When the General Data Protection Regulation (“GDPR”) passed into English law on 25 May 2018, one of the headlines that heralded the new legislation was the Information Commissioner’s Office’s (“ICO”) new power to impose fines of up to €20 million, or 4% of global turnover (whichever is the higher), on organisations that breach the GDPR. Given the dramatic increase in the ICO’s power to impose fines, one of the questions asked by insurance market participants was whether these fines could be covered by insurance.
The question was repeated earlier this month following the announcement of the €50 million fine imposed on Google by the French data regulator for breach of GDPR. Some answers may soon be available, if only in part.
The Global Federation of Insurance Associations has this week called on the Organization for Economic Cooperation and Development (“OECD”) for clarity, saying, “there is international confusion as to the insurability of fines and penalties. OECD work to clarify this issue would benefit consumer and insurer contract certainty.” The OECD has responded by saying that it will now look at the issue and guidance could be forthcoming in the near future.
But for now, the position at least under English law as to the insurability of GDPR fines remains unclear. That is (to say the least) unhelpful for policyholders, brokers and insurers alike, particularly as the ICO becomes increasingly active with fining organisations for breaches of data protection law.
The starting point here is that many English law insurance policies say that they will insure against fines and penalties, provided that these are insurable under the law of the policy. Insurance against fines imposed by a regulator or official body for criminal or quasi-criminal conduct is not permitted under English law for public policy reasons (an indemnity from an insurer would negate the fine’s deterrent effect). Indeed, some regulators, such as the Financial Conduct Authority (“FCA”), expressly prohibit the firms they regulate from insuring against FCA fines.
What counts as criminal conduct is clear; what counts as quasi-criminal conduct is less so. The Court has provided some limited guidance and has referred to “infringement of statutory rules enacted for the protection of the public interest and attracting certain actions of a penal character” (per Sumption LJ in Les Laboratoires Servier v Apotex  AC 430). So penalties or fines for quasi-criminal conduct may be regarded as involving some moral turpitude or reprehensibility on the part of the transgressor.
An ICO fine is intended to have both a punitive and a deterrent effect. The legislation sets out the matters that the ICO must take into account when considering the fine, including whether it would be effective, proportionate and dissuasive. This suggests that an ICO fine under GDPR would be regarded by the court as a civil sanction of a punitive nature, quasi-criminal, designed to punish reprehensible conduct and to deter others. As matters presently stand, therefore, ICO fines for breach of GDPR are probably uninsurable under English law.
It could still be, however, that only fines for breaches at the most egregious end of the spectrum (intentional or reckless breaches) are regarded as punishment for quasi-criminal conduct (and therefore uninsurable). ICO fines imposed for much less serious breaches could fall into a different category and could still be insurable. A case-by-case approach could therefore emerge from the Court on the issue.
These very important issues are still to be directly tested before the English Court, and so the position remains unclear. OECD guidance in this regard would certainly be welcome (albeit not in any sense binding on the English Court), particularly as the ICO has refused to be drawn on the issue. Last year the ICO said that this was not a matter for the ICO and that “a focus on insurance rather misses the point, and organisations should be looking to recognise the benefits of good information rights practice to their efficiency, reputation and competitive edge.”
For the moment, therefore, the message to participants in the insurance market is not to assume that fines or penalties will be covered by an English law insurance policy. But value is clearly still to be found in cyber risk insurance policies when it comes to, for example, insuring the costs of responding to a data breach or cyber-attack, dealing with related third party claims and complaints, and repairing damaged software.