Friday, 20 July 2018 07:55

British Airways accused of GDPR violation over data leaks


A security researcher has asked British Airways to explain why its online check-in page leaks booking references and surnames to a number of third parties, among them Twitter, LinkedIn and Google DoubleClick.

Mustafa al-Bassam, a former member of Anonymous and now a doctoral researcher in the UK, said in his letter to the airline that he had not consented to his information being shared in this manner, adding that it appeared to be a violation of an article of the European Union's General Data Protection Regulation.

This article says, "where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data" and "the data subject shall have the right to withdraw his or her consent at any time", he pointed out.

He wrote that he was attaching some network logs from the Chrome Web developer console as evidence of his claim.

Bassam said that when he had initially tried to check in on the BA website, he could not do so. After finding out that this was because he had an adblocker enabled, he disabled the extension. It was then that he noticed the information leak.

"Note that even though your privacy policy states that you may share my personal information with third-party advertising agencies, you must still ask for consent explicitly," he wrote. "Article 7 of GDPR states: 'if the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language'.

"I do not recall being requested for consent for you to share my data with third parties in a clearly distinguishable way."

He posed three questions to BA:

  • Why did you not explicitly ask for my consent to share my data, in a clearly distinguishable way?
  • How do I exercise my right to opt-out from consenting for you to share my data with third parties for advertising purposes, in accordance with GDPR?
  • How will you remedy or compensate customers who have had their privacy rights violated because you have not explicitly asked for their consent?

Bassam said that under article 15 of the GDPR and UK Data Protection Act, he was exercising his right to request all the data the airline held about him and a list of the recipients to whom his personal data had been, or would be, disclosed.

He gave the airline a month to respond. "I understand that before reporting my concern to the Information Commissioner’s Office I should give you the chance to deal with it," he wrote. "If, when I receive your response, I would still like to report my concern to the ICO, I will give them a copy of it to consider."

Contacted for comment, British Airways responded: "We are transparent with customers about our cookie terms and conditions, and always ask them to review the details before choosing whether to accept or opt out."




Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.


