BCL partner Julian Hayes and legal assistant Guevara Leacock’s article titled ‘GDPR fines: Can third party service providers be fined for the privacy lapses?’ has been published by Startups Magazine.
Here’s an extract from the article:
“In the space of just two months, the UK’s data watchdog, the ICO, has dished out nearly £40m in personal data breach fines to some of the country’s best-known companies – British Airways, Marriott International and Ticketmaster. Whisper it quietly, but the ICO’s burst of penalty decisions, coming after significant delays, goes some way to countering mutterings that the regulator lacked the will to take on large and well-resourced opponents.
But as the dust settles and the ICO waits for the cheques to arrive, the companies – and their shareholders – may be wondering how much they are ‘on the hook’ for, and whether any of the fines or the costs of dealing with the regulatory action can be recovered from others.
Those poring over the terms of insurance policies are likely to be disappointed. While it is not entirely settled, case law suggests regulatory penalties are probably uninsurable on public policy grounds, and the small print of insurance contracts may even include ‘clawback’ provisions for the legal costs paid out whilst defending regulatory action where an insured is ultimately found liable.
Next up for consideration: third party contractors and suppliers, often smaller entities with fewer resources, caught up in the data breaches. Pre-GDPR, such third parties could point out they were data processors, avoiding data protection liability. GDPR upended that, imposing both regulatory and private law liability on processors too. In each of the three cases before the ICO, BA, Marriott and Ticketmaster (the data controllers) sought to varying degrees to offset their own liability by pointing to the contributory negligence of such third parties.
In many respects, data controllers and processors face the same risk of GDPR liability: both are required to implement appropriate security measures for personal data, each is subject to the panoply of ICO enforcement powers, and aggrieved data subjects are entitled to seek compensation from controllers and processors as a result of regulatory infringements, subject to an exemption where they can show they were not in any way responsible for the breach.”
This article was originally published by Startups Magazine on 8/12/20. You can read the full version on their website.