As many of our readers know, the General Data Protection Regulation (GDPR) imposes significant obligations and responsibilities on entities with regard to data protection and privacy for all individuals within the European Union and the European Economic Area. Violations of GDPR can result in fines of up to €20 million, or up to 4 percent of annual global turnover, for the most severe violations, and fines of up to €10 million, or up to 2 percent of global turnover of the preceding fiscal year, for less severe violations—whichever is higher in each case. Given the substantial magnitude of these potential fines, businesses may want to be proactive in determining what resources will be available to them in the event of a GDPR violation.
Varying types of policies will provide different forms of coverage which will often include specific language with regard to what types of fines, if any, will be covered. Generally, under a commercial general liability policy, fines may not be covered. See, Indep. Petrochemical Corp. v. Aetna Cas. & Sur. Co., 944 F.2d 940, 947 (D.C. Cir. 1991) (noting that “[a] fine or penalty, in contrast [to damages], is not understood to be dollar-for-dollar recompense. Rather, it is a pecuniary form of punishment for the commission of an act society finds repugnant and seeks to deter”); Travelers Ins. Co. v. Waltham Industrial Laboratories Corp., 722 F.Supp. 814, 828 (D. Ma. 1988), aff’d, 883 F.2d 1092 (1st Cir. 1989) (“We agree with and adopt fully that portion of the district court opinion holding that because the amount paid by the defendants in the Commonwealth suit was for ‘civil penalties’ not ‘damages’ the payment was not covered by the insurance policy’s ‘damages’ clause.”).
However, under cyber insurance policies, coverage is typically provided for:
[C]ivil fines or penalties imposed by a governmental agency and arising from a Regulatory Action, unless the civil fine or penalty imposed is uninsurable under the law of the jurisdiction imposing such fine or penalty.
Similarly, “Penalties” are commonly defined as:
[A]ny civil fine or money penalty payable to a governmental entity that was imposed in a Regulatory Proceeding by the Federal Trade Commission, Federal Communications Commission, or any other federal, state, local or foreign governmental entity, in such entity’s regulatory or official capacity; the insurability of Penalties shall be in accordance with the law in the applicable venue that most favors coverage for such Penalties.
Given the wide variety of coverages that may be implicated, it will be important for both insurers and insureds to consult the specific language of the policy that is arguably implicated.
In Europe, there are only a few jurisdictions where GDPR fines will be eligible to be covered by insurance. For example, Finland and Norway would generally permit this type of coverage. However, many jurisdictions, like the United Kingdom, would likely not consider a GDPR fine to be insurable, and others would likely endeavor to evaluate the specific conduct at issue and the nature of the fine—i.e., criminal, quasi-criminal, or civil.
As a result of the foregoing, the issue of whether or not a fine will be insurable is likely to be a moving target, depending on the type of policy implicated, the law of the forum jurisdiction, and the conduct at issue. Moreover, as violations are cited and fines are subsequently issued, there is likely to be an evolving body of case law on the issue as well. Insurability of GDPR fines will present an interesting question for insurers, insureds and the courts to tackle in the coming years.