Are fines imposed by the Luxembourg Data Protection Authority for breach of data protection regulations insurable?
There is no shortage of recent examples of cyber-attacks and the current COVID-19 pandemic is undoubtedly contributing to an intensification of this phenomenon1. While such attacks can be devastating for a company and paralyse its operations, they can also be accompanied by personal data breaches within the meaning of the General Data Protection Regulation2 (GDPR) that may give rise, on the one hand, to an investigation on the protection of personal data carried out by the competent administrative authority and, on the other hand, to pecuniary sanctions at the end of that investigation.
In Luxembourg, the Luxembourg Data protection Authority (the “CNPD”) has in particular3 the power to impose substantial administrative fines in the event of a breach of the applicable data protection regulations, the amounts of which may be as high as EUR 20 million or 4% of a company's annual turnover, whichever is higher4.
Given the level of fines and the economic stakes for businesses, the question of insurability of such fines is of definite practical interest. While there has been the development of so-called "cyber-risk" insurance contracts whose purpose goes well beyond compensation for damage suffered by the insured and/or caused to third parties, but also aim to offer a genuine crisis management solution, an analysis of existing clauses shows a certain hesitation on the part of insurers to offer cover of financial penalties imposed by an administrative authority.
By way of illustration, an extract from the general terms and conditions of a cyber-risk insurance issued by a Luxembourg provider concerning this issue states:
“DATA PROTECTION FINES
The insurer will pay to or on behalf of any insured all data protection fines which are legally insurable in the most favourable jurisdiction, and that the insured is legally liable to pay upon the conclusion of a regulatory investigation by a regulator for an infringement of the data protection legislation”.
By referring to an expression such as "which are legally insurable in the most favourable jurisdiction" in the context of fines imposed by an administrative authority, the insurer thus intends to protect itself against legislation, or even case law, which would enshrine the uninsurability of such sanctions.
The question of whether the hesitation of the insurers is well-founded requires a review of the applicable laws and related case law.
Under Luxembourg law, insurance contracts are governed by the amended law of 27 July 19975 which is itself based on the Belgian law of 25 June 1992 on non-marine insurance contracts6. Both Luxembourg and Belgian laws are silent on the question of the insurability of administrative fines.
Only the principle of the uninsurability of criminal sanctions is expressly provided for in Article 977 which states: "No fine or penal transaction can be the subject of an insurance contract, except for those which are borne by the civilly liable person".
This prohibition to insure such fines is a matter of public policy and derives from Article 6 of the Luxembourg Civil Code which provides that: "No derogation may be made, by special agreements, from laws which concern public order and morality". As the specific doctrine clearly expresses it, "When, traditionally, it is explained that insurance cannot run counter to criminal sanctions, it is because in this case it would call into question the personal scope of criminal sanctions, which are a matter of public policy embodied here by the decisions of the public service of justice. (...) Fines imposed by a criminal court and the related costs are never covered by insurance, as there is a public policy prohibition on compensating criminal debts. Indeed, these debts are personal and are therefore attached to the convicted person, who is the only person who can pay them”8.
It is also on the basis of this same ground of violation of public order that the majority of case law and doctrine have traditionally concluded that administrative sanctions are in principle uninsurable. In this respect, a judgment of the French Court of Cassation9 adds a nuance to this categorical view: public policy is no longer the basis to be taken into account in order to exclude the insurability of such fines, but rather the criterion of the intentionality of the act. In other words, pursuant to this judgment, administrative penalties would no longer be "uninsurable per se, but would be so only if the act giving rise to them was committed intentionally. One could then consider a policy that would stipulate that only administrative sanctions that did not result from an intentional fault would be covered. It is indeed theoretically possible to have an administrative sanction without intentional fault"10.
In this spirit, administrative fines would therefore be insurable provided that the infringement giving rise to such sanctions was not intentional. This view seems to us to be authorised by Luxembourg law on insurance contracts insofar as, as we have seen above, the law does not in any way regulate the question of the insurability of administrative penalties. It nevertheless declares the consequences of intentional or fraudulent fault uninsurable by stating that "Notwithstanding any agreement to the contrary, but without prejudice to Article 103 point 1, the insurer may not be required to provide cover in respect of any person who has caused the loss intentionally or fraudulently"11. The deliberate or non-contingent nature of an intentional or fraudulent breach explains the penalty imposed by the legislator.
