Insurability of GDPR Fines and Related Expenses – A Need for Reassessment in the Light of Recent Enforcement Action
16 August 2019
Authors: Erkko Korhonen and Anton Pirinen
The Financial Supervisory Authority in Finland (the “FIN-FSA”) found the provision of insurance against administrative fines prohibited well before any significant fines had been issued. The underlying basis of the prohibition was the premise that it would be contrary to good insurance practice and generally accepted social values to provide insurance against a risk where the insurance might encourage actors’ indifference to regulatory compliance and compromise actors’ obligation to comply with the respective regulations. In some countries, enforcing such insurance may also fall under a public policy exception, such as the ex turpi causa doctrine, the purpose of which is to prevent a legal right of action from being enforced by the courts when it is founded on “immoral or illegal” conduct.
The question of insurability has recently been reignited in connection with the intensifying enforcement elsewhere and the establishment of the Finnish Data Protection Supervisory Authority’s Sanctions Board, meaning that GDPR fines can at last also be issued in Finland. How does the FIN-FSA’s reasoning for the prohibition succeed in the light of the recent enforcement action?
British Airways, Marriott, and the Advent of Strict Liability
The United Kingdom’s data protection authority (Information Commissioner’s Office, “ICO”) recently announced its intention to impose significant fines on British Airways (£183 million) and Marriott (£100 million). The fine proposed for Marriott relates to its alleged failure to undertake sufficient due diligence when it acquired the Starwood Hotels group and to secure its systems, allegedly leading to the compromise of approximately 339 million guest records. The British Airways fine relates to an incident where user traffic to the British Airways website was diverted to a fraudulent site, whereby the details of approximately 500,000 customers were allegedly harvested by the attackers.
In both cases, the ICO’s approach appears rather rigorous. Under Article 32 of the GDPR, organisations are required to implement measures to ensure a level of security appropriate to the risk, i.e. the risks inherent in the processing should be evaluated and measures implemented to mitigate those risks. In contrast, the statements recently issued by the UK’s Information Commissioner Elizabeth Denham suggest that, in the authorities’ view, personal data should be secured in an absolute sense. In the Marriott case, the Information Commissioner stated that “organisations have a legal duty to ensure personal data’s security”. Similar reasoning is present in the British Airways case, where the Information Commissioner stated that “when you are entrusted with personal data you must look after it” and (more in line with Article 32 of the GDPR) that “those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights”. It should be noted that the ICO acted as lead supervisory authority on behalf of other European supervisory authorities in both of these cases, and its approach may therefore reflect the views of those other authorities as well.
In addition to the ICO, the Romanian Supervisory Authority has also recently issued fines for data breaches. Based on the publicly available information, the Romanian authorities seem to have concluded that if a data breach has occurred, appropriate technical and organisational security measures have not been implemented.
In the light of the above, liability for data breaches in the context of administrative fines appears to be strict. On this premise, it seems that an organisation could face fines for a data breach despite its diligent efforts to implement measures to ensure a level of security appropriate to the risk. It can be questioned whether insuring against this type of incident, where the controller has done its very best to avoid the data breach, would encourage indifference to regulatory compliance.
IDDesign and PwC – Business Risks Realised?
The GDPR establishes that personal data cannot be stored for longer than is necessary for the purposes for which the personal data are processed. This has been criticised and even ignored by many, particularly in the context of information systems that pre-date the GDPR. Such an omission recently materialised in Denmark, where the furniture company IDDesign A/S was fined €200,000 for having processed personal data of its customers for longer than necessary in an older system, which had already been replaced by a newer one in some of its stores. This type of (mis)conduct is probably the kind of conduct that the FIN-FSA had in mind when it issued its interpretation on the insurability of GDPR fines.
In addition to omissions, the FIN-FSA’s reasoning is also likely to hold its ground where an organisation has actively engaged in unlawful conduct. This was the case in the Hellenic Data Protection Authority’s recent decision, where PricewaterhouseCoopers Business Solutions S.A. was fined €150,000 for the selection and application of an inappropriate legal basis to its processing of employee personal data.
The FIN-FSA had earlier found the provision of insurance against administrative fines prohibited on the basis that it would be contrary to good insurance practice and generally accepted social values to provide insurance against a risk where the insurance might encourage actors’ indifference to regulatory compliance and compromise actors’ obligation to comply with the respective regulations.
In the light of recent enforcement action, the FIN-FSA’s reasoning seems mostly solid: insuring fines and related expenses where they result from the actor’s negligence or wilful misconduct would undermine the GDPR’s effectiveness and ultimately the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data. However, as the recent data breaches suggest, a fine could also be issued in connection with diligent conduct – or at least conduct that was diligent at the moment when, for example, the actor considered the adequacy and appropriateness of its data security measures. As insuring against this kind of incident does not encourage indifference to regulatory compliance, there might be a need to revise the FIN-FSA’s guidance.