
Thursday, November 19, 2020

Brazilian LGPD & European GDPR Compared


Brazil’s General Data Protection Law (Lei Geral de Protecao de Dados or LGPD), a law with many similarities to the European Union’s General Data Protection Regulation (the “GDPR”), is now effective.  On April 29 of this year, Brazil’s President issued Provisional Measure 959 that, amongst other things, postponed the effective date of the LGPD, which was originally set to be effective August 2020, to May 3, 2021.  Brazil’s Chamber of Deputies amended the measure so that the LGPD would take effect in December 2020.  The Senate then decided that any postponement was void because the effective date had already been decided by Congress.  The amended measure was sent to the President for his signature, giving him until September 17, 2020 to either sign the measure, which would make the law effective as of the original effective date, or veto it.  The President sanctioned the law and the LGPD is now effective.  Although the law has taken effect, the LGPD’s enforcement provisions take effect August 1, 2021 (in Portuguese), and the provisions will be enforced by Brazil’s data protection authority, a Autoridade Nacional de Proteção Dados Pessoais (the “ANPD”), which the President established by decree in August (in Portuguese).  However, the LGPD’s private right of action for violations of data subjects’ rights is effective now.  Businesses should continue to take steps to comply with the statute given its effective date and private right of action, and should prepare now for when administrative sanctions become enforceable next year.

Businesses that are GDPR compliant may be well on their way to achieving compliance with the LGPD given the similarities between the legal frameworks.  Yet, businesses should be mindful of several differences that may impact how they adjust their GDPR compliance programs to meet the requirements of the LGPD to the extent that businesses process data applicable to both regimes.

At a glance. This post highlights some of the material provisions of the LGPD and compares them to their equivalents in the GDPR.

Applicability.  Similar to the GDPR, the LGPD applies broadly to a wide range of data processing activities, data subjects, and their information.

  • The GDPR applies to the processing of personal data if such data is processed in the EU or if the purpose of the processing is to offer goods or services to or monitor the behavior of EU residents.  Arts. 2 and 3 GDPR.
  • The LGPD applies to the processing of personal data if such data is processed in Brazil, the purpose of the processing is to offer or provide goods or services to Brazil residents or the personal data processed belongs to Brazilian residents or was collected in Brazil.  Art. 3 LGPD.

Lawful Processing of Non-Special Categories of Personal Data.  Businesses likely will be able to process data under the same legal bases provided under the LGPD and the GDPR.

  • Under the GDPR, the processing is lawful if the data subject has consented or processing is necessary to perform a contract, comply with legal obligations, protect a natural person’s vital interests, act in the public interest, or achieve a legitimate interest of the controller or third party under certain conditions.  Art. 6 GDPR.
  • The LGPD includes all of the legal bases for processing listed under the GDPR.  In addition, the LGPD provides that controllers may process personal data specifically to exercise rights in judicial, administrative or arbitration procedures and to protect credit.  Art. 7 LGPD.

Lawful Processing of Special or Sensitive Categories of Personal Data.  Although the LGPD and the GDPR share several legal bases for processing sensitive information, the LGPD does not allow businesses to process such data under the bases identified under GDPR for legitimate activities of nonprofit entities and public data.

  • Under the GDPR, the processing of special categories of personal data is prohibited unless (i) the data subject has consented; (ii) data is processed under certain conditions in the course of legitimate activities of nonprofit entities in connection with their purposes; (iii) processing relates to data made public by the data subject; or (iv) processing is necessary to comply with employment, social security or social protection law, to protect the vital interest of natural persons, to exercise or defend legal claims or for public interest reasons, including those related to public health or research purposes.  Art. 9 GDPR.
  • The LGPD allows processing of sensitive categories of personal data if the data subject consents or processing is necessary for (i) the controller to comply with a legal obligation; (ii) shared processing of data when necessary by the public administration for the execution of public policies; (iii) research purposes; (iv) exercising rights, including in connection with a contract and in a judicial, administrative or arbitration proceeding; (v) protecting vital interests of a data subject or a third party, including health in a medical procedure; or (vi) preventing fraud and protecting the security of the data subject.  Art. 11 LGPD.

Data Subject Rights.  The LGPD provides to data subjects the right to data anonymization in addition to the other rights provided under the GDPR and requires businesses to respond to rights requests within fifteen (15) days.

