The introduction of the General Data Protection Regulation (EU) 2016/679 (GDPR) has raised data protection to a board-level issue, as companies face potentially vast fines in the event of an infringement of the GDPR. This level of focus has also led to an increase in the take-up of cyber insurance policies. As the first fines are imposed across Europe, a question will now be asked of insurance companies: are GDPR fines actually insurable?
In January 2019, a fine of 50 million (the most significant fine imposed under the GDPR regime to date) was imposed by the French Data Protection Authority (the CNIL) on a large global technology company. Although the Irish Data Protection Commission (the DPC) has yet to impose any fine under the GDPR, it seems likely to be only a matter of time before the first fine is imposed in Ireland. In 2018, the DPC received 4,113 complaints, and a number of statutory investigations have since been commenced under the GDPR. 1 It appears it will not be long before we see the first Irish administrative fine under the GDPR and, indeed, the DPC's 2018 Annual Report strongly suggests this to be the case.
While some cyber insurance policies expressly exclude cover for fines and penalties, others provide cover to the extent insurable by law. However, the extent to which GDPR fines are insurable is still uncertain in Ireland and in a number of other jurisdictions, including the UK. Such uncertainty has prompted the Global Federation of Insurance Associations to call for guidance from the Organisation for Economic Cooperation and Development (the OECD). While such guidance would not be binding, it would be a helpful starting point for both insurers and insureds to consider their potential exposure.
The GDPR introduced a new regime of administrative fines for data protection infringements and provided for a tiered penalty structure based on the nature of the infringement. Under the old regime, the DPC was required to initiate court proceedings in order to prosecute offending organisations. It would then be the Irish Courts, rather than the DPC, that would impose the (often modest) monetary sanction on the offending company. Under the GDPR, the DPC can now directly impose fines on offending organisations. 2 This makes it much easier for the DPC to target companies that do not meet their data protection responsibilities.
The GDPR splits administrative fines into two tiers. The lower-tier administrative fines, which we will call 'tier 1' fines, allow for fines of up to 10...