The UK’s data protection authority, the ICO, has announced twice in two days this week that it proposes to levy significant fines on organisations for breaches of the General Data Protection Regulation (GDPR), which took effect in May 2018. First it announced that it intends to fine British Airways some £183 million for a data breach in 2018 that affected 500,000 customers (see our Data Blog here for more details). The following day it announced that it proposed to fine Marriott hotels group nearly £100 million, again for a data breach that affected customers (see our Data Blog here for more details). Both BA and Marriot may make representations to the ICO before final decisions are taken. These proposed fines dwarf previous fines issued by the ICO which were capped at £500,000 under the old privacy regime.
Until now the business world has been waiting to see how the ICO would use its powers under the new GDPR regime. Under the regime, the ICO can now impose a broader range of significant civil penalties for data protection breaches than was previously possible. This includes penalties of up to €20 million or 4% of a company’s global annual turnover, as well as potentially ordering companies to stop processing personal data altogether. The ICO is clearly now baring its teeth.
One issue that companies in the position of BA or Marriott might be considering is whether an ICO fine is covered by any insurance they have. That might shine a light on an unresolved issue namely whether the fines that the ICO can now impose under the new GDPR regime are insurable.
Many insurance policies provide insurance coverage for civil fines to the extent permitted by law. However, what is permitted or prohibited by law is something of a vexed question. The GDPR says nothing about whether such coverage is permitted or prohibited and the ICO has said that it is not aware whether insurance is available for any fines it may impose. Under English law, it is therefore necessary to look to the general principles of the common law.
It is generally accepted that under common law a fine for deliberate, criminal or quasi-criminal conduct is uninsurable (save potentially in respect of strict liability offences). But there is a debate within the insurance market as to whether ICO fines for less serious conduct are insurable. In January 2019 the Global Federation of Insurance Associations called for clarity from the Organisation for Economic Cooperation and Development (OECD) regarding the insurability of fines and penalties following privacy breaches. The OECD’s insurance and private pensions committee is considering the issue.
What is the test to be applied?
Until the issue of insurability of GDPR fines is resolved by policymakers or the courts, the debate will continue. But policyholders and insurers want to know now what the answer might be. What then does the answer turn upon and what guidance might be provided at this stage?
The relevant legal principle in issue is the illegality defence, also known as the “ex turpi causa” doctrine. It prevents a legal right of action from being enforced by the courts when it is founded on “immoral or illegal” conduct. It is directed at both criminal and quasi-criminal conduct. The rationale behind the defence is that it would be contrary to the public interest to enforce a claim if to do so would be harmful to the integrity of the legal system. As such, the issue is whether an insurer is entitled to rely on this defence, and refuse cover, in response to an insured’s claim for indemnity for an ICO fine.
There has been considerable debate in the courts and amongst legal academics as to how precisely the defence should be applied. Guidance as to some of the factors that will be considered can be drawn from the following cases:
In Safeway v Twigger, the judge at first instance determined that anti-competitive acts in breach of the Competition Act 1998 involved the necessary element of moral reprehensibility and were sufficiently serious to engage the illegality defence (this was not disputed by the parties on appeal). In reaching that conclusion he took into account the “quasi-criminal” nature, characteristics and purpose of the penalty imposed, including that a heightened civil standard of proof was applied to serious cases and that for the purposes of the right to a fair trial under the European Convention for the Protection of Human Rights, Competition Appeal Tribunal proceedings are regarded as involving a “criminal charge”.
In Les Laboratoires Servier, the Supreme Court explained that the illegality defence was concerned with acts which were contrary to the public law of the state and which engaged the public interest. These included “quasi-criminal” acts which infringed statutory rules enacted for the protection of the public interest and which attracted civil sanctions of a penal character.
Most recently, in the case of Patel v Mirza, the Supreme Court made clear that even where conduct is “illegal” such that it falls within the remit of the illegality defence, the defence will only be successful if the court considers that it would be in the public interest to allow the defence. The following factors ought be considered:
the underlying purpose of the prohibition which has been transgressed;
any other relevant public policies which may be rendered less effective by denial of the claim; and
whether upholding the defence would be a proportionate response to the illegality, bearing in mind the seriousness of the conduct, its centrality to the contract and whether it was intentional.
What is the answer likely to be in respect of ICO penalties for non-intentional conduct?
The types of behaviour which may lead to penalties under the GDPR are many and varied, ranging from failure to maintain a record of processing activities to failure to comply with any of the key principles underpinning the GDPR itself.
Given the spectrum of behaviours that can give rise to a penalty, it is difficult to conclude in general terms based on the case law to-date how the illegality defence will apply to ICO penalties. This is because the criteria determining the application of the defence are closely tied to factors such as the purpose of the provision which has been transgressed and the seriousness of conduct.
There are some features of ICO penalties which may suggest that they are not insurable:
the GDPR arguably engages the public interest, its purpose being to protect individuals’ “fundamental rights” in relation to the processing of personal data;
the interests of public policy may dictate that companies in breach of the GDPR bear their own responsibility for the consequent penalties in order to dis-incentivise behaviour which would otherwise breach the regulations;
penalties (as opposed to compensation claims) under the GDPR are imposed directly on a company and are paid directly to the ICO rather than the person affected by a breach, which could indicate that the purpose of the penalty (as with a criminal fine) is to punish and deter rather than to compensate; and
the magnitude of the penalties that can be imposed could be said to imply the punitive and quasi-criminal nature of a penalty.
Conversely, however, there are features of ICO fines that suggest they should, in principle, be insurable in certain circumstances. Most significantly, the imposition of a fine for breach of the GDPR does not necessarily require intent and many offences are strict liability offences. It is not clear that the rationale in Safeway is directly analogous because the statute and relevant provisions are different. Case law suggests that the courts are reluctant to engage the illegality defence where an illegal action has been committed without intent (e.g. innocent conduct).
There are some compelling arguments, therefore, that the insurability of an ICO fine may turn on the nature of the GDPR provision that has been breached, and the behaviour that caused the breach, i.e. cases will be very fact specific. The answer may be very different in respect of a fine levied in respect of an unintentional data breach where, for example, a company has fallen victim to a nation state attack, as compared to a fine levied for a company’s decision knowingly to process personal data of its customers without the necessary consent or other legitimate basis.
To the extent the ICO levies fines in relation to non-intentional and strict liability breaches, the courts may have significant reservations about determining that the illegality defence is engaged if they consider that the necessary element of moral reprehensibility is absent.
For the time being at least, the flexibility afforded to the courts by the current legal terrain means that it is difficult to predict precisely how they will respond to the question of the insurability of ICO fines but it may now only be a matter of time before the question comes before the courts or is resolved by policymakers. Even then, the answer may be highly fact specific – but that would nonetheless be a big step forward in advancing the debate. In the meantime, we would urge caution against the school of thought that treats all GDPR fines as uninsurable – they may be in some cases but there is a debate to be had.