  • Under the GDPR, data subjects have the right to access, rectification, erasure, restriction, data portability, and objection, and the right against automated decision-making.  Chp. 3 GDPR.
  • In addition to the rights provided under the GDPR, the LGPD provides data subjects the right to request that their data be anonymized.  Art. 18 LGPD.  However, in response to a request to delete under the GDPR, controllers may anonymize data because, similar to the LGPD, anonymized data is not considered personal data under the GDPR.

Children’s Personal Data.  The LGPD has a broader requirement than the GDPR to obtain consent for processing children’s personal data and extends heightened protection to children whose personal data is processed similar to the GDPR.

  • Before collecting personal data of children who are younger than sixteen (16) years of age, the GDPR requires controllers to obtain the consent of a child’s legal guardian subject to certain exceptions.  Any information directed to children should be provided using clear and plain language.  Art. 8 GDPR.
  • The LGPD broadly requires controllers to obtain the consent of a legal guardian before processing children’s data.  Information directed towards children needs to be appropriate for the children’s understanding.  Art. 14 LGPD.

International Transfer of Data.  The LGPD provides similar mechanisms to the GDPR for transferring personal data to third countries and international organizations.  Unlike the GDPR, the LGPD does not provide a list of specific derogations but many are covered by the law.

  • The GDPR allows the transfer of personal data to a third country or an international organization on the bases of (i) an adequacy decision, (ii) appropriate safeguards such as binding corporate rules, standard contractual clauses, and approved codes of conduct and certification mechanisms, (iii) an international agreement; and (iv) derogations for specific situations, which includes when the transfer is made from a register intended to provide information to the public or by any person on the basis of legitimate interests.  Chp. 5 GDPR.
  • The LGPD allows the international transfer of personal data on the bases of (i) an adequacy decision, (ii) compliance with the LGPD as shown through contractual clauses, global corporate rules, and stamps, certificates and codes of conduct, (iii) international agreements and cooperation, (iv) the vital interest of the data subject or a third party; (v) ANPD approval, (vi) public interest; and (vii) data subject consent.  Art. 33 LGPD.  Unlike the GDPR, the LGPD does not provide for international transfers on the basis of a register intending to provide information to the public or legitimate interests as provided under the GDPR.

Controller and Processor Obligations.  Generally, the LGPD has similar controller and processor obligations to the GDPR, with differences in data record maintenance, data protection impact assessments, and the appointment of data protection officers.

  • Under the GDPR, controllers and processors are required to maintain records of data processing activities; implement appropriate technical and organizational measures, including data protection policies, to protect personal data; conduct data protection impact assessments in certain circumstances; provide notice of data breaches to supervisory authorities and data subjects; and designate a data protection officer under certain conditions.  Chp. 4 GDPR.
  • Similarly, the LGPD requires controllers and processors to maintain processing records; adopt security, technical and administrative measures to protect personal data; conduct data protection impact reports upon the ANPD’s request; provide notice of certain security incidents; and appoint a data protection officer.  Chp. IV §§ I and II; Chp. VII §§ I and II; and Art. 41 LGPD.

Security Breach Notifications.  The LGPD has a lower threshold than the GDPR for providing notice of security incidents and a potentially longer timeframe than the GDPR in which to provide notice to regulators.

  • Under the GDPR, controllers are required to provide notice (a) to supervisory authorities within seventy-two (72) hours unless the security incident is unlikely to result in a risk to data subjects and (b) to data subjects without undue delay if the security incident is likely to result in a high risk to the data subjects.  Arts. 33 and 34 GDPR.
  • The LGPD requires businesses to notify within a reasonable amount of time the ANPD and affected data subjects if the incident may cause harm to data subjects.  Art. 48 LGPD.

Administrative Sanctions.  The LGPD imposes significantly less severe fines than the GDPR since they are based on businesses’ revenue in Brazil as compared to fines based on businesses’ revenue worldwide as provided under the GDPR.

  • Under the GDPR, controllers and processors may be subject to a fine of two percent (2%) of worldwide revenue up to 10,000,000 EUR for lower-level violations and four percent (4%) of worldwide revenue up to 20,000,000 EUR for higher-level violations.  Art. 83 GDPR.
  • Under the LGPD, controllers and processors may be subject to a fine of up to two percent (2%) of revenues in Brazil up to a total of R$ 50,000,000.  Art. 52 LGPD.