Although the French Court of Cassation seems to be paving the way and pleading in favour of the insurability of certain administrative fines or, at the very least, the rejection of the systematic uninsurability of such sanctions, it seems to us that another element must be taken into account before a conclusion can be reached concerning the particular case of fines imposed by the CNPD.
As indicated above, Luxembourg law enshrines the uninsurability of criminal sanctions. Consequently, if, by its nature, the sanction imposed by the CNPD is of a criminal or quasi-criminal nature, it could not be covered by insurance.
To our knowledge and to date, there is no normative text or case law dealing specifically with the (quasi-)criminal or non-penal nature of an administrative fine imposed by the CNPD.
In order to determine whether or not an administrative sanction – such as that imposed by the CNPD – is of a (quasi-)criminal nature, an analysis of the so-called "Engel" criteria identified by the European Court of Human Rights12 and used to determine, on the one hand, what actually falls within the scope of a criminal charge and, on the other hand, what the scope of the ne bis in idem principle13 is, is relevant. These three criteria are as follows:
- the classification of the offence under national law;
- the nature of the offence; and
- the degree and severity of the sanction.
In this respect, we can only agree with the analysis made by the doctrine with regard to the GDPR: "as explained by the doctrine based in particular on the Grande Stevens v. Italy case law of the European Court of Human Rights, the sanctions provided for in the Regulation meet these three criteria, since the sanctions are administrative sanctions under the Regulation, they are intended to have a deterrent and repressive effect and to protect the general interest, and the amounts of the fines reflect an undeniable severity. These elements sufficiently convince of the penal nature of the sanctions provided for by the Regulation, at least of the fines. It follows that the administrative fines imposed by the CNPD should be subject to some of the procedural guarantees applicable in criminal matters (...)"14.
The fine imposed by the CNPD, in that it meets the three Engel criteria and is therefore of a criminal nature, must therefore be subject to the same rules and principles as those governing criminal sanctions. This leads us to conclude that currently such an offence is uninsurable under Luxembourg law currently in force15.
1 INTERPOL, Analysis report “Cybercrime: COVID-19 impact”, available on www.interpol.int, 19 August 2020.
2Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
3See Article 58 of the GDPR for a complete list of powers granted to supervisory authorities. See also the CNPD Regulation on the investigation procedure adopted by Decision No. 4AD/2020 dated 22 January 2020, in application of Article 40 of the Law of 1 August 2018 on the organisation of the National Commission for Data Protection and the general data protection regime.
4 Article 83 (5) of the GDPR.
5 Law of 27 July 1997 on insurance contracts, Official gazette of the Grand Duchy of Luxembourg, Mémorial A, n° 65, p. 2048.
6 Presently, law of 4 April 2014 on insurance.
7 Article 91 of the Belgian law.
8 N. HÉLÉNON et C. HESLAUT, « Données personnelles : sur l’assurabilité des sanctions administratives », Expertises, May 2017, pp. 180 et seq.
9 Cass. fr., civil, Civil Chamber, 14 June 2012, 11-17.367.
10 C. LEERMAKERS, « L’arrêt du 14 juin 2012 de la Cour de cassation française », available on www.newsletter.cms-db.info, June 2014.
11 Article 14, paragraph 1 of the Law of 27 July 1997.
12These criteria have also been taken up by the Court of Justice of the European Union; see in particular CJEU, 5 June 2012, Łukasz Marcin Bonda, case C-489/10 ; CJEU, 26 February 2013, Åklagaren c. Hans Åkerberg Fransson, case C-617/10 ; CJEU, 20 March 2018, Luca Menci, case C-524/15 and CJUE, 20 March 2018, Garlsson Real Estate SA, en liquidation, Stefano Ricucci, Magiste International SA c. Commissione Nazionale per le Società e la Borsa (Consob), case C-537/16.
13 Please refer to: M. MARTY, « Le principe ne bis in idem ou la quête de l’immunité pénale », in Le risque pénal du banquier, Limal, Anthemis, 2020, p. 46.
14 E. GUISSARD, « Le risque pénal du banquier en matière de protection des données personnelles », in Le risque pénal du banquier, op. cit., pp. 259 and 260.
15 Please refer to the following, under Belgian law: Y. POULLET, La vie privée à l’heure de la société numérique, coll. CRIDS, Bruxelles, Larcier, 2019, p.157, footnote n° 156.
Article provided by: Michel Molitor and Virginie Liebermann (Molitor, Luxembourg)
Dr. Tobias Höllwarth (Managing Director INPLP)