AML: HMRC flexes enforcement muscle to the tune of £7.8 million
“A world-class regime protecting personal data”
The Data Protection Act 2018 (“the Act”) repeals and replaces the UK’s existing data protection laws to keep them up to date for the digital age to ensure that United Kingdom “retains its world-class regime protecting personal data”. It sets new standards for protecting personal data, in accordance with the General Data Protection Regulation (“GDPR”), the directly effective EU regulation which came into force on 25 May 2018. (See our related blogs).
It also includes a number of provisions relating to processing of personal data by police and criminal justice agencies as it implements the related Law Enforcement Directive extending its provisions to cover national as well as trans-national data sharing. (See our related blog)
GDPR changes the regulatory environment and gives the Information Commissioner’s Office (“ICO”) the power to impose eye watering fines for those in breach. (See our related blog)
The Act deals with elements of the regulatory framework not covered by GDPR, and sets out the specific criminal offences relating to data protection. There is some continuity with the existing regime governed by the Data Protection Act 1998 (“DPA 1998”) but new offences have also been introduced onto the statute book.
This article considers the changes to data protection offences, an increased appetite to prosecute and penalise offenders and the critical importance of the broader criminal context in understanding these specific offences.
Many of the criminal offences build on or update parts of the DPA 1998:
Access and Disclosure Offences
The two new offences which are introduced address specific concerns relating to the operation of existing data protection regime:
The Act empowers prosecutors to proceed against individuals, body corporates and those associated with them. Directors are put in the spotlight as Section 198 (which is intended to have the same effect as s.61 DPA 1998), provides that where an offence has been committed by a body corporate with the consent or connivance of an officer (or a person purporting to act in that capacity) then both the body corporate and the relevant person are liable to prosecution. (See our related blog)
Despite suggestions made during the passage of the Bill that certain offences under the DPA might be punished by imprisonment, the Act preserves the status quo ante of financial penalties only. The Crown Court may impose unlimited fines, a power extended to the Magistrates’ Courts since 13 March 2015. There is little authority on the appropriate level of fines for such offences, beyond the general guidelines on the relevance of defendants’ means and ability to pay. Though this may be addressed in future following the recent Sentencing Council consultation which proposes a draft general sentencing guideline for use where there is no offence specific guideline which includes data protection offences. Most cases brought by the ICO under s.55 DPA have been resolved in the Magistrates’ Court with fines in the hundreds or low thousands of pounds.
However, there is an appetite in the senior courts for increasingly significant fines of five and six figures. For corporate offenders, the sentencing court will expect detailed financial statements covering a five year period to be provided.
It is important not to put the ‘data blinkers’ on when assessing whether conduct connected to obtaining, retaining and processing data is criminal. Data is a valuable commodity and obtaining and misusing it may attract criminal liability outside of the data protection legislation. For example, the case of R v Hill and others started life as a conspiracy to defraud (guilty pleas being offered to DPA 1998 offences) and several private detectives were successfully prosecuted for a similar conspiracy in the aftermath of the 2011 phone hacking scandal.
That data protection prosecutions can only be brought by the ICO obviously precludes the typical path of a criminal investigation from police to Crown Prosecution Service (“CPS”). Even if the CPS was empowered to act, the limited sentencing powers would likely tempt prosecutors to seek alternative charges. As well as conspiracy to defraud, one can envisage Fraud by False Representation and Computer Misuse Act offences being applicable where data has been obtained by deception or electronically.
Whilst the regulatory framework provided by GDPR has understandably garnered significant attention, GDPR must be read alongside the Act to understand how the data protection landscape is changing.
In the criminal context in particular there is also a need to look back upon existing legislation to understand how it will be applied to the use and misuse of personal data.
Should you have any GDPR or data protection queries, please contact Kingsley Napley’s data protection team.
Skip to content Home About Us Insights Services Contact Accessibility