Michel Molitor, Managing Partner – MOLITOR Avocats à la Cour
Article written by MOLITOR Avocats à la Cour as part of their sponsorship of ACA Insurance Days 2022.
In the context of a cyber-risk insurance policy, MOLITOR Avocats à la Cour’s insurance law experts present the reasons why administrative fines issued by the National Commission for Data Protection should be considered as criminal sanctions and therefore currently uninsurable under Luxembourg law.
There is no shortage of recent examples of cyber-attacks and the COVID-19 pandemic as well as the Russian-Ukrainian conflict have undoubtedly provided a playground for cybercriminals. While such attacks can be devastating for a company and paralyse its operations, they can also be accompanied by personal data breaches within the meaning of the General Data Protection Regulation (GDPR) that may give rise, on the one hand, to an investigation on the protection of personal data carried out by the competent administrative authority and, on the other hand, to pecuniary sanctions at the end of that investigation.
In Luxembourg, the National Commission for Data Protection (NCDP) has in particular the power to impose substantial administrative fines in the event of a breach of the applicable data protection regulations, the amounts of which may be as high as EUR 20 million or 4% of a company’s annual turnover, whichever is higher.
Given the level of fines and the economic stakes for businesses, the question of the insurability of such fines is of definite practical interest. So-called “cyber-risk” insurance contracts have developed whose purpose goes well beyond compensation for damage suffered by the insured and/or caused to third parties, and which also aim to offer a genuine crisis management solution; yet an analysis of existing clauses shows a certain hesitation on the part of insurers to cover financial penalties imposed by an administrative authority.
By way of illustration, an extract from the general terms and conditions of a cyber-risk insurance issued by a Luxembourg provider concerning this issue states:
“DATA PROTECTION FINES
The insurer will pay to or on behalf of any insured all data protection fines which are legally insurable in the most favourable jurisdiction, and that the insured is legally liable to pay upon the conclusion of a regulatory investigation by a regulator for an infringement of the data protection legislation”.
By referring to an expression such as “which are legally insurable in the most favourable jurisdiction” in the context of fines imposed by an administrative authority, the insurer thus intends to protect itself against legislation, or even case law, which would enshrine the uninsurability of such sanctions.
The question of whether the hesitation of the insurers is well-founded requires a review of the applicable laws and related case law.
Under Luxembourg law, insurance contracts are governed by the amended law of 27 July 1997 which is itself based on the Belgian law of 25 June 1992 on non-marine insurance contracts. Both Luxembourg and Belgian laws are silent on the question of the insurability of administrative fines.
Only the principle of the uninsurability of criminal sanctions is expressly provided for in Article 97, which states: “No fine or penal transaction can be the subject of an insurance contract, except for those which are borne by the civilly liable person”.
This prohibition on insuring such fines is a matter of public policy and derives from Article 6 of the Luxembourg Civil Code, which provides that: “No derogation may be made, by special agreements, from laws which concern public order and morality”. As the specific doctrine clearly expresses it, “When, traditionally, it is explained that insurance cannot run counter to criminal sanctions, it is because in this case it would call into question the personal scope of criminal sanctions, which are a matter of public policy embodied here by the decisions of the public service of justice. (…) Fines imposed by a criminal court and the related costs are never covered by insurance, as there is a public policy prohibition on compensating criminal debts. Indeed, these debts are personal and are therefore attached to the convicted person, who is the only person who can pay them”.
It is also on the basis of this same ground of violation of public order that the majority of case law and doctrine have traditionally concluded that administrative sanctions are in principle uninsurable.
In this respect, two decisions of the French Court of Cassation have been interpreted by certain French authors as adding a nuance to this categorical view: according to these authors, public policy is no longer the basis to be taken into account in order to exclude the insurability of such fines, but rather – in the context of the 2012 judgment – the criterion of the intentionality of the act and, in the context of the 2019 judgment, the criterion of the insured’s knowledge of the loss prior to the conclusion of the insurance contract.
In other words, pursuant to this case law, administrative penalties would no longer be “uninsurable per se, but would be so only if the act giving rise to them was committed intentionally. One could then consider a policy that would stipulate that only administrative sanctions that did not result from an intentional fault would be covered. It is indeed theoretically possible to have an administrative sanction without intentional fault”.
In this spirit, administrative fines would therefore be insurable provided that the infringement giving rise to such sanctions was not intentional, or, respectively, that the insured was not aware of the wrongful acts giving rise to the administrative proceedings before concluding the insurance contract.
