Blog: Data protection criminal prosecutions

Data protection enforcement in the UK is probably best known through the work of the Information Commissioner’s Office (ICO) using its powers to impose fines. In addition, and perhaps less well-known, is the fact that the criminal courts also play a role in the enforcement of some offences under the UK’s Data Protection Act 1998 (DPA 1998). The courts may impose fines and/or order any document or other material used in connection with the processing of personal data and appearing to the court to be connected with the commission of the offence to be forfeited, destroyed or erased.

 

So we thought it would be interesting to know how many data protection criminal prosecutions are actually brought before the courts in the UK.  We therefore made a request under the UK’s Freedom of Information Act 2000 to the Crown Prosecution Service (CPS), who are likely to bring the majority of these prosecutions in England & Wales (Scotland and Northern Ireland have slightly different systems). The CPS provided information for the years 2008-2013 concerning offences charged and which reached a hearing in the magistrates’ courts. Information on the final outcome or whether the charge was the final charge maintained is not provided, nor is it known if any matters went higher to the Crown Court.

 

The CPS confirmed that they had prosecuted for 3 data protection offences – obtaining or disclosing personal data or the information contained in personal data; procuring the disclosure to another person of the information contained in personal data; and, selling personal data. Obtaining/disclosing data is by far the most enforced offence with a total of 654 prosecutions over six years. Selling data has only been prosecuted twice over six years. 2010-2011 was a peak year with a total of 200 prosecutions (obtaining/disclosing data, and, procuring the disclosure of data).  Finally, since 2010 there has been a marked drop in prosecutions (obtaining/disclosing data, and, procuring disclosure of data) to the lowest total figure of these years in 2013 of 96 prosecutions. It could well be the case that the number of prosecutions has dropped as fewer people are committing offences now that the law is more established.

 

Whilst the numbers may have decreased a little in recent years it is clear that whilst not receiving a lot of attention there is significant enforcement activity of data protection legislation over and above the enforcement action the ICO is taking. The consequences of criminal enforcement are also severe. In one case in March this year (in this case prosecuted by the ICO) Isleworth Crown Court convicted a company director of DPA 1998 offences and ordered him to pay £89,000 in fines and confiscations. He faces 20 months in jail if the money is not paid and has also been disqualified from acting as a director of a limited company for 8 years. 6 other employees of the same company and the company itself were also fined.

 

The possibility of criminal enforcement, combined with the increased enforcement of the legislation by the ICO means that every business large or small will need to take its data protection responsibilities seriously

 

Jonathan Armstrong & André Bywater are lawyers with Cordery in London where their focus is on compliance issues.