Private investigators are facing increased scrutiny over their compliance with data protection rules. In recent months, the Irish courts have seen two criminal prosecutions concerning private investigators.  Following a prosecution in June when a private investigator was charged with over 70 data protection offences, a separate private investigation company and two of its directors now face 23 charges. Considering two prosecutions have been brought in recent months, this may be an area of increasing focus for the Data Protection Commissioner (“DPC”). The case also proves an example of how responsibility for corporate crime in the area of data protection may be attached to individual company directors. 

Background

According to media reports, number of credit unions hired the company to investigate and locate customers who were not responding to communications about outstanding loan payments. The DPC has alleged that the company used unlawful methods to obtain the customers’ new contact details and supply the information to the credit unions. The DPC is said to have discovered the matter when investigating the credit unions. In a prosecution brought before Bray District Court, the private investigation company and its directors now face criminal charges under the Data Protection Acts 1988 and 2003 (“DPA”).

What are the charges?

The company has been charged under section 22 DPA, which criminalises disclosures of personal data without authority. The DPC has alleged that investigators made telephone calls to the Department of Social Protection and the HSE Primary Care Reimbursement Service (the agency responsible for the administration of medical cards). In the course of these phone calls, it is alleged that the investigators “blagged”, or misrepresented, who they were in order to obtain the addresses of the customers under investigation. The company is then said to have provided these addresses to the credit unions.

The directors are separately being prosecuted under section 29 DPA. This is novel prosecution. Under this section, directors and other company officers can be prosecuted in relation to data protection breaches committed by companies under their control. More specifically, the directors are charged with consenting to, supporting, or through their neglect allowing, offences under the DPA to be committed by the company.

The company and directors are being prosecuted in the District Court (the lowest court in Ireland’s court system), with a potential fine of €3,000 per offence. However, according to media reports the judge was hesitant to accept that the District Court was the appropriate venue for hearing the case. This suggests that future offences could instead be brought on indictment in front of a jury in the more senior Circuit Court. This could lead to fines of up to €100,000 per offence. Aside from these significant financial penalties, directors convicted in the Circuit Court may also find themselves disqualified from acting as a director of any company under section 190(2) of the Companies Act 1990. 

The implications of the case

The prosecution is of interest for two reasons.

First, it shows how, with respect to the private security industry, the DPC is taking an aggressive, prosecutorial approach to enforcement. This seems to be influenced, in part, by the high profile controversies that have emerged in the UK with respect to “phone hacking” and related practices.

Second, the case shows how, in cases of criminal breaches of data protection law, the directors of the company may find themselves facing personal prosecution.