The Data Protection Bill (“the Bill”) was described in the Queen’s speech of June 2017 as a new law to ensure ‘that the United Kingdom retains its world-class regime protecting personal data’. It supplements and bolsters the General Data Protection Regulation (“GDPR”), the directly effective EU regulation on Data Protection coming into force in May. GDPR changes the regulatory environment and gives the ICO the power to impose eye-watering fines on those in breach. The Bill deals with elements of the regulatory framework not covered by GDPR, and sets out the criminal offences for data protection breaches. There is some continuity with the existing regime governed by the Data Protection Act 1998 (“DPA”), but new offences have also found their way into the Bill. This article considers the intended changes to data protection offences, an increased appetite to prosecute and penalise offenders, and the critical importance of the broader criminal context in understanding these specific offences.
Something Old, Something New…
Many of the criminal offences build on or update parts of the DPA:
Access and Disclosure Offences
The Bill empowers prosecutors to proceed against individuals, bodies corporate and those associated with them. Clause 189, which is intended to have the same effect as s.61 DPA 1998, provides that where an offence has been committed by a body corporate with the consent or connivance of an officer (or a person purporting to act in that capacity) then both the body corporate and the relevant person are liable to prosecution.
Despite suggestions that certain offences under the DPA might be made imprisonable, the Bill preserves the status quo ante of financial penalties only. In terms of quantum, the Crown Court may impose unlimited fines, a power extended to the Magistrates’ Courts since 13 March 2015. There is little authority on the appropriate level of fines for such offences, beyond the general guidelines on the relevance of defendants’ means and ability to pay. Most cases brought by the ICO under s.55 DPA have been resolved in the Magistrates’ Court with fines in the hundreds or low thousands of pounds. However, in a 2013 Crown Court case (R v Hill and others) fines well into five figures (and in respect of one defendant, six figures) were imposed following guilty pleas. It is fair to assume that there is an appetite in the senior courts for increasingly significant fines. For corporate offenders, the sentencing court will expect detailed financial statements covering a five-year period to be provided.
It is important not to put the ‘data blinkers’ on when assessing whether conduct connected to obtaining, retaining and processing data is criminal. Data is a valuable commodity, and obtaining and misusing it may attract criminal liability outside of the data-focused legislation. For example, the aforementioned case of Hill and others started life as a conspiracy to defraud (guilty pleas being offered to DPA offences) and several private detectives were successfully prosecuted for a similar conspiracy in the aftermath of the 2011 phone hacking scandal. That data protection prosecutions can only be brought by the ICO obviously precludes the typical path of a criminal investigation from police to CPS. Even if the CPS was empowered to act, the limited sentencing powers would likely tempt prosecutors to seek alternative charges. As well as conspiracy to defraud, one can envisage Fraud by False Representation and Computer Misuse Act offences being applicable where data has been obtained by deception or electronically.
Whilst the regulatory framework provided by GDPR is understandably garnering significant attention, GDPR must be read alongside the Bill to understand how the data protection landscape will be changing. In the criminal context in particular there is also a need to look back upon existing legislation to understand how it will be applied to the use and misuse of personal data.
Should you have any GDPR or data protection queries, please contact Kingsley Napley’s data protection team.