Go back to menu

Insurability of fines under GDPR

A breakdown for Germany, Italy, the Netherlands and the UK

03 September 2017

One of the aspects of the new EU General Data Protection Regulation ("GDPR") (which will become law in May 2018) which is causing concern is the very serious sanctions for breach, including fines which can go as high as 4% of the global turnover of a group of companies.

For companies faced with this new level of risk in relation to data privacy breaches, what role can insurance play?

In principle, there could be several routes to recovery, including a direct indemnity claim under an E&O policy, or an indirect claim against professional advisers or directors and employees under their respective D&O or E&O policies.

In practice, there are significant obstacles to recovery, and as can be seen the position varies from jurisdiction to jurisdiction.

Looking at direct claims first, the most obvious issue is that there may well be an express exclusion in relation to "fines and penalties" which would be an immediate bar to recovery.  Even where there is not an express exclusion, there is still likely to be public policy concerns about enabling companies to insure in respect of fines arising out of breach of GDPR.

Germany

The insurability of fines has been intensely discussed in Germany in the past years. Whereas there is agreement that direct insurance of fines would conflict with public policy and would therefore be void under German civil law, the situation is less clear as regards the insurance of recovery claims against directors and employees under D&O policies.

It is disputed in Germany whether an employer may take recourse against directors and employees for damages resulting from fines. Some commentators take the position that directors and employees are liable for such damages within the general frameworks of managers and employees liability, others argue that the liability should at least be limited to take into account that the fines are determined based on the financial position of the employer and a third group excludes such recourse claims entirely.

In January 2015, the Higher Labour Court Düsseldorf denied a recourse claim of a company that was part of a rail cartel against its managing director. The court held that the fine was not an indemnifiable damage on the basis that the addressee of the fine was the company and not the persons acting on its behalf. The determination and purpose of the fine under administrative law should not be undermined under civil law by a recourse claim against a third party. This decision, however, did not become effective, as it was annulled by the German Federal Labour Court in June 2017 which held that the Labour Courts where not competent as the case required the answering of questions of cartel law.

Therefore, the question whether the employer may take recourse against directors and employees for damages resulting from fines is still open. However, if such recourse claim would be given, the second question would arise whether their insurance under D&O policies would be effective. Legal commentators are at variance also in this regard. Whereas some deny insurability as against public policy, others point out that the recourse claim does not have the same quality as a fine and should therefore be insurable. In any case, it will need to be distinguished between the degrees of fault. Intentional breaches of duty may not be insured whereas an insurance of negligence should be conceivable.

Italy

In Italy the position is clear, because it has been expressly addressed in the Insurance Code.

Article 12 of legislative decree no. 209/2005 (the Insurance Code) expressly stipulates that insurance in respect of administrative sanctions is not permitted. Any contract purporting to insure against administrative sanctions is null and void. However, pursuant to Article 167, paragraph 2, of the Insurance Code (to which Article 12 cross-refers), only the policy holder and/or the insured party (not the insurer) can take action to have the contract declared null and void. Moreover, amounts paid by the insurer before the contract is declared null and void are not reversed.

The Netherlands

There is no provision in Dutch law which prohibits companies from insuring in respect of regulatory penalties.

The ex turpi causa doctrine, as applied in the UK, is not embedded in Dutch statutory law and has scarcely been commented on. Although Dutch civil law provides that "an insurer shall not pay any damages to the insured who caused the damage intentionally or through recklessness" this provision is not binding and insurers may deviate from that rule in their policies and offer insurances for damages that were caused intentionally or recklessly.

Eventually, the legal backstop is the rule of civil law that a legal act that by its content or its scope is contrary to public policy or accepted principles of morality is void. This rule might be applied to insurances which cover fines and penalties. This was acknowledged by the Dutch Cabinet back in 2007 when it responded to parliamentary questions about an insurer that offered insurance for personal traffic fines. This however is a rather clear example of an insurance that may be considered void in the Netherlands.

Insurance coverage for regulatory penalties incurred by a company, under D&O or E&O policies, is more of a grey area. It has been argued that even though for civil liability purposes acts or omissions of employees may be attributed to a company, such that the company may be deemed to have acted intentionally or recklessly and be liable for damages, this does not mean that a company could not have insurance coverage for such damages. The reasoning is that companies may be held liable under civil or regulatory law, but that the faulty acts of the relevant employees may be more serious than the company's. For instance, if a company has established compliance programs that were ignored by certain employees, a claim under insurance policies may well be justified. The circumstances of the case, including the knowledge of a company's board and evidence of sound compliance programs, will be relevant.

The UK

In relation to companies which carry on regulated business in the financial services sector, the FSA (now the FCA) included a provision in its rules as long ago as 2004 to make it clear that companies were not allowed to insure in respect of regulatory penalties. But what is the position for non-regulated companies?

The fundamental question is whether the legal doctrine of ex turpi causa (no claim arises from an illegal act) applies.

This is the doctrine which is used to prevent a claim being brought where it is in some way related to the claimant's own illegal act.

Of particular relevance here is the 2011 Court of Appeal case of Safeway –v- Twigger. This arose out of the OFT's investigation into exchanges of pricing information among supermarkets and dairies. It resulted in the OFT imposing a fine of £16.5 million on Safeway. Safeway then brought an action against 11 of its former directors and employees to recover the amount of the fine and the costs it had incurred during the course of the OFT's investigation. Safeway alleged that the directors and employees, in causing Safeway to breach the Competition Act, had acted in breach of their employment contracts and/or fiduciary duties. It was assumed for the purpose of the hearing that the defendants were responsible for the alleged breach. It was also recognised by the court that Safeway's motivation in bringing the claim was to recoup the fine and costs from ex-D&O insurance policies.

It was held that contraventions of the Competition Act were sufficiently serious to engage the ex turpi causa doctrine, and that a penalty imposed under Section 36 of the Competition Act 1998 was akin to a fine. The court further held that Safeway was personally liable for the penalty imposed on it, and once the ex turpi causa doctrine is engaged, it precluded Safeway from seeking to recover from the defendants either the amount of the penalty or the costs incurred during the investigation.

Further comments were made specifically addressing the policy implications of Safeway's claim. It was noted that the policy of the Competition Act (to deter and punish undertakings infringing competition law) would be undermined if undertakings were able to pass on the liability to their employees or the employees D&O insurers.

Although the subsequent Supreme Court case of Jetivia vs Bilton cast doubt on some aspects of the Safeway case, several members of the Court did refer to the public policy aspects of that case approvingly, so it is our expectation that the same analysis would be applied in relation to insurance claims in respect of GDPR fines, whether direct or indirect.