GDPR Fines and Cyber Insurance
The General Data Protection Regulation (Regulation 2016/679), the “GDPR”, will come into effect from 25 May 2018, when the present Data Protection Directive 95/46/EC will be repealed.
In the Queen’s Speech on 21 June 2017, the government confirmed its intention to enact a new data protection law, which is expected to give effect to the GDPR after Brexit and replace the present Data Protection Act 1998.
Any business which provides any type of goods or services to individuals within the EU, regardless of whether it stores or processes data within the EU or not, will have to comply with the GDPR.
The GDPR provides that serious infringements of its requirements may be punished by a fine of the higher of 4% of annual worldwide turnover or EUR 20 million.
Insurable Fines and the Illegality Defence
Cyber policies usually grant cover for civil fines provided that these fines are “insurable at law”.
Under English law, the public policy principles enshrined in the “illegality defence” will determine whether fines are “insurable at law”.
In brief, the “illegality defence” prevents a claimant from pursuing a civil claim against another party if the claim is based on the claimant’s own illegal acts.
It follows that the “illegality defence” also prevents companies and individuals from negating the deterrent effect of fines arising from their own illegal acts by making an insurance claim for recovery of those fines.
The “illegality defence” clearly applies to prevent recovery of criminal fines by means of insurance claims. There is no doubt about the illegality of a criminal act, which is punished by a fine, and the public policy interest in preventing the wrongdoer’s recovery of an indemnity for a fine by means of an insurance claim.
Lord Hoffmann in the House of Lords decision in Gray v Thames Trains  1 A.C. 1339 upheld the application of the “illegality defence” in relation to a criminal fine, stating that a claimant:
“… cannot recover for damage which flows from … a fine or other punishment lawfully imposed … in consequence of [his/her]… own unlawful act…”. [emphasis added]
In relation to civil or regulatory fines, such as a fine under the GDPR, some detailed analysis of the nature of the act giving rise to the fine will be necessary.
The leading authority under English law on whether regulatory fines are “insurable at law” is the decision of the Court of Appeal in Safeway Stores Ltd v Twigger  EWCA Civ 1472.
In this case, pursuant to the Competition Act 1998, the Office of Fair Trading issued a regulatory fine against Safeway. As a result, Safeway sued its own directors in order to claim under their D&O policy.
The First Instance Judge, Flaux J, noted that:
“…the real target of the present claim is not the assets of the individual defendants, many of whom are of modest means, but the directors’ and officers’ liability insurance available to the defendants…”
Flaux J, after reviewing the previous authorities, held that the “illegality defence” applied to the regulatory fine relating to the breach of the Competition Act 1998. The breach was held to be sufficiently serious and “morally reprehensible”, even where it had been committed without intention.
On appeal, the Court of Appeal held that under section 31(3) of the Competition Act 1998 a penalty could be imposed for a breach committed directly by the company itself (not vicariously through its directors) which had been committed negligently, and not only if it had been intentional. Accordingly, this regulatory fine was imposed against the company and did not require “intentional illegality”.
As a result, the Court of Appeal decided that the “illegality defence” applied to prevent the regulatory fine from being recovered by Safeway against its employees or directors and, consequently, its D&O insurers. The regulatory fine was not “insurable at law”.
Pill LJ expressly confirmed the public policy principle that:
“The policy of the statute would be undermined if undertakings were able to pass on the liability to their employees or the employees’ D&O insurers…”
The principle that regulatory fines of a penal character are uninsurable was also recognised by Lord Sumption in the Supreme Court in the case of Les Laboratoires Servier v Apotex Inc  UKSC 55, stating in relation to the “illegality defence” that:
“…non-criminal acts giving rise to the defence includes cases of … the infringement of statutory rules enacted for the protection of the public interest and attracting civil sanctions of a penal character, such as the competition law considered by Flaux J in Safeway Stores Ltd v Twigger…”
This approach has also been supported by the Competition Appeal Tribunal in the more recent case of Sainsbury’s Supermarkets Ltd v MasterCard Inc. and ors  CAT 11, where it was held that:
“(2) Whether an infringement of competition law can trigger an illegality defence depends upon whether that infringement is an “innocent” one (in which case, we consider it cannot) or a “negligent” or “deliberate” one (in which case it may do).
(3) … If Parliament and EU law have determined that the regulatory authorities should have no jurisdiction to punish innocent, as opposed to negligent or intentional, breaches …, then we consider this to be clear guidance as to what would and would not engage the public interest for the purposes of the illegality defence.”
Similarly, this approach is also followed by the Financial Conduct Authority under General Provision 6 (Insurance against financial penalties) of the FCA Handbook, which forbids any regulated firm from obtaining insurance cover against financial penalties.
Under Art 83(2)(b) of the GDPR, “the intentional or negligent character of the infringement” is one of the several factors to be taken into account by the UK supervisory authority, The Information Commissioner’s Office (“ICO”), for imposing fines.
It is unlikely that the ICO will impose fines under the GDPR for an infringement which was entirely innocent (e.g. hacking causing a data breach).
For a fine to be imposed, it is more likely there must be at least some degree of negligence (or culpability) by the data controller, as envisaged for instance under Art 83(2)(d) and (j) of the GDPR, due to a failure to adhere to approved codes of conduct or approved certification mechanisms as well as technical and organisational measures.
As a consequence, the “illegality defence” is likely to apply so that regulatory fines under the GDPR will not be “insurable at law”.
Nevertheless, in view of the complex nature of the “illegality defence”, all the underlying circumstances, the express terms of the fine and any statements by the ICO regarding the fine will have to be carefully scrutinised in order to determine whether the fine relates to innocent, negligent or intentional conduct.
Further, the question of whether a regulatory fine is “insurable at law” depends on the governing law of the insurance contract and the national policies of the regulatory authority which has the power to impose the fine. Different governing laws and regulatory authorities may yield conflicting decisions as to whether a fine is “insurable at law” either due to the “illegality defence” or some other national legal doctrine or public policy.
In the case of Jetivia SA and another v Bilta Ltd (in liquidation) and others  UKSC 23, relating to a VAT fraud committed by the directors of an insolvent company, some members of the Supreme Court raised some doubts about the Court of Appeal’s decision in Safeway Stores Ltd v Twigger  EWCA Civ 1472, in particular, a company’s right to sue its directors for damages caused by their fraudulent conduct.
It was argued that at least where fraudulent actions by the directors give rise to a liability which is vicariously (not directly) attributable to the company, a company may have a right to claim damages against those directors and, consequently, their D&O insurers.
However, the decision by the Supreme Court in Jetivia v Bilta does not relate to regulatory fines imposed directly on a company (as in Safeway Stores) and the majority of the Supreme Court expressed at least some degree of approval of the correctness of the decision in Safeway Stores. Accordingly, unless the issue is directly brought before the Supreme Court in the future, Safeway Stores remains the definitive authority under English law regarding the non-recovery of regulatory fines under insurance policies.
If you wish to discuss any of the issues in this article, please contact Celso de Azevedo, whose details appear below.