The introduction of the EU General Data Protection Regulation (2016/679) (GDPR) has raised data protection to a board-level issue, leading to an increase in the take-up of cyber insurance policies and some significant administrative fines being levied by European regulators. In particular, the UK Information Commissioner's Office has announced its intention to impose the largest GDPR fine to date on British Airways (£188.38 million) and a fine of £99 million on the Marriott Hotel chain. It seems likely that it will only be a matter of time before fines are imposed by the Irish Data Protection Commissioner (DPC) under the GDPR: the DPC's 2018 Annual Report strongly suggests that the first fines are imminent, and there is potential for the DPC to impose very significant fines, given the worldwide annual turnover of the companies it regulates.
While some cyber insurance policies expressly exclude cover for fines and penalties, others provide cover "to the extent insurable by law". However, the extent to which GDPR fines are insurable is still uncertain in Ireland and in several other jurisdictions, including the United Kingdom. The Irish Data Protection Act 2018 is silent on the insurability of administrative fines and, as a new regime, the question of whether GDPR fines are insurable has not yet come before the Irish courts.
New regime of fines
The GDPR introduced a new regime of administrative fines for data protection infringements and provided for a tiered penalty structure based on the nature of the infringement. For the first time, the DPC can now directly impose fines on offending organisations, making it much easier for the DPC to target companies that do not meet their data protection responsibilities. Criminal or punitive fines and penalties have long been considered uninsurable for public policy reasons. However, there is less clarity where fines are administrative in nature.
The GDPR splits administrative fines into the following two tiers:
- Fines of up to €10 million or 2% of the company's total worldwide annual turnover of the preceding financial year, whichever is greater ('Tier 1' fines). Examples of actions that will attract this level of fine include where a company does not obtain a child's consent before processing their personal data or where a company infringes its data governance obligations, such as:
  - failing to communicate a personal data breach to the DPC;
  - improperly appointing processors;
  - failing to maintain data protection records; or
  - failing to implement appropriate security measures.
- Fines of up to €20 million or 4% of the company's total worldwide annual turnover of the preceding financial year, whichever is greater ('Tier 2' fines). Examples of actions which will attract this level of fine include where a company fails to follow one of the core data protection principles (ie, transparency, data minimisation, data retention or accountability) or where a company has no lawful basis for processing personal data, unlawfully processes special categories of personal data or infringes the data protection rights of data subjects.
Third-level fines ('Tier 3' fines) are those which have been specifically implemented by legislation in a member state. In Ireland, these fines are set out in the Irish Data Protection Act 2018. The penalty for committing an offence under this act is a fine of up to €5,000 or up to 12 months' imprisonment on summary conviction (or both the fine and imprisonment) or a fine of up to €250,000 or up to 5 years' imprisonment on indictment (or both the fine and imprisonment). Therefore, while Tier 1 and Tier 2 fines are expressly stated by the GDPR to be administrative in nature, Tier 3 fines are criminal in nature. Examples of actions that will attract a Tier 3 fine include:
- forcing an individual to make a data subject access request (which can often occur in the employment context);
- failing to respond to an information or enforcement notice issued by the DPC;
- not cooperating with a DPC officer during an investigation; or
- disclosing personal data without the prior authority of the controller or processor.
Whether the DPC imposes a Tier 1 or Tier 2 fine will depend on the nature of the GDPR infringement. The level of the fine, within that tier, which is ultimately imposed depends on several factors, including the severity of the infringement. Critically, the GDPR provides that the DPC must ensure that the imposition and amount of all fines under the GDPR is "effective, proportionate" and importantly "dissuasive" (ie, the fines are designed to dissuade companies from infringing their data protection obligations and responsibilities).
Ex turpi causa
The ex turpi causa legal doctrine prevents a claimant from pursuing legal remedies in order to recover or benefit as a result of their own illegal acts. Where a fine or penalty is intended to be a deterrent or dissuasive, public policy would clearly be undermined if a wrongdoer could simply insure against paying a fine. The English courts have considered the ex turpi causa doctrine in other contexts and while decisions of English courts would not be binding on an Irish court, they would likely be persuasive. The English courts have held that some element of "moral turpitude" is required (Safeway v Twigger), suggesting that perhaps a purely innocent breach or wrongdoing would not attract the doctrine and could in theory be insurable (although on appeal Lord Justice Pill considered that the policy of the relevant statute would be undermined if companies were able to pass on the liability to their employees' directors and officers insurance). In another English case, Patel v Mirza, the English Supreme Court considered whether:
- the purpose of the prohibition would be enhanced by refusing the claim;
- there were public policy reasons to do so; and
- it would be disproportionate to refuse the claim for public policy reasons.
Following a recent Irish Supreme Court decision (Quinn v IBRC) the position in relation to ex turpi causa in Ireland remains unclear and the application of the maxim in Ireland depends on the nature of the wrongdoing.
The position on the insurability of GDPR fines remains a grey area and there is a large question mark over whether such GDPR fines will be insurable in Ireland where there is an element of "moral turpitude" in the infringement. The GDPR calls for fines to be "dissuasive" and if all GDPR fines are indemnifiable under insurance, the public policy behind the fines could arguably be undermined. It may be that some element of moral turpitude or wrongdoing would be required for the fine to be uninsurable, which could potentially result in a sliding scale of insurability, with criminal or quasi-criminal fines likely to be uninsurable.
First published by the International Law Office in August 2019.