23 July 2019
The introduction of the EU General Data Protection Regulation (2016/679) (GDPR) has raised data protection to a board-level issue, leading to an increase in the take-up of cyber insurance policies and some significant administrative fines being levied by European regulators. In particular, the UK Information Commissioner's Office has announced its intention to impose the largest GDPR fine to date on British Airways (£183.39 million) and a fine of £99 million on the Marriott hotel chain. It seems likely that it will only be a matter of time before fines are imposed by the Irish Data Protection Commissioner (DPC) under the GDPR. The DPC's 2018 Annual Report strongly suggests that the first fines are imminent, and there is potential for the DPC to impose very significant fines, given the worldwide annual turnover of the companies it regulates.
While some cyber insurance policies expressly exclude cover for fines and penalties, others provide cover "to the extent insurable by law". However, the extent to which GDPR fines are insurable is still uncertain in Ireland and in several other jurisdictions, including the United Kingdom. The Irish Data Protection Act 2018 is silent on the insurability of administrative fines and, as a new regime, the question of whether GDPR fines are insurable has not yet come before the Irish courts.
The GDPR introduced a new regime of administrative fines for data protection infringements and provides for a tiered penalty structure based on the nature of the infringement. For the first time, the DPC can now directly impose fines on offending organisations, making it much easier for the DPC to target companies that do not meet their data protection responsibilities. Criminal or punitive fines and penalties have long been considered uninsurable for public policy reasons. However, there is less clarity where fines are administrative in nature.
The GDPR splits administrative fines into the following two tiers:
Third-level fines ('Tier 3' fines) are those which have been specifically implemented by legislation in a member state. In Ireland, these fines are set out in the Irish Data Protection Act 2018. The penalty for committing an offence under this act is a fine of up to €5,000 or up to 12 months' imprisonment on summary conviction (or both), or a fine of up to €250,000 or up to five years' imprisonment on indictment (or both). Therefore, while Tier 1 and Tier 2 fines are expressly stated by the GDPR to be administrative in nature, Tier 3 fines are criminal in nature. Examples of actions that will attract a Tier 3 fine include:
Whether the DPC imposes a Tier 1 or Tier 2 fine will depend on the nature of the GDPR infringement. The level of the fine within that tier which is ultimately imposed depends on several factors, including the severity of the infringement. Critically, the GDPR provides that the DPC must ensure that the imposition and amount of all fines under the GDPR are "effective, proportionate" and, importantly, "dissuasive" (ie, the fines are designed to dissuade companies from infringing their data protection obligations and responsibilities).
The ex turpi causa legal doctrine prevents a claimant from pursuing legal remedies in order to recover or benefit as a result of their own illegal acts. Where a fine or penalty is intended to be a deterrent or dissuasive, public policy would clearly be undermined if a wrongdoer could simply insure against paying the fine. The English courts have considered the ex turpi causa doctrine in other contexts and, while decisions of the English courts would not be binding on an Irish court, they would likely be persuasive. The English courts have held that some element of "moral turpitude" is required (Safeway v Twigger), suggesting that a purely innocent breach or wrongdoing might not attract the doctrine and could in theory be insurable (although on appeal Lord Justice Pill considered that the policy of the relevant statute would be undermined if companies were able to pass on the liability to their directors' and officers' insurance). In another English case, Patel v Mirza, the UK Supreme Court considered whether:
Following a recent Irish Supreme Court decision (Quinn v IBRC), the position in relation to ex turpi causa in Ireland remains unclear, and the application of the maxim in Ireland depends on the nature of the wrongdoing.
The position on the insurability of GDPR fines remains a grey area, and there is a large question mark over whether GDPR fines will be insurable in Ireland where there is an element of "moral turpitude" in the infringement. The GDPR calls for fines to be "dissuasive", and if all GDPR fines were indemnifiable under insurance, the public policy behind the fines could arguably be undermined. It may be that some element of moral turpitude or wrongdoing would be required for a fine to be uninsurable, which could result in a sliding scale of insurability, with criminal or quasi-criminal fines likely to be uninsurable.
For further information on this topic please contact April McClements, Aisling Kavanagh, Chris Bollard or Finin O'Brien at Matheson by telephone (+353 1 232 2000) or email (firstname.lastname@example.org, email@example.com or firstname.lastname@example.org or email@example.com). The Matheson website can be accessed at www.matheson.com.