Last month the Crown Prosecution Service (CPS) announced that they had decided there was insufficient evidence to provide a realistic prospect of a conviction on charges related to phone hacking allegations, both against individuals at the Mirror Group, and in relation to corporate liability at News Group Newspapers.

On this second point – corporate liability – the CPS announcement went further than many expected in providing a summary of the law relating to corporate liability and how, in its view, it applied to the facts. The summary itself is worth quoting in full:

The law on corporate liability in the United Kingdom makes it difficult to prove that a company is criminally liable if it benefits from the criminal activity of an employee, conducted during their employment. The company will only be liable if it can be proved that the individual involved is sufficiently senior, usually close to or at board level, to be the ‘controlling mind and will’ of the company. Unlike other countries, the principles of vicarious liability or poor corporate governance, which are matters that are easier to prove, play no part in establishing corporate criminal liability.

The present state of the law means it is especially difficult to establish criminal liability against companies with complex or diffuse management structures. In this case, as in any corporate liability case, we have looked closely at the overall structure of the company involved, and the level of management and decision-making powers of those involved, in order to come to a decision.”

And with that rather narrow interpretation of the common law, the CPS has effectively declared that, other than in the most simple and straightforward cases, the ‘identification principle’ first set out in Tesco Supermarkets v Nattrass 1972 AC 153 is no longer an effective tool for prosecuting corporate bodies.

The CPS analysis effectively means that establishing corporate liability under the identification principle will depend on, inter alia, how the relevant company is structured. It goes without saying that company structures vary widely according to, for example, whether they (i) are privately or publicly held, (ii) conduct operations in one or a number of countries, and (iii) pursue tax efficient structures which necessitates the creation and management of different entities in structures which may or may not be much more loosely held and managed. That more complex companies should in effect be less likely to be prosecuted because of such complexity is in itself a highly imperfect and potentially unjust outcome. Indeed, a number of high profile corporate prosecutions in the early 2000s failed for precisely such reasons, amid much public anger (see, for example, the failed Railtrack prosecutions in respect of the Paddington and Hatfield crashes).

The CPS decision is in part recognition that since those headlines, the legislature has been seeking other ways to hold corporates criminally accountable for their actions. There are three principal ways of doing so, two of which have been deployed in the UK. The first is a statutory workaround in effect creating a corporate negligence offence. The second is a Deferred Prosecution Agreement. The third, and arguably most straightforward method, which has not been taken up, would be to extend the principles of vicarious liability so that a company which had failed to exercise proper control over its employees would be automatically vicariously liable for the criminal acts of those employees.

Statutory workarounds

Under section 1 of the Corporate Manslaughter and Corporate Homicide Act 2007:

A relevant organization to which this section applies is guilty of an offence if the way in which its activities are managed or organized –

  1. causes a person’s death; and
  2. amounts to a gross breach of a relevant duty of care owed by the organization to the deceased.

The sections that follow contain many qualifications and clarifications of the above offence, but in simple terms this statute circumvents the difficulties of the identification principle by creating an offence based on a breach of duty, together with the somewhat nebulous concept of “the way in which its activities are organized” being a “substantial element” in the breach of duty (see s1(3)). Some may argue that this merely shifts the battleground from finding a‘directing mind and will’ to establishing that a company’s health and safety procedures, training and standards fell “far below” what could reasonably be expected of it in the circumstances (see s1(4)(b)).

In such a form this offence is similar in its jurisprudential effect to section 7 of the Bribery Act 2010, under which a “relevant commercial organization” is guilty of a failure to prevent bribery if a person “associated” with it bribes another person intending to obtain or retain business or an advantage for it. Here, the problem of finding a ‘directing mind or will’ is sidestepped by the creation of an offence of failing to prevent something from happening. Perhaps conscious of the rather obvious appearance of a reverse burden of proof, legislators have again focused on the question of internal procedures but this time the battleground has become a fully fledged defence: “But it is a defence for C to prove that C had in place adequate procedures designed to prevent persons associated with C from undertaking such conduct” (see s7(2)).

One can see the attraction of such an offence to prosecutors, and it is no surprise that the firstDPA concluded under the Crime & Courts Act 2013 was one in relation to a breach of the Bribery Act 2010. Similarly, it is unsurprising that the director of the SFO threw his weight behind now-dropped proposals to establish a corporate offence of failing to prevent fraud, in similar terms to the Bribery Act. However, such criminal offences are jurisprudentially unattractive, lack sufficient legal certainty and bring with them the prospect of satellite litigation and long, document-heavy trials.


DPAs have been dealt with elsewhere and while they do not provide for a corporate conviction (unless the company is later found to have breached the DPA) they may be considered a method of holding corporates liable for criminal conduct, and the current indications are that they are likely to become more prevalent as prosecutors and corporate counsel become familiar with them.

Vicarious Liability

While as a principle vicarious liability of a corporate for the acts of its employees does exist in the UK, it is in a rather indirect form which unfortunately enables a corporate to avoid such vicarious liability where it can establish that the employee has acted in breach of his terms and conditions of employment – something which will necessarily be the case where a criminal offence has been committed.

It is suggested that what is required in the UK is not the creation of yet more complex statutory offences with obscure breaches of duty which generate satellite litigation as to whether and when ‘adequate procedures exist’, but a simple and straightforward principle that where employees have committed offences in the course of carrying out their work for the company, that company will be vicariously liable for those offences. Where the company is the victim (for example with employee fraud) it goes without saying that no criminal liability would vest. But where employees commit bribery, cartel or other antitrust offences, or indeed fraud offences, which redound primarily to the benefit of the company (even though there may be some consequent performance-based benefit to the employee) it makes little sense (and offends against a sense of justice) that the company should avoid liability merely because the conduct was not approved by a board director.