Proposed Under GDPR

Sébastien Gittens, Martin Kratz and Michael Whitt
July 11, 2019

Any doubt that the world of data protection changed profoundly when the European Union’s General Data Protection Regulation (GDPR) came into effect on May 25, 2018, was solidly dispelled when the United Kingdom’s Information Commissioner’s Office (ICO) issued a notice of its intention to fine British Airways a record £183.39 million (C$300 million) for infringements of that law. While the GDPR allows penalties of up to 4.0 percent of an organization’s global annual turnover, the proposed British Airways fine is close to 1.5 percent of its 2017 global turnover.

The ICO’s investigation found that British Airways’ “poor security arrangements” were responsible for a cyber incident in June 2018 that allowed user traffic to the airline’s website to be diverted to a fraudulent site, where the personal information of approximately 500,000 individuals was harvested by attackers.

The airline will have an opportunity to make representations to the ICO as to the proposed findings and sanction, but this and other recent announcements by the UK regulator highlight the potentially large liability that may be imposed under GDPR, not only for organizations that have an establishment in the European Union, but for other organizations as well. Indeed, the GDPR has extraterritorial effect, as it is intended to apply to any natural or legal person, public authority, agency or other body outside of the European Union who:

  1. targets individuals in the European Union by offering goods or services (regardless of whether a payment is required); or
  2. monitors the behaviour of individuals in the European Union (where that behaviour takes place in the European Union).

Given the sweeping extraterritorial application of the GDPR, together with significant fines that may be issued thereunder, Canadian organizations are cautioned to be mindful of the potential application of the GDPR, and periodically evaluate whether this law may apply to their operations.

If you would like to learn more about the effects of GDPR or other data protection and privacy regulatory regimes on your business, members of our Data Protection and Governance team can assist, and where required, can direct you to experienced European counsel.
