On 23 October 2016, the government announced that it would amend the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) in “spring 2017” to give the Information Commissioner’s Office (ICO) the power to fine directors personally, up to £500,000, for nuisance calls. If multiple directors were culpable, then each could be liable for a fine, in addition to any fine imposed on the company.

This reflects the government’s intention to strengthen the ICO’s enforcement powers in order to protect individuals’ rights, and follows the recommendation of the UK Information Commissioner, Elizabeth Denham, at a parliamentary meeting about the Digital Economy Act (passed on 27 April 2017). The Commissioner noted that the ICO had issued a total of GBP 4 million in fines in 2016 but had collected only a small percentage of that figure. The Commissioner welcomed the proposal: “Making directors responsible will stop them ducking away from fines by putting their company into liquidation. It will stop them leaving by the back door as the regulator comes through the front door”.

Increased ICO powers

The ICO does not yet have the power to fine directors, although it recently imposed a fine of GBP 400,000 on TalkTalk, its largest ever fine for a breach of data protection law. Enforcement of the General Data Protection Regulation (“GDPR”) commences on 25 May 2018. This gives the ICO the power to impose fines of up to the greater of EUR 20 million or 4% of worldwide turnover. If personal liability is extended to directors for all data protection breaches (as recommended by the Information Commissioner), it could be extremely costly for the individuals who receive these fines.

Impact on insurance for regulatory fines and the costs of the associated investigations

Insurance cover for fines is typically limited, either by any applicable levels of indemnity or by wording which limits cover for fines and costs “to the extent that they are conclusively determined to be legally insurable”. Whether a cyber policy will cover a fine imposed by the regulator following, for instance, a data breach depends on what is meant by “legally insurable”. The difficulty with insuring fines arises from the law on public policy (often referred to, by lawyers at least, as the ex turpi causa rule). Broadly speaking, this prevents companies and individuals from negating the deterrent effect of fines for wrongful conduct by insuring their exposure. The application of the rule to criminal behaviour is clear. However, the position becomes more difficult in respect of behaviour which is wrongful without being criminal. In addition, it is not simply the fine that poses a risk to the assured, as the costs of responding to the regulator’s investigation could also be significant.

There is currently no precedent which establishes how a fine flowing from a breach of data protection legislation may be treated; however, Safeway v Twigger (2010)[1] suggested that the ex turpi causa principle can be engaged by conduct which reaches a certain level of moral turpitude falling short of criminal behaviour. Although the case law is not entirely clear cut, it is likely that conduct falling short of deliberate or reckless (and possibly negligent) acts will not be sufficient to engage the principle. The GDPR, as well as the current form of the Data Protection Act 1998, focuses on the nature of the conduct in question when considering whether to impose a fine, and provides that, when fines are assessed, the nature of the conduct will be taken into account in setting the level of the fine[2]. It is therefore possible that the most serious fines under the GDPR will not be recoverable, but each case will of course turn on its own facts.

With the scale of fines about to increase dramatically beyond current levels (up to 4% of worldwide turnover under the GDPR), insurers may wish to review their policy wordings and sub-limits on fines and the associated investigation costs, and consider their approach for future policy years.