Law enforcement

In the case of Brazilian law, the supervisory authority is referred to as the ANPD (National Data Protection Authority) (Article 55). In the case of GDPR, it's the European Data Protection Board (Article 68).

To Conclude

In practice, if your company is already GDPR compliant, it can easily be LGPD compliant as well, and vice versa. There is a very visible convergence between the LGPD and the GDPR. But a privacy lawyer or law firm needs to evaluate your legal risk and compliance based on emerging case law. Also, the fact is that both laws still need time to gain maturity and to be better evaluated.

For training on LGPD in comparison with GDPR or any privacy or Data Protection Laws with case studies around the World email: info@cyberlawcosulting.com

 

What’s Changed in the CPRA? The California Privacy Rights Act of 2020


The California Privacy Rights Act of 2020 (CPRA) is the law now. With some exceptions, the CPRA expands the privacy protections afforded under the current California Consumer Privacy Act of 2018 (CCPA), giving consumers more rights over their personal information and requiring greater transparency and obligations from businesses. Beyond new rights, the CPRA establishes a privacy enforcement agency - the California Privacy Protection Agency - that would be the first-of-its-kind state agency dedicated to privacy enforcement. The CPRA also reaches areas of digital privacy untouched by the CCPA, including dark patterns, behavioral advertising, and profiling.

In addition to these remarkable changes, the CPRA significantly amends existing rights and responsibilities presently enforced under the CCPA. The CPRA’s amendments serve to clarify ambiguous areas of the CCPA and, if passed, will better align the law’s text with its intent. By understanding these changes now – and not waiting until the new law takes effect – businesses will gain a leg up on meeting their existing compliance obligations under the CCPA while priming themselves for the future of privacy enforcement under the CPRA.

So, what’s new in the CPRA? A lot more than you think. Definitions are a good place to start. 

New Definitions

The CPRA adds new defined terms and clarifies existing ones.

New Terms added

Among the new terms added in the CPRA – and not currently defined in the CCPA – are:

  • Consent
  • Contractor
  • Cross-context behavioral advertising
  • Dark pattern
  • Household
  • Intentionally interacts
  • Non-personalized advertising
  • Profiling
  • Security and integrity 
  • Sensitive personal information
  • Sharing

A few of these new terms warrant a closer look, in order of significance. 

Sharing. The most significant addition might be the inclusion of “sharing,” defined as the disclosure of personal information to a third party for purposes of cross-context behavioral advertising (itself a new defined term), also known as targeted or interest-based advertising. “Sharing” therefore includes activity commonly viewed as fitting the definition of a “sale” under the current CCPA, although this has been a gray area of the law. CPRA helps resolve this ambiguity by regulating the activity in its own right, and, as explained below, granting consumers identical rights as they have with regard to a “sale” of their personal information. A business that has sat on the sidelines during the initial months of CCPA enforcement and declined to call this type of sharing a “sale” is well-advised to treat it as such given that CPRA makes clear that consumers are entitled to have a say when their personal information is used for this purpose.

Contractor. Perhaps easily overlooked, “contractor” may not mean what you think it does. Under CPRA, a contractor is similar to a service provider in that a contractor is not a third party, and it is bound by a written contract limiting its use of personal information that a business discloses to it. However, rather than processing information for the business, a contractor is a person to whom the business makes available personal information for a business purpose. The significance of this seemingly subtle distinction is not immediately apparent. But the big takeaway is that the cast of characters under CPRA would include: the consumer; the business; service providers; contractors; and third parties.

Sensitive personal information. One of the most significant changes in the CPRA is that it adds an entirely new category of personal information – sensitive personal information – the collection of which triggers new rights and obligations described below. Sensitive personal information includes the contents of a consumer’s mail, email and text messages (unless the business is the intended recipient of the communication), a consumer’s genetic data, racial or ethnic origin, and personal information collected and analyzed concerning a consumer’s sex life or sexual orientation, among others. This change will better conform California’s privacy law to the GDPR, which similarly recognizes a special class of highly sensitive personal data.

Profiling. “Profiling” relates to automated processing of personal information used, for example, to analyze or predict aspects concerning a person’s performance at work, economic situation, personal preferences, and more. Like sensitive personal information, the regulation of profiling – which will be forthcoming as the CPRA only references, but does not establish, the new rules – would likewise conform California privacy law to more robust protections afforded by GDPR.

