UK: Insurability Of Fines And Penalties For Breaches Of The GDPR: A UK And German Perspective

Last Updated: 5 February 2019
Article by Helen Bourne and Henning Schaloske


The increasing powers of regulators, together with the heightened focus on corporate governance and individual accountability, mean that companies and their directors and officers are increasingly exposed to investigations which may lead to the imposition of fines and penalties. The question of whether these fines are insurable is not new, but it has been brought into sharp relief by the introduction of the General Data Protection Regulation (GDPR), under which the supervisory authorities (the Information Commissioner's Office (ICO) in the UK, and the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) together with the various state-level Landesbeauftragte für den Datenschutz (LfD) in Germany) can, amongst other things, impose administrative fines of:

  • up to €10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher, for breaches of provisions of the GDPR such as the obligations imposed on data controllers and data processors;
  • up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher, for breaches of provisions of the GDPR such as the principles for processing, the conditions for consent and the rights of data subjects.

It is worth noting that not all infringements of the GDPR will lead to the large fines that have captivated the press. Whilst the French data regulator, CNIL, recently imposed a €50 million fine on Google for "lack of transparency, inadequate information and lack of valid consent regarding ads personalisation", the 41 fines that have thus far been imposed in Germany have largely been of low value, the highest being €80,000. The UK has yet to issue significant fines under the GDPR, though an enforcement notice has been issued to the Canadian company AggregateIQ Data Services ("AIQ") as part of a wide-ranging investigation by the ICO into the improper use of personal data analytics for political purposes (involving Cambridge Analytica and Facebook), which may, in time, lead to a significant fine under the GDPR.

The question is: will GDPR fines be insurable? There is a huge degree of uncertainty on this point, an uncertainty which has recently led the Global Federation of Insurance Associations to call for clarity from the Organisation for Economic Co-operation and Development (OECD) about whether insurers can pay out for fines imposed under the GDPR: not a declaration one way or another, but a guide to how the different supervisory authorities will approach the issue.

Until such clarity comes, we examine the question of insurability in this article from the perspective of the UK and Germany.

Insurability of fines and penalties

As a preliminary point, it should be noted that the UK and German data protection authorities have not themselves declared whether or not the fines they issue are capable of being insured, unlike, for example, the Financial Conduct Authority (FCA) in the UK, which expressly prohibits firms from insuring against fines it imposes for breaches of financial regulation. Therefore, we must first consider the general principles, which can then be applied to the GDPR.

The first port of call is the policy language. Under some wordings there is no coverage for any fines and penalties whatsoever; under other common formulations, only criminal fines are excluded and fines are covered to the extent they are "insurable by law". Where a fine is not insurable by law, the courts will treat the cover as void and unenforceable, whatever the policy says.

In the UK, whether an insurance policy will cover a fine imposed by the ICO following, for instance, a data breach depends on the public policy question of whether it is possible to recover for a loss which results from your own wrongdoing. This principle, often expressed in the Latin maxim ex turpi causa and known as the "illegality defence", is a well-known common law public policy doctrine (based on the ex turpi causa dictum of Lord Mansfield in Holman v Johnson (1775)). In the insurance context, allowing an insurance claim for the recovery of fines imposed on companies and individuals for illegal acts would remove the deterrent effect of such fines; the "illegality defence" prevents this. After many conflicting cases as to how to apply the illegality defence, the Supreme Court in Patel v Mirza [2016] UKSC 42 laid down the factors that should be taken into account when deciding whether it would be in the public interest to enforce a claim despite some "illegality" on the part of the claimant:

  1. the underlying purpose of the prohibition which has been transgressed, and whether that purpose will be enhanced by denial of the claim;
  2. any other relevant public policies which would be rendered ineffective or less effective by the denial of the claim; and
  3. whether denial of the claim would be a proportionate response to the illegality.

There are three broad categories of conduct for which any fine or penalty might be imposed:

  • intentional or reckless wrongdoing;
  • strict liability situations, where no particular fault is required; and
  • negligence.

Broadly, the position in the UK is as follows:

  • Fines resulting from intentional wrongdoing will not be indemnifiable whatever the type of fine, and might also, in any event, be excluded by other policy provisions, such as fraud or dishonesty exclusions or personal advantage exclusions. However, where the fine is "indirect", a company might still be able to recover from a director a corporate fine resulting from intentional conduct, if the company can show it was only vicariously liable for that conduct (leading to complicated questions of attribution). The Court of Appeal in Safeway v Twigger (2010) said that, in that case, the issue of attribution was irrelevant because the fine was personal to the company: the offence was not one which could be committed by an individual (including the directors). This can be contrasted with other statutory provisions which create criminal offences that can be committed by individuals.
  • Strict/no fault liability fines will likely be indemnifiable, as there is no requirement that the insured's conduct involves an element of moral turpitude (subject to the caveat that fines imposed by certain regulators, such as the FCA, mentioned earlier, are uninsurable in all cases).1
  • Fines imposed for negligent conduct are more complicated. Civil fines or penalties imposed for purely negligent conduct should, in theory, be insurable. In Safeway, the Court of Appeal concluded that for the illegality defence to apply there must be an element of moral turpitude or moral reprehensibility involved in the relevant conduct. In the subsequent Supreme Court case of Les Laboratoires Servier v Apotex Inc (2014), the court supported this by stating, "... non-criminal acts giving rise to the [illegality] defence includes cases of ... the infringement of statutory rules enacted for the protection of the public interest and attracting civil sanctions of a penal character, such as the competition law considered by Flaux J in Safeway Stores Ltd v Twigger ..." In Sainsbury's Supermarkets Ltd v MasterCard Inc and ors (2016), the Competition Appeal Tribunal went on to hold that, "whether an infringement of competition law can trigger an illegality defence depends upon whether that infringement is an "innocent" one (in which case, we consider it cannot) or a "negligent" or "deliberate" one (in which case it may do)." As such, the ex turpi causa principle is engaged by conduct which reaches a certain level of moral turpitude falling short of criminal behaviour. If it is engaged, the fines are not insurable; if it is not, they may be. An assessment will therefore need to be made of the degree of moral turpitude involved in the conduct leading to the infringement.

