The Insurability Of GDPR Fines

The introduction of the General Data Protection Regulation (EU) 2016/679 ("GDPR") has raised data protection to a board level issue, as companies are faced with potentially vast fines in the event of an infringement of the GDPR. This level of focus has also led to an increase in the take up of cyber insurance policies. As the first fines are imposed across Europe, a question will now be asked of insurance companies: are GDPR fines actually insurable?

In January 2019, a fine of €50 million (the most significant fine to be imposed under the GDPR regime to date) was imposed by the French data protection authority (the CNIL) on Google LLC. More recently, on 8 July 2019, the UK Information Commissioner's Office announced its intention to fine British Airways £183.39 million (which will be the largest fine to date under the GDPR regime if imposed) for infringements of the GDPR relating to a cyber-security incident which occurred in September 2018. The following day (in response to a statement made by Marriott in a regulatory filing), it announced its intention to fine the Marriott hotel chain £99 million for infringements of the GDPR relating to a cyber incident in November 2018.

Although the Irish Data Protection Commission (the "DPC") is yet to impose any fine under the GDPR, it seems likely it will only be a matter of time before we see the first fine imposed in Ireland. In 2018, the DPC received 4,113 complaints and a number of statutory investigations have since been commenced under the GDPR.1 It appears it will not be long before we see the first Irish administrative fine under the GDPR and, indeed, the DPC's 2018 Annual Report strongly suggests this to be the case.

While some cyber insurance policies expressly exclude cover for fines and penalties, others provide cover "to the extent insurable by law". However, the extent to which GDPR fines are insurable is still uncertain in Ireland and in a number of other jurisdictions, including the UK. Such uncertainty has prompted the Global Federation of Insurance Associations to call for guidance from the Organisation for Economic Cooperation and Development (the "OECD"). While such guidance would not be binding, it would be a helpful starting point for both insurers and insureds to consider their potential exposure.

GDPR Fines

The GDPR introduced a new regime of administrative fines for data protection infringements and provided for a tiered penalty structure based on the nature of the infringement. Under the old regime, the DPC was required to initiate court proceedings in order to prosecute offending organisations. It would then be the Irish Courts, rather than the DPC, that would impose the (often modest) monetary sanction on the offending company. Under the GDPR, the DPC can now directly impose fines on offending organisations.2 This makes it much easier for the DPC to target companies that do not meet their data protection responsibilities.

The GDPR splits administrative fines into two tiers. The lower-tier administrative fines, which we will...