Dark pattern. Along with the newly defined term “consent” - a term relevant any time an opt-in is required, such as for selling or sharing the personal information of consumers under 16 years old - is the prohibition on obtaining consent through manipulation via the use of “dark patterns,” or user interfaces designed to impair user autonomy.

Changes To Existing Terms

In addition to adding new definitions, the CPRA amends defined terms that already exist in the current CCPA. Of these changes, the following are most significant.

Business. The thresholds for a business to be subject to regulation under the law would include buying, selling or sharing the personal information of 100,000 or more consumers or households. This amends - and relaxes - the previous threshold related to 50,000 or more consumers, and clarifies that (1) collection alone does not trigger this threshold, and (2) devices do not count toward the number of consumers, as they did under CCPA. Notably, the amended definition of “business” also expressly contemplates voluntary self-certification with – and agreement to be bound by – the CPRA for businesses that do not meet any of the threshold requirements. Self-certification might become a future badge of honor for businesses of all sizes – and consumers may come to expect compliance, regardless of annual revenue.

Business purpose. The CPRA’s amendments somewhat clarify the CCPA’s vague reference to “short-term, transient use” and add a new business purpose of “providing advertising and marketing services.” The new purpose expressly excludes cross-context behavioral advertising, meaning that such advertising is not considered a “business purpose” under the law.

Deidentified. The CPRA substantially revises this definition to address that de-identified information cannot be used to make inferences about the consumer. The new definition requires a public declaration by the business that it will maintain and use the information in the deidentified form and contractually requires any recipients to comply with this.

Personal information. This definition is largely the same except that, as amended, it applies to information that is “reasonably capable of being associated with” a consumer, which weakens the required connection between the consumer and the information. Practically speaking, however, this change is unlikely to have a big impact. The amended definition also, of course, includes the additional category of sensitive personal information described above.

Significantly, the CPRA excludes certain additional information from “personal information”:

  • Lawfully obtained, truthful information that is a matter of public concern. This exclusion appears to exempt speech protected under the First Amendment. 
  • In addition, “publicly available” information excluded from the definition of “personal information” would include – in addition to information lawfully made available in government records – information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media, or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience.

Under these new exclusions, it appears that a business would no longer need to disclose when it collects widely available information such as a consumer’s social media handle or online profile.

Sell. The definition of “sell” includes several changes, but the most notable is the removal of the service provider exception. That exception, however, no longer appears necessary, as the definition now only pertains to disclosures of information involving third parties – and therefore, not service providers or contractors. It still is not clear under the CPRA whether all disclosures of information to third parties necessarily constitute a “sale” of information. Arguably they would not, as the definition retains the requirement of “monetary or other valuable consideration.”

Service provider. Under CPRA, service providers can be legal or natural persons - a change from CCPA, which applies the term only to legal entities. The amended definition expressly precludes a service provider from selling or sharing personal information a business discloses to it – a change that harmonizes the law’s text with its clear intent – and prohibits service providers from combining information received from a business with the information they receive from another business or from the service provider’s interaction with the consumer. The amended definition, however, references future regulations that will allow for certain exceptions to this rule for limited business purposes.

New Rights

It’s no secret that the CPRA creates several new privacy rights for consumers. Here they are:

Right to Correct Inaccurate Information. This right is self-explanatory, but notably the law endeavors to balance the consumer’s right with burdens on businesses by simply requiring businesses to use “commercially reasonable efforts to correct the inaccurate information.”

Right to Access. This is actually a right that already exists under the CCPA - the right to know specific pieces of information a business has collected about a consumer - but the CPRA introduces the new “access” terminology, which helps distinguish a request for specific information from a general request for categories of personal information.

Right to Opt-Out of Sharing. Along with the new concept of “sharing” information for purposes of cross-context behavioral advertising is the consumer’s right to opt-out of such sharing.

Right to Limit Use and Disclosure of Sensitive Personal Information. Alongside the establishment of “sensitive personal information” is the consumer’s right to limit a business’s use of such information specifically where the information is used to infer characteristics about a consumer. This new right would not apply when a business uses sensitive personal information for purposes other than inferring characteristics.

New Responsibilities

The CPRA makes numerous changes to the compliance obligations of businesses. Here’s a rundown of the more meaningful ones.

Privacy Principles

  • Like the guiding principles of the GDPR, the CPRA injects certain reasonableness and proportionality standards into the law. Specifically, a business’s collection, retention, and disclosure of personal information must be necessary and proportional to achieve the intended purpose for collecting and processing it.