In Germany, it is still undecided whether, and to what extent, fines and penalties are insurable. The decisive legal test, as in the UK, is whether the cover is contrary to public policy. Section 138(1) of the German Civil Code (BGB) provides that any legal transaction which is contrary to public policy is void. Arguably, the insuring of fines generally contradicts public policy, because coverage can impair the preventative purpose of the fine. Furthermore, it is considered that insuring fines undermines the effectiveness of the underlying regulation if the threatened fine is covered by an insurance policy.

However, some scholars and authors distinguish, in particular, between fines for intentional conduct and those for negligent offences, arguing that the civil law should only sanction a behaviour that is also punishable under criminal law and, therefore, intentional. Accordingly, negligent conduct may be insurable under this reasoning.

However, the prevailing opinion in Germany, in the absence of authority on the point, is that the coverage of fines is contrary to public policy, and there are many indications that cover for fines and penalties under German law is void. If so, providing such cover would primarily lead to the unenforceability of the respective insurance claims, and might also lead to regulatory action by the German insurance supervisory authority, the Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin).

Also, in Germany, a distinction may be drawn between cases where there is no negligence or intentional wrongdoing by the entity itself and cases where the entity is liable for acts of its management which have caused it to be in breach of the GDPR. Section 103 of the German Insurance Contract Act (VVG) provides that the insurer shall not be obliged to pay if the policyholder has intentionally and unlawfully caused the loss suffered by the third party. The wording does not specify whose intent counts where the policyholder is a company, but it is established in case law that the provision looks to the intent of the company's management and those above it. Could an inference therefore be drawn from Section 103 to assist with the question of the insurability of fines where culpability lies with management and above? This has yet to be addressed by the German courts.

How does this analysis apply to GDPR fines?

Fines flowing from criminal conduct will not be insurable, as it is clearly against public policy for fines resulting from intentional or reckless criminal wrongdoing to be indemnifiable. In the UK, for example, fines imposed in relation to the two new criminal offences of (i) knowingly or recklessly re-identifying individuals from de-identified personal data without the controller's consent, and (ii) altering, defacing, blocking, erasing, destroying or concealing records with the intention of preventing their disclosure in response to a subject access request (both introduced by the Data Protection Act 2018 (DPA 2018), exercising the derogations permitted by the GDPR), will not be insurable.2

How administrative fines under the GDPR, however, will be addressed is less clear.

When deciding whether to impose an administrative fine, as opposed to an alternative enforcement measure such as a reprimand, and in setting its amount, one of the key considerations regulators must have regard to under Article 83(2) of the GDPR is the intentional or negligent character of the infringement. This sits alongside factors such as the nature, gravity and duration of the infringement; any relevant previous infringements by the company; the categories of personal data affected; and the number of data subjects affected and the level of damage they have suffered.

Clearly intentional conduct (which is not necessarily criminal) will be uninsurable for offending public policy in both the UK and Germany. It is our view, however, that it can be strongly argued that a GDPR fine may be insurable if the conduct was negligent and the degree of negligence leading to the infringement was low on the scale of moral reprehensibility. In the UK, the Safeway decision supports this position. Whilst there is no equivalent case in Germany on the point, it is our view that section 138 of the German Civil Code is open to interpretation, and that negligent conduct at the lower end of the scale may not be held to offend public policy and may thus be capable of being insured.

With regard to the largest fines that may be imposed, it may be that, in practice, they will only be issued in the most egregious cases involving clearly intentional conduct, such that the question of insurability is moot: these cases are clearly against public policy and thus uninsurable. But it is our view that the position is not clear cut as regards cases not involving intentional conduct, and it cannot be said conclusively that GDPR fines will never be insurable in the UK or in Germany.

Further, insurance will still play a part, responding as it may do to investigation costs, defence costs, and breach response costs, depending on the policy in question. These costs could well be significant and public policy concerns would generally not preclude coverage for such costs.3

Where does this leave insurers? For the time being it remains to be seen how this will be dealt with at a European level, and we are left with uncertainty and little guidance from regulators. The ICO has said that "a focus on insurance rather misses the point, and organisations should be looking to recognise the benefits of good information rights practices to their efficiency, reputation, and competitive edge." German regulators, too, have stated that they aim to educate and assist entities, especially smaller entities, in complying with the GDPR regime, and that fines are not the focus. As the OECD's remit is only to provide a guide to the approaches of the different supervisory authorities, and in the absence of these issues being examined by the courts, certainty may be some way off.

Footnotes

1 In Geddes (D) (Contractors) Ltd v Neil Johnson Health & Safety Services Ltd [2017] CSOH 42, a Scottish case, the court held that an insured may be entitled to indemnification for strict liability criminal fines or regulatory financial sanctions.

2 These offences will incur unlimited fines and may be 'reportable' offences (i.e. they may be included on a criminal record check). Where an offence under the DPA 2018 has been committed by a company and it is proved that it has been committed with the consent or connivance of, or is attributable to neglect on the part of a director, manager, secretary or similar officer, or person purporting to act in such a role, that person is also guilty of the offence and liable to be proceeded against and punished accordingly.

3 The ex turpi causa principle does not apply to an indemnity for the costs and expenses of defending an action brought by a third party: Coulson v News Group Newspapers Ltd [2012] EWCA Civ 1547.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
