Have $57 million (or more) to spare? You’re going to need it if you run afoul of the EU’s General Data Protection Regulation (GDPR) without cyber insurance.
In late January 2019, the French data protection authority, CNIL, imposed a fine of €50 million—or roughly $57 million—on Google for violations of the GDPR. The fine is the largest imposed under the GDPR since it came into effect in May 2018. The Google fine highlights a couple of things: the GDPR has teeth, and regulators in the EU won’t hesitate to enforce the regulation. Possibly more frightening to companies subject to the GDPR is that the fine was not imposed because of any data breach or disclosure of sensitive information but, rather, on account of Google’s ordinary data privacy practices.
This fine is not only a reminder that companies need to take a close look at their GDPR compliance, but also that they should look into whether their cyber insurance covers GDPR fines and, if not, whether they should purchase such coverage. A year ago—before the GDPR went into effect—we wrote about whether cyber insurance may cover GDPR liabilities. In the wake of the largest fine handed down in the GDPR’s (minimal) history, it is worth examining how the regulation was applied and how cyber coverage may or may not respond.
The GDPR—which applies to companies, regardless of where they’re located, that collect or process personal data of individuals located in EU countries—empowers regulatory authorities to take various enforcement actions, including imposing fines. The regulation provides for a two-tiered sanctions regime that includes aggressive potential fines as follows:
- For breaches of key provisions, fines may be imposed up to €20 million or 4% of global turnover for the preceding year, whichever is higher.
- For less severe breaches, such as procedural infringements, fines may be imposed up to €10 million or 2% of global turnover for the preceding year, whichever is higher.
The regulation describes the types of infractions that could be subject to the higher sanctions category, including, among others:
- Failing to adhere to data processing principles;
- Failing to demonstrate that data subjects consented to collection;
- Failing to provide data subjects with transparent, concise, intelligible and easily accessible information about their data; and
- Failing to provide required information, including the purpose and legal basis for processing, at the time data is collected.
The CNIL fine targeted Google’s ads personalization program. CNIL noted that “essential information” like the data processing purposes, the data storage periods, and the categories of personal data used are “excessively disseminated across several documents” containing various buttons and links. CNIL noted that an individual may have to go through five or six steps to access relevant data privacy information. CNIL also commented that the information provided was not always clear or comprehensive, and users “are not able to fully understand the extent of the processing operations carried out by Google.” The regulator described the stated purposes of data processing as “generic and vague.” CNIL also alleged that Google did not validly obtain users’ consent to process data for ads personalization purposes because consent was not sufficiently informed and was neither “specific” nor “unambiguous.” The regulator again pointed to the difficulty users faced in understanding what they were consenting to, given the confusing way the information was provided, and noted that users were asked to consent in full to all of Google’s processing operations rather than specifically to ads personalization.
So, would your cyber insurance policy cover you if you ended up on the wrong end of a GDPR fine? It depends. Cyber policies commonly cover regulatory fines for violation of privacy laws involving an unauthorized disclosure of personal information (such as a data breach). But regulators can impose fines under the GDPR for various violations of the regulation, including those that do not involve unauthorized disclosure of information—like the fine against Google. If your policy limits coverage for fines to those resulting from a data breach, you may not be covered for certain GDPR fines. GDPR’s far-reaching provisions are a good reason to press for broader coverage for fines when purchasing your next cyber policy.
Moreover, cyber policies often exclude coverage for regulatory fines when they are uninsurable by law. And policies differ with respect to which law is considered in determining whether fines are insurable. Some policies provide that the governing law is the law of the jurisdiction imposing the fine. Other policies direct you to the law of the jurisdiction in which the policyholder is domiciled. Still other policies apply the law of whichever of multiple relevant jurisdictions most favors coverage—the most beneficial formulation for policyholders. In the United States, whether fines are insurable as a matter of law varies by state. Some allow coverage; others do not. The same is true with respect to the law of EU countries, so policies that point to the law of the jurisdiction imposing the fine may not cover GDPR fines.
Aside from these coverage issues, a practical consideration is whether your cyber policy provides sufficient limits to cover a significant GDPR fine. The first-tier fines imposed by GDPR—the higher of €20 million or 4% of the company’s revenue in the prior year—could be enormous for larger companies. The potential severity of a GDPR fine is something companies should consider when deciding how much cyber coverage to purchase.
Finally, companies should be aware that insurers have begun offering GDPR-specific coverage—often as a modification or endorsement to a cyber policy. But companies need to pay close attention to the specifics of the GDPR coverage being offered, as it may not be comprehensive and may not cover all potential GDPR liabilities. Companies looking to purchase GDPR-specific coverage should consult with coverage counsel, review the offered policy language closely, and push for revisions as appropriate.
Companies would be wise to either start thinking about buying or expanding their applicable cyber coverage—or else checking under those couch cushions for that spare $57 million….