Notice at Collection

  • The CPRA clarifies that if a business involuntarily accesses personal information, it need not provide notice of that collection at or before the point of collection.
  • If a business collects sensitive personal information, it must disclose that fact.
  • A business must disclose not only the business purposes for which it collects personal information, but also the purposes for which it sells or shares it.
  • A business must disclose the length of time it intends to retain information collected, or, if not feasible to do so, the criteria used to determine the length of time.

Contractual Requirements

  • CPRA imposes obligations on businesses to have in place contractual agreements with not only service providers and contractors, but also third parties to whom the business sells, or with whom the business shares, personal information.
  • The law makes clear that a business generally will not be liable for any violations committed by these other parties if such agreements are in place.
  • The CPRA requires that the contract cover several grounds, including compliance with CPRA and granting the business the right to ensure that the service provider, contractor, or third party is using personal information in a manner consistent with the business’s obligations under the CPRA. In this way, the CPRA contemplates annual audits and similar automated or manual checkups by businesses.

Security Procedures

  • The CCPA currently includes a private right of action for security breaches and references definitions and rules set forth in a different part of the Civil Code – Section 1798.81.5. CPRA adds a new requirement for businesses that collect personal information: they must implement reasonable security measures to prevent unauthorized access or disclosure of personal information in accordance with Section 1798.81.5. This change more closely links the law’s affirmative requirements with the private right of action it establishes.

Handling a Request to Delete

  • Businesses are required to notify not only service providers and contractors, but also third parties, about deletion requests - triggering those parties’ obligation to delete information in their possession, and directing their service providers and contractors to do the same - unless it proves “impossible or involves disproportionate effort.”
  • The CPRA removes the general, catchall exception to deletion that currently exists under the CCPA at Section 1798.105(d)(9). Arguably, this exception was overbroad, unnecessary, and abuse-prone to begin with.

Handling a Request to Know

  • Under the CPRA, a business may comply with a consumer’s request to know when it seeks categories of information regarding collection by including such disclosures in its online privacy policy, so long as the information would be the same as for the requesting consumer. 
  • However, it does not appear that a business can satisfy its right to know obligations related to sharing and selling (if the business sells or shares personal information) via its online privacy policy only. The business must still respond to individualized requests.
  • In response to individual consumer requests, a business must disclose categories of third parties involved in selling or sharing, and also categories of service providers and contractors. This clarifies an ambiguous area of the CCPA, which appears to require that businesses categorize third parties only.

Handling Opt-Outs

  • As noted above, businesses that “share” information must respect the same consumer opt-out rights that exist for a “sale” of personal information under the CCPA. Relatedly, the CPRA also requires businesses to include a “Do Not Sell or Share My Personal Information” link on their homepage where consumers can exercise this right.
  • Similarly, a business that collects sensitive personal information must also provide a clear and conspicuous link titled “Limit the Use of My Sensitive Personal Information.”
  • Significantly, the CPRA gives businesses an alternative manner of satisfying these “conspicuous link” requirements: they can allow consumers to opt-out through an opt-out preference signal sent with the consumer’s consent by a platform, technology, or mechanism based on forthcoming technical specifications to be published by the Office of the Attorney General.

Exemptions

  • The CPRA adds new provisions permitting exemptions from the law where necessary to comply with court orders, subpoenas, and directions from law enforcement, including in emergency situations.
  • The CPRA clarifies how the exemption for the Fair Credit Reporting Act applies and adds an exemption for the Federal Farm Credit Act of 1971.
  • It also adds exemptions for discrete circumstances involving education information and where a business has incurred a financial expense in reliance on a consumer’s consent to create a physical object, like a yearbook, or where compliance with a request to delete or opt-out would not be commercially reasonable.
  • Importantly, the CPRA makes clear that the B2B exemption - which CPRA would extend to January 1, 2023 - would not apply to opt-out or non-discrimination rights.

Passage of the CPRA is sure to trigger a new set of compliance questions, such as how to meet CCPA obligations until CPRA is enforced, what to do until new regulatory guidance is issued, and how a business can navigate through differences in the two laws.

For training in CPRA, GDPR, or in any Privacy / Data Protection Laws across the world with certifications from CLC email: info@cyberlawconsulting.com

Thursday, November 2, 2017

Can GDPR Fines be covered under Cyber Insurance in India?

