Greater criminal liability ahead for U.K. company directors involved in data breaches

The Data Protection Bill is currently making its way through the legislative process. This Bill will replace the current Data Protection Act and will provide a comprehensive framework for data protection in the U.K. The resulting legislation will supplement the General Data Protection Regulation (GDPR), which will apply directly to the U.K. beginning on May 25, 2018. In one key respect relating to directors’ duties, it looks as if the Act may prove more onerous than the GDPR. Where directors can be implicated by their “neglect” in the criminal conduct of the company they may find themselves personally liable for that conduct.

Section 177 of the Bill creates personal liability for directors wherever a company is criminally liable for breach of data protection legislation. It provides, in relevant part, that:

“….where
(a) an offence under this Act has been committed by a body corporate, and
(b) it is proved to have been committed with the consent or connivance of
or to be attributable to neglect on the part of—
(i) a director, manager, secretary or similar officer of the body
corporate, or
(ii) a person who was purporting to act in such a capacity.
(2) The director, manager, secretary, officer or person, as well as the body
corporate, is guilty of the offence and liable to be proceeded against and
punished accordingly.”

Corporate criminal offenses

It’s worth pointing out that it’s not simply directors who are caught by this, but managers and similar officers as well as those purporting to act in that capacity.

I won’t cover all of the criminal liabilities that will be created under the new Act, but for example:

  • Section 161 makes it a criminal offense to unlawfully retain data.
  • Section 163 makes it a criminal offense to alter or destroy personal data following a Subject Access Request.

There should be enough in just these two offenses to worry senior managers of companies, especially when we remind ourselves how the English courts approach the “consent and/or connivance and/or neglect” test.

The meaning of consent, connivance and neglect

Some years ago, I blogged about a Court of Appeal decision on the meaning of the phrase “…consent and/or connivance and/or neglect” in relation to a director’s statutory criminal liability for a company offense under the Health and Safety at Work Act 1974. Now, it seems the same test will be applied to personal criminal liability for breach of the Data Protection Bill.

The meaning of consent received Court of Appeal scrutiny a few years ago in the case of Regina v E. [2007]. That case concerned a tragic accident at the docks where a six-year-old passenger was thrown from a forklift truck after it collided with a second truck. So far as the “neglect” ingredient of the offense was concerned, the judge at first instance said it was necessary to show the defendant had suspicion or belief as to the material facts but that, because he feared the answer might be unpalatable, he did not want to know more. He concluded that it was a “…subjective test and not equivalent to inadvertence, laziness or even gross negligence…”

If that were the right approach, it would have brought the concept of “neglect”, in effect, very close to its statutory cousins “consent or connivance”. The Court of Appeal rejected that conclusion and stated that it set the burden on the prosecution too high. It pointed out that the Act contains no requirement that the “neglect” be “willful”. Instead, the Court concluded as follows:

“The officer in question of the company should have, by reason of the surrounding circumstances, been put on enquiry so as to require him to have taken steps to determine whether or not the appropriate safety procedures were in place.”

In a similar case in 2009, the House of Lords agreed that the circumstances would vary from case to case and that no fixed rule could be laid down as to what the prosecution must identify and prove in order to establish that an officer’s state of mind amounted to consent, connivance or neglect. According to Lord Hope:

“In some cases, as where the officer’s place of activity was remote from the workplace or what was done was not under his immediate direction and control, this may require the leading of quite detailed evidence… In others, where the officer was in day to day contact with what was done there, very little more may be needed.”

Conclusion and implications

What this seems to boil down to in the context of the Data Protection Bill is that, for example, where it’s an offense to unlawfully retain data without consent (see section 161 above) and a company fails to prevent that risk from occurring, it may be possible to infer that there was “neglect” on the part of an officer. This would apply if the circumstances under which the risk arose were under the direction or control of that officer. The more remote the officer’s area of responsibility from those circumstances, the harder it will be to draw such an inference.

What’s equally clear is that it will not be open to an officer responsible for the part of the business in which the data breach occurred to run a defense to the “neglect” limb of a charge under Section 177 to the effect that he or she hadn’t known about the risk that it might occur. That is especially so where he or she had neglected to find out whether an adequate system was in place to prevent the breach from occurring in the first place. In other words, the onus will be placed on board members and other senior managers to satisfy themselves that the company does operate GDPR-compliant systems, and failure to do so may result in personal criminal liability in appropriate cases.

About Francis Kean

Francis is an Executive Director in Willis Towers Watson's FINEX Global, where he specializes in insurance for Dir…