Limits of Liability
Finally, turning to the actual drafting of the financial caps and other limitations and exclusions of liability in circumstances where they are appropriate, the position we are seeing in the market following GDPR is now quite different from under the Data Protection Act 1998. It is less usual now to see a blanket statement of unlimited liability for breach of the data protection provisions of the contract, in the same way as you will generally still see for breaches of confidentiality. What is seen generally breaks down into the following:
(a) a financial cap on liability which is different from and separate from the general cap for contractual damages. The amount we see typically varies from low millions of pounds to many multiples of the contract value, depending on the nature of the data and the processing and the bargaining power of the parties;
(b) an exclusion of indirect losses; and
(c) a list of specific losses which are deemed to be direct and therefore recoverable, which may include internal additional costs, remediation efforts with data subjects, ex-gratia compensation and costs incurred generally in dealing with the fall-out from data breaches. This list often includes claims made by data subjects and fines, but for the reasons given above, it is doubtful whether these will be effective in situations where the party seeking to claim the amounts has caused the damage or breach to arise. For that reason, we would recommend splitting out the data subject claims and fines from the other losses that may be suffered, so that if these are ineffective the whole clause will not fall away.
GDPR creates many open legal questions, and the ability to recover fines and compensation awards from a contract counterparty or insurer is a good example. One interesting issue is whether the courts will differentiate between direct liability and vicarious liability when determining whether or not to enforce a contractual indemnity. In cases where there is no finding of direct liability for an employer (as was the case in Morrisons) and liability arises strictly on the basis of the employer's vicarious liability for the acts of its employees, the courts may be more willing to allow recovery. This should provide some comfort for organisations grappling with the challenge of insider threat. It is also an illustration of why there is value in negotiating appropriate indemnity protection.
Closing
Limiting financial liability under GDPR has been made much more complex than under the Data Protection Act 1998, both because the nature of the obligations placed on both parties has changed and because the consequences of breaches are much more serious. Parties looking to limit their exposure should be realistic and not assume that it will be either possible or desirable simply to pass liability to the other party under the contract in all circumstances. Instead, they will need to take a more balanced approach to liability, based on the terms of GDPR and on who has caused the loss in question to arise.