By Prashant Mali, 
Cyber Law & Privacy Expert.
Cyber policies usually grant cover for civil fines provided that these fines are “insurable at law”.
Where insurance for fines and penalties is available, this is usually as part of an operator’s general liability policy (although, as set out above, there is no general rule and some such policies routinely exclude such cover). In addition, prudent directors of port and terminal operators who are faced with the possibility of personal exposure to civil fines will take steps to ensure that their D&O policy will cover them if they are investigated personally.

Example Policy Terms
Insurance coverage is available for fines and penalties. A popular form of cyber insurance includes, as an item of covered loss:
[C]ivil fines or penalties imposed by a governmental agency and arising from a Regulatory Action, unless the civil fine or penalty imposed is uninsurable under the law of the jurisdiction imposing such fine or penalty.

Another popular policy form provides coverage for "Penalties," defined as:
[A]ny civil fine or money penalty payable to a governmental entity that was imposed in a Regulatory Proceeding by the Federal Trade Commission, Federal Communications Commission, or any other federal, state, local or foreign governmental entity, in such entity's regulatory or official capacity; the insurability of Penalties shall be in accordance with the law in the applicable venue that most favors coverage for such Penalties.

Based on these definitions (which are typical), several features are prominent:
  • The fines or penalties must be "imposed by" a governmental agency.
  • The fines or penalties must be insurable under the applicable law.
  • The fines or penalties must be paid to a governmental entity or to a consumer redress fund.

While it is not an inbuilt coverage, fines and penalties can be covered under a D&O policy by suitably modifying the definition of loss or in another appropriate manner. Reproduced below is one of the definitions as found in the policy wording.

“Loss also includes civil and administrative fines and penalties, awarded against Insured Persons, to the extent such are insurable by law, and the multiplied portion of multiple damages”

There is no express law in India including Companies Act, 2013 which declares any fine and penalty as uninsurable.

Section 197(13) of the Companies Act, 2013 is reproduced below:
“(13) Where any insurance is taken by a company on behalf of its managing director, whole-time director, manager, Chief Executive Officer, Chief Financial Officer or Company Secretary for indemnifying any of them against any liability in respect of any negligence, default, misfeasance, breach of duty or breach of trust for which they may be guilty in relation to the company, the premium paid on such insurance shall not be treated as part of the remuneration payable to any such personnel:
Provided that if such person is proved to be guilty, the premium paid on such insurance shall be treated as part of the remuneration.”
Surprising as it seems, there appears to be no section in the Companies Act, 2013 which prohibits indemnification of any nature.

It needs to be clearly understood that, as in the case of other payments, prior approval of the insurance company is a prerequisite for claiming this loss. One of the policy wordings is reproduced below. A provision relating to non-admission of liability is present in all policy forms, although the language may vary from insurer to insurer.

“The Insured shall not admit or assume any liability, enter into any settlement agreement, or consent to any judgment without the prior written consent (which shall not be unreasonably delayed or withheld) of the Insurer. Only liabilities, settlements and judgments resulting from claims defended in accordance with this policy shall be recoverable as a loss under this policy”

It is good for directors to seek, in their letter of appointment, appropriate and adequate indemnity provisions – indemnity against all losses and expenses incurred by them in relation to the discharge of their duties unless such loss/expense is caused by their own deliberate and malicious actions. It pays to be explicit and have more inclusive provisions.

Insurability
A looming question in the case of insurance for fines and penalties is whether such items can be insured despite policy language expressly providing for such coverage. As with the insurability of punitive damages, there is no uniform view. However, one can make several general observations:
  1. Fines or penalties that are based on intentional or willful conduct are likely to be challenged by the insurer based upon public policy arguments.
  2. Fines or penalties that are "punitive" in nature are more likely to be challenged by the insurer than those that are "compensatory" in nature.
  3. Penalties that are assessed vicariously against a policyholder (such as when a corporation is held liable for an unauthorized act of its employee) are less likely to be challenged.
Case law exists under a variety of statutes, and in a variety of state and federal jurisdictions, that assesses whether particular fines or penalties are punitive or compensatory, or are insurable. Cyber policies address insurability through choice of law and choice of venue. As can be seen from the example language quoted above, there are two basic approaches:
  1. One version permits coverage except to the extent that the law of the jurisdiction imposing the penalty forbids such coverage;
  2. The other version permits coverage so long as the most favorable applicable venue permits such coverage.
Under conventional choice of law procedures, an "applicable venue" is likely to be one that has some sort of relationship to the parties or to the underlying facts. A standard provision for punitive damages directs that the applicable law is
"the law of the jurisdiction most favorable to the insurability of such [punitive] damages, provided such jurisdiction has a substantial relationship to the relevant Insured, to the Company, or to the Claim giving rise to the damages."
This type of formulation appears to provide more flexibility for coverage of such penalties than one in which the penalty-imposing jurisdiction is selected.

