Could Cathay Pacific Airways, Hong Kong’s flag carrier, become one of the first companies to face a hefty fine under the recently introduced GDPR regulations?

Following the revelation that the carrier fell victim to a prolonged hacking attack that affected millions of passengers, experts and other companies are waiting to learn exactly what lies ahead for the iconic airline in terms of regulatory enforcement.

On Wednesday during a Legislative Council of Hong Kong hearing addressing the issue, lawmakers grilled senior staff over the company’s handling of the incident. Cathay has faced increased scrutiny after the airline revealed in a written submission that the data breach had, in fact, lasted longer than previously stated.

“The incident is a crisis,” company chairman John Slosar was quoted as saying by Reuters. “It is the most serious one the airline has faced.” 

Under Hong Kong law, Cathay would likely face a penalty of HK$50,000 ($6,400) and receive an enforcement notice from the privacy commissioner for the data breach. Should the company be prosecuted under the European Union-issued GDPR regulations, which came into effect on May 25 and cannot be enforced retroactively, the penalty will be far harsher.

The EU regulations require companies report breaches to supervisory authorities within 72 hours, or face a maximum fine of 20 million euro ($23 million), or four percent of their annual worldwide turnover, whichever is higher.


Paul Haswell, partner and technology specialist at Pinsent Masons, tells Asian Legal Business that because of the threat of EU regulatory action, the timeline of the data breach is critical. 

“They should be worried,” Haswell said, noting that should it be established that the airline lost data belonging to members of EU countries after May 25 “and didn’t do everything that was necessary, there is a chance they’ll be subject to a fine under the GDPR.”

“They need to make sure they’re absolutely clear about when this data was taken, what was taken,” he added.

“In Cathay’s favour, and in their defence, although they were late to come clean about the nature of the breach, they have been good about notifying everybody that’s affected. Not just that there’s been a breach but exactly what was compromised,” Haswell said. “But the trouble is the EU won’t care, if you’re late, you still lost the data. They’re still in a position where they can take action against you.”

The EU is not reluctant to impose fines, having pursued Microsoft and Google for data breaches in the past. “There’s every possibility they could be hit with a massive fine,” said Haswell of the Hong Kong carrier.

Reuters reported yesterday that the airline was working with 27 regulators in 15 jurisdictions to investigate the breach.


To contact the editorial team, please email

Related Articles

Cathay Pacific group GC set to join HKEx

by Aparna Sai |

Hong Kong Exchanges and Clearing (HKEx) has named Paul Chow as its next group general counsel. Chow joins from Cathay Pacific, where he held the roles of group general counsel and company secretary.

Links, DLA, CC advise on Cathay Pacific’s $5 bln bailout

by Aparna Sai |

Linklaters is advising Cathay Pacific Airways on its HK$39 billion ($5 billion) Hong Kong government-backed recapitalisation plan, aimed at shoring up the city’s flag-carrier at a time when airlines globally have been hit by a travel slump triggered by the coronavirus pandemic.

As data hack details come to light, Cathay may face stiff EU fine

by Elizabeth Beattie |

Could Cathay Pacific Airways, Hong Kong’s flag carrier, become one of the first companies to face a hefty fine under the recently introduced GDPR regulations?