UK: ICO's Proposed Largest Ever Fine Of £183 Million Against BA Prompts The Question: Can You Insure Penalties Imposed For Breach Of GDPR?

Last Updated: 16 August 2019
Article by Greig Anderson, Antonia Pegden and Sarah Irons

The UK's data protection authority, the ICO, has announced twice in two days this week that it proposes to levy significant fines on organisations for breaches of the General Data Protection Regulation (GDPR), which took effect in May 2018. First it announced that it intends to fine British Airways some £183 million for a data breach in 2018 that affected 500,000 customers (see our Data Blog here for more details). The following day it announced that it proposed to fine Marriott hotels group nearly £100 million, again for a data breach that affected customers (see our Data Blog here for more details). Both BA and Marriott may make representations to the ICO before final decisions are taken. These proposed fines dwarf previous fines issued by the ICO, which were capped at £500,000 under the old privacy regime.

Until now the business world has been waiting to see how the ICO would use its powers under the new GDPR regime. Under the regime, the ICO can now impose a broader range of significant civil penalties for data protection breaches than was previously possible. This includes penalties of up to €20 million or 4% of a company's global annual turnover, whichever is higher, as well as potentially ordering companies to stop processing personal data altogether. The ICO is clearly now baring its teeth.

Insurance

One issue that companies in the position of BA or Marriott might be considering is whether an ICO fine is covered by any insurance they have. That might shine a light on an unresolved issue, namely whether the fines that the ICO can now impose under the new GDPR regime are insurable.

Many insurance policies provide cover for civil fines to the extent permitted by law. However, what is permitted or prohibited by law is something of a vexed question. The GDPR says nothing about whether such cover is permitted or prohibited, and the ICO has said that it is not aware whether insurance is available for any fines it may impose. Under English law, it is therefore necessary to look to the general principles of the common law.

It is generally accepted that under common law a fine for deliberate, criminal or quasi-criminal conduct is uninsurable (save potentially in respect of strict liability offences). But there is a debate within the insurance market as to whether ICO fines for less serious conduct are insurable. In January 2019 the Global Federation of Insurance Associations called for clarity from the Organisation for Economic Cooperation and Development (OECD) regarding the insurability of fines and penalties following privacy breaches. The OECD's insurance and private pensions committee is considering the issue.

What is the test to be applied?

Until the issue of insurability of GDPR fines is resolved by policymakers or the courts, the debate will continue. But policyholders and insurers want to know now what the answer might be. What then does the answer turn upon and what guidance might be provided at this stage?

The relevant legal principle in issue is the illegality defence, also known as the "ex turpi causa" doctrine. It prevents a legal right of action from being enforced by the courts when it is founded on "immoral or illegal" conduct. It is directed at both criminal and quasi-criminal conduct. The rationale behind the defence is that it would be contrary to the public interest to enforce a claim if to do so would be harmful to the integrity of the legal system. As such, the issue is whether an insurer is entitled to rely on this defence, and refuse cover, in response to an insured's claim for indemnity for an ICO fine.

There has been considerable debate in the courts and amongst legal academics as to how precisely the defence should be applied. Guidance as to some of the factors that will be considered can be drawn from the following cases:

  • In Safeway v Twigger, the judge at first instance determined that anti-competitive acts in breach of the Competition Act 1998 involved the necessary element of moral reprehensibility and were sufficiently serious to engage the illegality defence (this was not disputed by the parties on appeal). In reaching that conclusion he took into account the "quasi-criminal" nature, characteristics and purpose of the penalty imposed, including that a heightened civil standard of proof was applied to serious cases and that for the purposes of the right to a fair trial under the European Convention for the Protection of Human Rights, Competition Appeal Tribunal proceedings are regarded as involving a "criminal charge".
  • In Les Laboratoires Servier, the Supreme Court explained that the illegality defence was concerned with acts which were contrary to the public law of the state and which engaged the public interest. These included "quasi-criminal" acts which infringed statutory rules enacted for the protection of the public interest and which attracted civil sanctions of a penal character.
  • Most recently, in the case of Patel v Mirza, the Supreme Court made clear that even where conduct is "illegal" such that it falls within the remit of the illegality defence, the defence will only succeed if the court considers that it would be in the public interest to allow it. The following factors ought to be considered:
    • the underlying purpose of the prohibition which has been transgressed;
    • any other relevant public policies which may be rendered less effective by denial of the claim; and
    • whether upholding the defence would be a proportionate response to the illegality, bearing in mind the seriousness of the conduct, its centrality to the contract and whether it was intentional.

What is the answer likely to be in respect of ICO penalties for non-intentional conduct?

The types of behaviour which may lead to penalties under the GDPR are many and varied, ranging from failure to maintain a record of processing activities to failure to comply with any of the key principles underpinning the GDPR itself.

Given the spectrum of behaviours that can give rise to a penalty, it is difficult to conclude in general terms, based on the case law to date, how the illegality defence will apply to ICO penalties. This is because the criteria determining the application of the defence are closely tied to factors such as the purpose of the provision which has been transgressed and the seriousness of the conduct.

There are some features of ICO penalties which may suggest that they are not insurable:

  • the GDPR arguably engages the public interest, its purpose being to protect individuals' "fundamental rights" in relation to the processing of personal data;
  • the interests of public policy may dictate that companies in breach of the GDPR bear their own responsibility for the consequent penalties in order to dis-incentivise behaviour which would otherwise breach the regulations;
  • penalties (as opposed to compensation claims) under the GDPR are imposed directly on a company and are paid directly to the ICO rather than the person affected by a breach, which could indicate that the purpose of the penalty (as with a criminal fine) is to punish and deter rather than to compensate; and
  • the magnitude of the penalties that can be imposed could be said to imply the punitive and quasi-criminal nature of a penalty.

Conversely, however, there are features of ICO fines that suggest they should, in principle, be insurable in certain circumstances. Most significantly, the imposition of a fine for breach of the GDPR does not necessarily require intent, and many of the relevant contraventions are strict liability in nature. It is not clear that the reasoning in Safeway is directly analogous, because the statute and the relevant provisions are different. Case law suggests that the courts are reluctant to engage the illegality defence where an illegal act has been committed without intent (e.g. innocent conduct).

There are some compelling arguments, therefore, that the insurability of an ICO fine may turn on the nature of the GDPR provision that has been breached, and the behaviour that caused the breach, i.e. cases will be very fact specific. The answer may be very different in respect of a fine levied in respect of an unintentional data breach where, for example, a company has fallen victim to a nation state attack, as compared to a fine levied for a company's decision knowingly to process personal data of its customers without the necessary consent or other legitimate basis.

To the extent the ICO levies fines in relation to non-intentional and strict liability breaches, the courts may have significant reservations about determining that the illegality defence is engaged if they consider that the necessary element of moral reprehensibility is absent.

Conclusion

For the time being at least, the flexibility afforded to the courts by the current legal terrain means that it is difficult to predict precisely how they will respond to the question of the insurability of ICO fines but it may now only be a matter of time before the question comes before the courts or is resolved by policymakers. Even then, the answer may be highly fact specific – but that would nonetheless be a big step forward in advancing the debate. In the meantime, we would urge caution against the school of thought that treats all GDPR fines as uninsurable – they may be in some cases but there is a debate to be had.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