International variation
Internationally, the position in other jurisdictions is likely to be similar, albeit with some noteworthy differences. For example, it is common in Australia for cover to be provided in respect of civil fines, and some insurers have extended liability insurance to include criminal fines imposed in circumstances other than where the insured has behaved in a reckless manner (or worse). Whether or not such policies are legally enforceable remains a hotly contested issue, but despite the difference in approach from the English position, the underlying public policy issues are the same.
In the US, a number of products are available which provide cover in respect of investigations under the Foreign Corrupt Practices Act, although in keeping with the policy considerations described throughout this article, cover is limited to the costs of such an investigation and coverage for any fines or penalties is specifically excluded.
In the UK, the leading case on whether regulatory fines are “insurable at law” is the decision of the Court of Appeal in Safeway Stores Ltd v Twigger [2010] EWCA Civ 1472. In this case, pursuant to the Competition Act 1998, the Office of Fair Trading issued a regulatory fine against Safeway. As a result, Safeway sued its own directors in order to claim under their D&O policy.
The First Instance Judge, Flaux J, noted that:
“…the real target of the present claim is not the assets of the individual defendants, many of whom are of modest means, but the directors’ and officers’ liability insurance available to the defendants…”
Flaux J, after reviewing the previous authorities, held that the “illegality defence” applied to the regulatory fine relating to the breach of the Competition Act 1998.  The breach was held to be sufficiently serious and “morally reprehensible”, even where it had been committed without intention.

Although potential exposure to fines and penalties is an important risk management consideration for port and terminal operators, it appears that the extent to which insurance for liabilities of this nature can be obtained is limited, at least in England and Wales. It is clear that as a matter of English law, criminal fines and penalties cannot be insured for public policy reasons and, although there is no law in this area, similar considerations are likely to apply in the case of civil fines, so that these will only be insurable where the conduct in respect of which they are incurred does not involve deliberate wrongdoing.
The ex turpi causa maxim means that even where such cover can be obtained, an insured will be precluded from making a claim if the conduct to which the fine or penalty attaches involved intentional or negligent conduct.

Conclusions
Legally: While many insurance policies provide cover so far as insurable by law the reality is that GDPR fines themselves will likely not fall for cover. There may be cover for the costs associated with complying with, defending or appealing investigations from the ICO. And insurers may, of course, elect to pay out an amount in respect of the fine (potentially leading to issues in respect of reinsurance recovery). Note, also, that Bermuda legislation does not prohibit passing on liability for fines and may therefore provide some excess options worth considering.
Commercially: Regardless of any debates around the legal position in coverage of fines, the commercial reality is that the value of cyber cover comes in the knowledge and expertise that can be provided by the insurer, particularly in terms of responding to a data security breach. Cyber policies will generally cover systems failure, data restoration, as well as third party claims for damages for lost data or breaches of security and privacy and may also cover amounts paid in response to cyber extortion. Crucially, they will usually also provide access to necessary and pre-approved vendors and a package of cover that includes: 
  • pre-breach offerings; 
  • disaster recovery costs; 
  • communication and notification costs; 
  • paying for forensic investigations to determine the cause of the breach; 
  • legal advice; 
  • engaging experts to manage public relations and protect the company's reputation; 
  • lost income and payroll as a result of a breach; and 
  • credit monitoring for customers.
Of course, insurance can be no substitute for robust data protection policies - and the potential to be on the wrong end of a GDPR penalty makes it all the more important for companies to invest in such policies and procedures. However, in today's climate of increased cybercrime, it is vital for businesses to arrange cyber cover and to partner with insurers in order to assess their exposures and be in a position to respond swiftly and effectively as and when a security breach occurs. Just don't have an unrealistic expectation that it will provide indemnification in respect of any GDPR fines.
