Insurability Of Fines And Penalties For Breaches Of The GDPR: A UK And German Perspective

The increasing powers of regulators, together with the heightened focus on corporate governance and individual accountability, means that companies and their directors and officers are increasingly exposed to investigations which may lead to the imposition of fines and penalties. The question of whether these fines are insurable is one which (while not new) has been brought into sharp relief by the introduction of the General Data Protection Regulation (GDPR), under which supervising authorities (the Information Commissioner's Office (ICO) in the UK and the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) and the various state level Landesbeauftragte für den Datenschutz (LfD) in Germany) can, amongst other things, impose fines of:

- up to €10 million or 2% of annual global turnover, whichever is higher, for breaches of provisions of the GDPR, such as the obligations on data controllers and data processors;
- up to €20 million or 4% of annual global turnover, whichever is higher, for breaches of the provisions of the GDPR, such as the principles for processing, the conditions for consent and the rights of data subjects.

It is worth noting that not all infringements of the GDPR will lead to the large fines that have captivated the press. Whilst there has been the recent €50 million fine imposed on Google by the French data regulator, CNIL, for "lack of transparency, inadequate information and lack of valid consent regarding ads personalisation", the 41 fines that have thus far been imposed in Germany have largely been low value, with the highest fine being in the amount of €80,000. The UK has yet to issue significant fines, though an enforcement notice has been issued to the Canadian company AggregateIQ Data Services ("AIQ"), as part of a wide-ranging investigation by the ICO into the improper use of personal data analytics for political purposes (involving Cambridge Analytica and Facebook), which may, in time, lead to a significant fine under the GDPR.

The question is: will GDPR fines be insurable? There is a huge degree of uncertainty on this point, an uncertainty which has recently led the Global Federation of Insurance Associations to call for clarity from the Organisation for Economic Cooperation and Development (OECD) about whether insurers can pay out for fines imposed under the GDPR - not a declaration one way or another, but a guide on how different supervisory authorities will consider the issue.

Until such clarity comes, we examine the question of insurability in this article from the perspective of the UK and Germany.

Insurability of fines and penalties

As a preliminary point, it should be noted that the UK and German authorities have not themselves declared whether or not any fines they issue should be capable of being insured, unlike, for example, the Financial Conduct Authority (FCA) in the UK, which expressly prohibits the insuring of fines it imposes for breaches of financial regulations. Therefore, we must first consider general principles, which can then be applied to the GDPR.

The first port of call is...