Passing on fines for GDPR breaches
28 January 2021
Data protection has become a top agenda item for many companies, and this may be attributable to the heavy fines accompanying data breaches, which are making headlines in their own right. For example, in 2020 alone, H&M was on the receiving end of a hefty €35m fine, followed by Google with an eye-watering fine of €50m.
The General Data Protection Regulation ("GDPR") provides that where an organisation has committed a data breach, a regulatory body may impose an administrative fine of up to €10m, or up to 2% of the company's worldwide annual turnover for the preceding financial year (whichever is higher). It is clear that the threat of such extravagant penalties alone has companies across the board paying attention and (rightly) treating data privacy as a serious issue. The regulatory fines have successfully achieved their objective of providing an effective deterrent that keeps companies on their toes.
So what happens where a company has been slapped with a hefty fine because of a data breach originating from a third party contracted on the company's behalf? Would the company be able to recover the amount of the regulatory fine from that third party?
Passing the blame on to a third party is a defence commonly attempted by organisations that find themselves on the receiving end of a regulatory fine. Recently, British Airways, Marriott and Ticketmaster faced some of the largest GDPR fines of 2020, and in making their representations to the Information Commissioner's Office (the "ICO", the UK data regulator), all three companies argued that it was not them, but their third party service providers, that were at fault.
Unfortunately, this argument carried no weight with the regulatory authorities. In each of these cases, the ICO held that it was the companies (i.e. British Airways, Marriott and Ticketmaster), and not the service providers, that were at fault. In particular, the ICO stated that the engagement of third parties cannot reduce a company's degree of responsibility.
It is therefore important for companies to bear in mind that, under the GDPR, even where a company outsources data processing to a third party organisation, it is still considered the data controller. The company is responsible not only for its own compliance under the GDPR, but also for that of its data processors (the designation given to a contracted third party supplier).
It is interesting to note that, under the GDPR, both the data controller and the data processor can be directly liable to fines imposed by the regulatory authorities. In light of recent case examples, however, it seems that regulatory authorities are more likely to hold data controllers, rather than data processors, responsible and to impose the penalties on the former.
This leads us to the consideration of what happens when a company is fined as a data controller. Will they be able to pass on the fine?
The illegality defence often arises in this context. It essentially prevents a claimant from obtaining compensation for a loss which they have suffered as a result of their own illegal or immoral act. The defence is traditionally engaged in relation to criminal offences; however, recent cases suggest that it may also be deployed where quasi-criminal acts infringe statutory rules meant to protect the public interest, particularly where the infringement attracts penalising civil sanctions.
When the courts are determining whether the illegality defence applies, they need to balance the following considerations:
- the underlying purpose of the prohibition which has been contravened;
- any other relevant public policies which may be rendered less effective by not allowing the defence to be engaged; and
- whether upholding the defence would be a proportionate response to the contravening act, bearing in mind the seriousness of the conduct, centrality to the contract and whether it was intentional.
It is useful to keep the above guiding principles in mind when assessing whether regulatory fines can be passed on to a third party.
Taking these in turn, there is little doubt that GDPR fines are punitive in nature and are meant to deter companies from committing data breaches. The fines are therefore likely to engage the illegality defence, barring a company from passing them on. Similarly, there is a strong case to be made that data breaches are quasi-criminal in nature.
As to the other public policies to be considered, there is an argument that, where a company has already made representations to a regulatory body that its liability should be reduced because of the involvement of a third party, and the regulatory body has rejected those representations, it is not then open to the company to re-allocate blame for the penalty, as that would nullify the punitive effect of the fine. A company is likely to be barred from doing so in such circumstances.
It is clear that the culpability and wrongdoing that led to the breach will play a strong role. For example, where the breach results from an unknown malicious hacker and the company is innocent of wrongdoing, the public policy of illegality is less likely to be engaged, whereas a company that commits a breach as a result of its own poor data handling is more likely to engage the defence.
Similarly, the nature and seriousness of the data breach will also be a factor. The more sensitive the data (e.g. medical information) and the bigger the data leak, the more likely it is that the illegality defence will apply.
On the other hand, if the company has a contract with the third party supplier and the data breach arose because the third party supplier failed to meet its obligations, one would think there should be a stronger case for making the third party liable to pay damages for its failures.
What emerges from all of this is that passing on regulatory fines is a nuanced question that needs to be looked at on a case-by-case basis, determined on its own particular facts. However, there is a strong likelihood that a data controller company will encounter severe difficulties in trying to pass on any fines.
What does this mean for companies?
As the situation is far from clear, companies should not take it for granted that they will be able to recover from third parties the losses incurred as a result of any financial penalties.
Instead, companies should carry out proper due diligence before they contract with third parties to handle any data, and ensure that adequate data protection measures are in place to minimise the risk of breaches. Under the GDPR, they are considered responsible for their own compliance, as well as for that of any third party data processors that handle data for which the company is the data controller.
Particular care should be taken to ensure that contracts are in place which set out the third party's obligations and the requirements for proper data handling.
If you would like any further information, please get in touch with your usual Bedell Cristin contact or one of the contacts listed.