The Data Protection Bill (“the Bill”) was described in the Queen’s speech of June 2017 as a new law to ensure ‘that the United Kingdom retains its world-class regime protecting personal data’. It supplements and bolsters the General Data Protection Regulation (“GDPR”), the directly effective EU regulation on Data Protection coming into force in May. GDPR changes the regulatory environment and gives the ICO the power to impose eye watering fines for those in breach. The Bill deals with elements of the regulatory framework not covered by GDPR, and sets out the criminal offences for data protection breaches. There is some continuity with the existing regime governed by the Data Protection Act 1998 (“DPA”) but new offences have also found their way into the bill. This article considers the intended changes to data protection offences, an increased appetite to prosecute and penalise offenders and the critical importance of the broader criminal context in understanding these specific offences.
Something Old, Something New…
Many of the criminal offences build on or update parts of the DPA:
Access and Disclosure Offences
- Clause 166 of the Data Protection Bill builds on s.55 DPA which criminalised knowingly or recklessly obtaining, disclosing or procuring personal data without the consent of the data controller, and the sale or offering for sale of that data. The provision was most typically/commonly used to prosecute those who had accessed healthcare and financial records without a legitimate reason. Clause 166 adds the offence of knowingly or recklessly retaining personal data (which may have been lawfully obtained) without the consent of the data controller;
- Clause 177 relates to Subject Access Requests and builds on s.56 DPA 1998. It is designed to prevent organisations from trying to use Subject Access Requests as background checks. It creates the offence of requiring relevant records (a record relating to health, convictions or cautions, or statutory functions), as a requirement for employment or a contract for the provision of services. Organisations are expected to run the necessary background checks without compelling people to obtain and disclose their personal data.
- Clause 143 replicates s.47 (2) DPA 1998 in criminalising the provision of false statements in response to an information notice (a demand from the ICO to produce information within a certain timeframe);
- Paragraph 15 of Schedule 15 criminalises obstructing a warrant or making a false statement in response to a request for information pursuant to a warrant, replicating paragraph 12 of Schedule 9 DPA 1998.
- Clause 119 is described as a ‘future-proofed’ version of s.54A DPA 1998, a provision that criminalises obstructing the ICO’s inspection of European information systems;
- Clause 131 is set to replace s.59 DPA 1998, criminalising action by former or current ICO staff to unlawfully disclose data obtained during the course of their duties.
- The two new offences which appear within the Bill address specific concerns relating to the operation of existing data protection regime Clause 167 follows a recommendation by Dame Fiona Caldicott, the National Data Guardian for Health and Care, to criminalise the re-identification of personal data that has been ‘de-identified’ (de-identification being a process - such as redactions - to remove/conceal personal data).
- Clause 169 relates to the processing of Subject Access Requests from individuals for their personal data, and makes it a criminal offence for organisations to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure. A similar offence already exists to prevent public bodies avoiding their duties to disclose information under the Freedom of Information Act 2000.
Liability and Sentencing
The Bill empowers prosecutors to proceed against individuals, body corporates and those associated with them. Clause 189, which is intended to have the same effect as s.61 DPA 1998, provides that where an offence under has been committed by a body corporate with the consent or connivance of an officer (or a person purporting to act in that capacity) then both the body corporate and the relevant person are liable to prosecution.
Despite suggestions that certain offences under the DPA might be made imprisonable, the Bill preserves the status quo ante of financial penalties only. In terms of quantum, the Crown Court may impose unlimited fines, a power extended to the Magistrates’ Courts since 13 March 2015. There is little authority on the appropriate level of fines such offences, beyond the general guidelines on the relevance of defendants’ means and ability to pay. Most cases brought by the ICO under s.55 DPA have been resolved in the Magistrates’ Court with fines in the hundreds or low thousands of pounds. However in a 2013 Crown Court case (R v Hill and others) fines well into five figures (and in respect of one defendant, six figures) were imposed following guilty pleas. It is fair to assume that there is an appetite in the senior courts for increasingly significant fines. For corporate offenders, the sentencing court will expect detailed financial statements covering a five year period to be provided.
Beyond the bill
It is important not to put the ‘data blinkers’ on when assessing whether conduct connected to obtaining, retaining and processing data is criminal. Data is a valuable commodity and obtaining and misusing it may attract criminal liability outside of the data focused legislation. For example, the aforementioned case of Hill and others started life as a conspiracy to defraud (guilty pleas being offered to DPA offences) and several private detectives were successfully prosecuted for a similar conspiracy in the aftermath of the 2011 phone hacking scandal. That data protection prosecutions can only be brought by the ICO obviously precludes the typical path of a criminal investigation from police to CPS. Even if the CPS was empowered to act, the limited sentencing powers would likely tempt prosecutors to seek alternative charges. As well as conspiracy to defraud, one can envisage Fraud by False Representation and Computer Misuse Act offences being applicable where data has been obtained by deception or electronically.
Whilst the regulatory framework provided by GDPR is understandably garnering significant attention, GDPR must be read alongside the Bill to understand how the data protection landscape will be changing. In the criminal context in particular there is also a need to look back upon existing legislation to understand how it will be applied to the use and misuse of personal data.