Stewarts’ Head of Media Disputes, Ryan Dunleavy, spoke last week to the New Statesman and the Daily Mail about the potential impact of the Virgin Media data breach affecting nearly a million people, and about the UK’s Information Commissioner’s Office (ICO) announcement last week that it will impose the maximum fine possible under the law for a data breach by Cathay Pacific Airways Limited, albeit under the pre-GDPR data privacy regime.


Ryan’s quotes in full last week to the media were:

On Virgin Media

“I suspect that, like other regulators, the Information Commissioner’s Office is overwhelmed with investigating data incidents at the moment and that this incident is likely to be initially processed then shoved in its in-tray for a bit.

“It will be interesting to see where this goes from a regulatory perspective. Companies may be admitting to incidents and self-reporting to the ICO but once regulatory investigations start, many push back hard against regulators with lawyers and their superior financial resources.

“Virgin Media is also likely to get some credit for shutting down access to the particular marketing database quickly, and the information accessed did not include passwords or financial details, which might mean that fines will not be at the very top end.

“Fines can still be eye-wateringly high under the GDPR however, even for an incident like this, so Virgin could be facing a fine of multiples of millions of pounds.

“This is an opportunity for the ICO also to put down another benchmark to indicate how high fines should be in the UK for a breach of this nature.”


On Cathay Pacific

“I have been following the Cathay Pacific Airways Limited data breach case closely and have been wondering when the Information Commissioner’s Office would issue a monetary penalty notice like this. The breach was large-scale and went on for several years, although the airline only became aware in March 2018.

“The GDPR came into force on 25 May 2018. Cathay Pacific is lucky that the last unauthorised access to the personal data was on 11 May 2018, because that meant that pre-GDPR laws, and more importantly fines, applied to the breach, even though the Information Commissioner’s Office did not become aware of the breach until 25 October 2018.

“The airline has still been fined the maximum amount under the old data protection regime, but that is only £500,000. Under the GDPR I expect it would have been in the multiples of millions of pounds instead, although it is hard to put an accurate figure on this.

“Sometimes when I see a maximum £500,000 fine under the old rules by the UK’s regulator it gives me the impression that it is saying, ‘We would fine you much more if it was legal to do so!’ After reading the factual details in this monetary penalty notice, I suspect that this is one of those instances.

The lesson here for corporates that have had data breaches that are after 25 May 2018 is that the ICO is still processing some pre-GDPR claims like this one but as time goes on it will start focussing more on the post-GDPR breaches, and we can expect much, much larger fines when it does so.”

Please view “Value of UK regulatory fines for data privacy breaches may rise in 2020” article here.




You can find further information regarding our expertise, experience and team on our Media Disputes page.

If you require assistance from our team, please contact us or alternatively request a call back from one of our lawyers by submitting this form.



Subscribe – In order to receive our news straight to your inbox, subscribe here. Our newsletters are sent no more than once a month.

Key Contacts

See all people