Other authors firmly reject giving such a scope to these judgments: “In these two judgments, questions of insurance (intentional fault, knowledge of the loss) were dealt with; but the substantive question of the validity of the insurance of an administrative sanction was never raised and therefore not answered. It does not seem possible (…) to interpret these judgments in the sense of a possible insurability of administrative sanctions based on unintentional faults. As the law stands, it must therefore be concluded that administrative fines and any financial penalty are uninsurable. A clarification of the texts in the sense of the uninsurability of these administrative pecuniary sanctions seems desirable in order to put an end to the uncertainties which remain in many insurance contracts envisaging the insurability of administrative sanctions, but within the limits permitted by the law”.
A similar debate on this topic has not yet taken place in Luxembourg, to the best of our knowledge, either in doctrine or case law. However, on reading the Luxembourg law on insurance contracts, a vision of openness (as defended by certain French authors) in favour of the insurability of administrative fines (under certain conditions) is not automatically ruled out. As we have seen above, the law does not in any way regulate the question of the insurability of administrative penalties. It nevertheless declares the consequences of intentional or fraudulent fault uninsurable by stating that “Notwithstanding any agreement to the contrary, but without prejudice to Article 103 point 1, the insurer may not be required to provide cover in respect of any person who has caused the loss intentionally or fraudulently”. Similarly, it provides that the insurance contract is null and void if, at the time the contract is concluded, the risk has already occurred. The deliberate, non-contingent nature of an intentional or fraudulent breach, and likewise of a loss already known to the insured before the contract is concluded, explains the sanction imposed by the legislator.
Even considering that the French Court of Cassation may have wanted to pave the way and to rule in favour of the insurability of certain administrative fines or, at the very least, the rejection of the systematic uninsurability of such sanctions, it seems to us that another element must be taken into account before a conclusion can be reached concerning the particular case of fines imposed by the NCDP.
As indicated above, Luxembourg law enshrines the uninsurability of criminal sanctions. Consequently, if, by its nature, the sanction imposed by the NCDP is of a criminal or quasi-criminal nature, it could not be covered by insurance.
According to the GDPR, it is necessary that the sanctions provided for are “effective, proportionate and dissuasive” (Articles 83 and 84).
To our knowledge and to date, there is no normative text or case law dealing specifically with the (quasi-)criminal or non-penal nature of an administrative fine imposed by the NCDP.
In order to determine whether or not an administrative sanction – such as that imposed by the NCDP – is of a (quasi-)criminal nature, an analysis of the so-called “Engel” criteria identified by the European Court of Human Rights and used to determine, on the one hand, what actually falls within the scope of a criminal charge and, on the other hand, what the scope of the ne bis in idem principle is, is relevant. These three criteria are as follows:
In this respect, we can only agree with the analysis made by the doctrine with regard to the GDPR: “as explained by the doctrine based in particular on the Grande Stevens v. Italy case law of the European Court of Human Rights, the sanctions provided for in the Regulation meet these three criteria, since the sanctions are administrative sanctions under the Regulation, they are intended to have a deterrent and repressive effect and to protect the general interest, and the amounts of the fines reflect an undeniable severity. These elements sufficiently convince of the penal nature of the sanctions provided for by the Regulation, at least of the fines. It follows that the administrative fines imposed by the NCDP should be subject to some of the procedural guarantees applicable in criminal matters (…)”.
The financial measures imposed by the NCDP, in that they meet the three Engel criteria and are therefore of a criminal nature, must consequently be subject to the same rules and principles as those governing criminal sanctions. This leads us to conclude that they are uninsurable under the Luxembourg laws currently in force.
Agence nationale de la sécurité des systèmes d’information (ANSSI), PANORAMA DE LA CYBERMENACE 2022, available at www.cert.ssi.gouv.fr, January 2023; I. VERGARA, “France, Italie, Finlande, États-Unis… Une campagne de cyberattaques affecte plusieurs pays,” Le Figaro, available at www.lefigaro.fr, 5 February 2023.
INTERPOL, Analysis report “Cybercrime: COVID-19 impact”, available at www.interpol.int, 19 August 2020; “Global landscape on COVID-19 cyberthreat”, available at www.interpol.int, April 2020; D. VENTRE, H. LOISEAU, “Évolution du crime et du cybercrime durant la pandémie de coronavirus”, in Cahiers de la Sécurité et de la Justice, n° 50 – January 2021 – Penseurs et acteurs de la sécurité.
Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
See Article 58 of the GDPR for a complete list of powers granted to supervisory authorities. See in addition the NCDP Regulation relating to the investigation procedure adopted by decision n-4AD / 2020 dated 22 January 2020, in application of Article 40 of the law of 1 August 2018 on the organisation of the National Commission for Data Protection and the general data protection regime.
