Are We Heading Towards Personal Liability for Data Protection Breaches?
18 October 2016
A couple of weeks ago I heard Stephen Eckersley, the ICO’s Head of Enforcement, being put on the spot on Radio 4 about the number of fines imposed by the ICO that have gone unpaid. This isn’t a problem with what might be considered the more reputable businesses, which pay up when fined, but it is a problem with those that deliberately sail close to the wind, particularly when making marketing calls or sending texts. The ICO’s fines have been substantial (up to £350,000 in some cases involving calls and texts), but they are arguably ineffective if they don’t get paid. The problem is that fines are imposed against businesses, and businesses can duck and dive to avoid paying up. The ICO isn’t well set up to chase those who default on their fines and, in any case, a business can ultimately be closed down without settling its debts. It is then not unknown for those behind a business that has been fined and then wound up to re-emerge in the guise of a new business adopting much the same unlawful marketing practices that led to the original fine.
Some see the answer as being the introduction of some new form of personal liability for company directors. The consumers’ organisation Which? has been campaigning to ensure that company directors are held personally accountable for unlawful calls and texts. They appear to have some support in Parliament, and the ICO also seems to be behind them. Elizabeth Denham, the new UK Information Commissioner, supported this approach in her recent comments before a Parliamentary Committee in relation to the Digital Economy Bill, where she called for directors to be made accountable by becoming personally liable to pay fines for nuisance calls. She stated: “I would support extending liability and accountability to directors. Our office has issued fines that totalled about £4 million in the last year, but the problem is that we have been able to collect only a small proportion of those fines because companies go out of business and, as in a game of whack-a-mole, appear somewhere else. It is important for us to be able to hold directors to account for serious contraventions.” She is keen for directors’ liability to be built into statute.
It’s not yet clear what form any personal liability might take. Where a criminal offence under the Data Protection Act (DPA) is committed by a corporate body, any ‘director, manager, secretary or similar officer’, as well as the corporate body itself, can be prosecuted for the offence if it was committed with their consent or connivance or is attributable to any neglect on their part. It is therefore already possible for the ICO to get at company directors by first issuing an enforcement notice against the company and then, because failure to comply with an enforcement notice is itself a criminal offence, prosecuting any director behind the company’s failure to comply with the notice. This is a convoluted route, however: breaches of the Data Protection Principles and of the Privacy and Electronic Communications Regulations (PECR) are generally dealt with by civil monetary penalties rather than by criminal prosecution, and for civil monetary penalties there is no equivalent provision for directors’ liability.
Any new personal liability could be criminal, or it could be a civil liability for a monetary penalty. No doubt there will be a debate about which is the more effective deterrent: the risk of a criminal conviction accompanied by a limited fine, or liability for what would in all probability be a much larger civil penalty, with the attendant possibility of bankruptcy.
Currently all the attention here is on personal liability for breaches of PECR, and it is being driven by political pressure to clamp down on those who make nuisance calls or send nuisance texts. This could move on, though, particularly as public concern about data breaches grows. In a climate where directors’ liability is increasingly seen as the answer to a range of mischiefs, might there be pressure to introduce personal liability more generally for breaches of the DPA? And how might this play out in the context of the General Data Protection Regulation? The GDPR’s fines for controllers and processors of up to 20m EUR or 4% of worldwide annual turnover, whichever is the higher, have attracted a great deal of attention and are presented as a new and effective deterrent against businesses that fail to live up to their data protection obligations. They may well work against otherwise responsible multinationals, but will they really make any difference to those “rogue” businesses that start off with little or no intention of complying anyway? Some might argue that if we are really getting serious about data protection then some element of personal liability for directors is required as well.