At a recent Parliamentary meeting to discuss the draft Digital Economy Bill, the UK Information Commissioner recommended imposing personal liability and accountability upon company directors. If such liability is imposed, it will mark a radical departure from the current law, under which directors of companies generally have no personal liability or accountability for breaches of data protection law committed by their companies.
On 13 October 2016, the Information Commissioner, Elizabeth Denham, (the "Commissioner") gave evidence to a House of Commons Public Bill Committee (the "Committee") regarding the ICO's recommendations for the Digital Economy Bill (the "Bill"). The Commissioner expressed support for making directors personally liable for breaches of data protection law by their companies.
The Commissioner noted that the ICO issued a total of £4 million in fines in the last year, and only collected a small percentage of that figure, because many companies that had committed serious breaches of data protection law were simply shutting down following an ICO fine, only to promptly reopen with the same management, staff and premises in a new corporate entity. Attaching personal liability to directors has been proposed as a means of addressing this problem.
The ICO recently imposed a fine of £400,000 – its largest ever fine for a breach of data protection law. With enforcement of the General Data Protection Regulation ("GDPR") beginning on 25 May 2018, and giving the ICO the power to impose fines of up to the greater of €20 million or 4% of worldwide turnover, extending liability to directors could be extremely costly for individuals in these positions. White & Case has produced a detailed GDPR Handbook that explains the impact of that legislation on businesses.
The Digital Economy Bill
The UK Government introduced the Bill on 5 July 2016, with the aim of improving the UK's digital infrastructure, by encouraging the development of fast broadband and mobile networks and imposing fewer regulatory hurdles. The Bill will set the foundations for introducing a Broadband Universal Service Obligation to give consumers the right to demand a fast broadband connection. It will also strengthen the right of consumers to easily switch supplier and receive compensation when their service fails. The Bill has been through its first and second readings in the House of Commons and is currently at the committee stage. It is expected to receive royal assent in early 2017.
The ICO's recommendations to the Committee
- Reviewing the Bill against the GDPR, to ensure that the new requirements imposed by the Bill are consistent with the GDPR – in particular, the new rights afforded to individuals.
- Putting the ICO's Data Sharing Code of Practice and Direct Marketing Code of Practice on a statutory footing, effectively giving those Codes the force of law (whereas currently they are merely guidance).
- Obliging companies to make their data sharing activities transparent at two levels, by requiring them to: (i) ensure that the purposes of the data sharing, and how it will occur, are made clear either at the point of collection of data, or in ways that are easily accessible by individuals; and (ii) implement safeguards and transparency in line with the ICO's Privacy Notice Code of Practice.
- Ensuring that data sharing, whilst beneficial for public interest reasons, is always kept proportionate, minimised as far as possible and undertaken in accordance with the Data Protection Act 1998.
- Ensuring that the requirement for age verification does not result in an open-ended approach that allows the relevant websites to take large amounts of personal data from individuals. Secure and accredited third party providers of age verification systems should be used to ensure that the bare minimum of data are disclosed to such website owners.
- Lowering the threshold for the requirement of 'harm', in relation to nuisance calls, to make it easier for the ICO to take enforcement action and issue fines.
Consequences for businesses
While data protection is not a main focus for the Bill, it is clear that a number of its proposed provisions could have a significant impact on data protection compliance obligations for businesses. In particular, the Commissioner’s recommendations regarding personal liability for directors (noted above) stand out. It remains to be seen whether that proposal will be included in the final Bill. Nevertheless, the fact that the Commissioner was willing to make such a recommendation is indicative of the ICO’s determination to take stronger action against businesses that fail to abide by their data protection compliance obligations.
Chris Ewing, a Trainee Solicitor at White & Case, assisted in the development of this publication.