Article 83 (5) of the GDPR.
Law of 27 July 1997 on insurance contracts, Official gazette of the Grand Duchy of Luxembourg, Mémorial A, n° 65, p. 2048.
Presently, law of 4 April 2014 on insurance.
Article 91 of the Belgian law.
N. HÉLÉNON and C. HESLAUT, « Données personnelles : sur l’assurabilité des sanctions administratives », Expertises, May 2017, pp. 180 et seq.
Cass. fr. civ. 2e, 14 June 2012, pourvoi n° 11-17.367, Revue des sociétés 2012, p. 637, and the note; Gaz. Pal. n° 179-180, note B. Dondero; JCP E, 2013 n° 36, pp. 30-31, obs. M. Asselain; RTD com. 2012, p. 813, note N. Rontchevsky; Cass. fr. civ. 2e, 13 June 2019, n° 17-26.171, Rev. Sociétés 2020, p. 103.
See J. KULLMANN, « Amendes pénales et amendes administratives infligées aux dirigeants : pour une assurance raisonnée », in JCP Entreprises, 2009, n° 10, p. 1226; M. ROBART and A. FRENEAU, « Les sanctions pécuniaires à la limite de l’assurabilité », in L’Argus de l’Assurance, Nov. 2012, p. 46, mentioned by A.-F. BOUVIER, « La sanction pécuniaire de l’AMF est inassurable : note s/ Paris, 14 février 2012 », in Revue de jurisprudence commerciale – Les Cahiers du Chiffre et du Droit – September / October 2013 – Number 5, p. 5.
C. LEERMAKERS, « L’arrêt du 14 juin 2012 de la Cour de cassation française », available at www.newsletter.cms-db.info, June 2014.
See Lamy Droit des Assurances 2013 § 2101 et seq.; L. GRYNBAUM, « note sous Cass. Civ 2ème 14 juin 2012 », in Rev. Sociétés, November 2012, p. 639, mentioned by A.-F. BOUVIER, op. cit.
HAUT COMITÉ JURIDIQUE DE LA PLACE FINANCIÈRE DE PARIS, Report on the insurability of cyber risks, 28 January 2022, p. 14 et seq.
Article 14, paragraph 1 of the LIC.
Article 32, paragraph 1 of the LIC.
During our analysis, we identified several decisions from which it emerges that (i) the decision taken by the Director of the Employment Administration to impose on an employer a fine of between 251 and 2,500 euros for non-compliance with his obligations to declare any work position to the Employment Administration is of an administrative nature and not of a criminal nature (Tribunal d’arrondissement de Luxembourg, 21 October 2010, n° not. 2054/09; 3431/2010), (ii) the fine imposed by the Administration de l’Enregistrement et des Domaines on a company for non-compliance with its professional obligations under the anti-money laundering legislation does not fall under criminal law (Tribunal d’arrondissement de Luxembourg, 10 December 2015, n° not. 4935/15/CD; 3508/2015), (iii) non-compliance with the rules of conduct of the financial sector is likely to lead to administrative sanctions, but such violation does not lead to criminal sanctions (Chambre du Conseil de la Cour d’appel, 10 July 2014, n° not. 33190/12/CD; 487/14 Ch.c.C.).
These criteria have also been taken up by the Court of Justice of the European Union; see in particular CJEU, 5 June 2012, Łukasz Marcin Bonda, case C-489/10; CJEU, 26 February 2013, Åklagaren v. Hans Åkerberg Fransson, case C-617/10; CJEU, 20 March 2018, Luca Menci, case C-524/15 and CJEU, 20 March 2018, Garlsson Real Estate SA, in liquidation, Stefano Ricucci, Magiste International SA v. Commissione Nazionale per le Società e la Borsa (Consob), case C-537/16.
Please refer to: M. MARTY, « Le principe ne bis in idem ou la quête de l’immunité pénale », in Le risque pénal du banquier, Limal, Anthemis, 2020, p. 46.
E. GUISSARD, « Le risque pénal du banquier en matière de protection des données personnelles », in Le risque pénal du banquier, op. cit., pp. 259 and 260.
Please refer to the following, under Belgian law: Y. POULLET, La vie privée à l’heure de la société numérique, coll. CRIDS, Bruxelles, Larcier, 2019, p. 157, footnote n° 156; under French law: HAUT COMITÉ JURIDIQUE DE LA PLACE FINANCIÈRE DE PARIS, op. cit., p. 15.