Making UK directors personally liable for data privacy breaches


Amidst the ongoing Brexit furor, it is good to see the government has still found time for other matters-but maybe company directors will take a different view.

Among the proposals for the U.K.'s new Digital Economy Bill (the Bill), due to become law next spring, is one under which company directors would become personally liable for payment of fines as a result of nuisance calls being made by their companies. At a recent House of Commons Public Bill Committee meeting, Elizabeth Denham, the U.K. Information Commissioner, suggested that directors of companies who violate data protection laws should be personally liable to pay fines. The general aim of the Bill is to improve the U.K.'s digital infrastructure by encouraging the development of fast broadband and mobile networks and imposing fewer regulatory hurdles. The Bill will also strengthen the rights of consumers to easily switch suppliers and to receive compensation when their service fails.

Impact on data protection compliance

While data protection is not the main focus for the Bill, it is clear that a number of the proposed provisions could have a significant impact on data protection compliance obligations for businesses. Currently, the Information Commissioner can impose fines of up to £500,000 on companies, with its largest-ever fine to date being a £400,000 fine imposed in October 2016 on a well-known U.K. mobile network.

Enforcement has proved difficult

The problem for the Commissioner, as data privacy regulator, has been one of enforcement. According to her office, since April 2015, she has issued fines against companies for more than £2.7 million for nuisance calls, but a very significant proportion (£2.26 million) remains unpaid.

In her evidence to the Select Committee she said that this inability to recover fines was due, in part, to large numbers of such companies going into liquidation. Often these businesses would reopen with the same management, staff and premises in a new corporate entity. Making directors personally liable for such fines would be a means of preventing these avoidance measures.

How will personal liability be attached?

We have no information yet as to how the Bill would seek to attach personal liability to directors, assuming the Information Commissioner's evidence to the Select Committee is acted upon. But this is a space which we need to watch closely-not least because, when the General Data Protection Regulation ("GDPR") becomes law in the U.K. on 25 May 2018 (assuming no Brexit surprises), the ICO will have the power to impose fines of up to the greater of €20 million or 4% of worldwide turnover. Any extension of the means by which these penalties aimed at companies can be passed onto company directors in the case of insolvency would be a cause for considerable concern.

Are such fines insurable?

More generally, (and as previously blogged) the question of insurability of fines and penalties under English law remains a vexed one. Readers will recall this was an unsuccessful attempt by a company to recover damages from its directors in respect of a fine which had been levied on it as a result of alleged breaches of their duty of skill and care. The court ruled that, in this case, it was not permissible to claim indemnity but left open the possibility that certain categories of fines might be insurable.

Whether the government will legislate so as to criminalize the act of placing a company into insolvency-if it can be shown that this was done so as to allow the company to avoid the fine in the first place-remains to be seen. If that were to happen, I rather doubt that there would be any question of such fines or penalties being insurable given the level of deliberate intent implied in such conduct. It would still represent another headache and cause for concern for directors.

Using my crystal ball and knowing how keen The Government is on anti-avoidance measures in general I wouldn't bet against it.

Read more:

This user-friendly Handbook offers guidance and practical suggestions for small and medium-sized enterprises (SMEs) that could facilitate compliance with the General Data Protection Regulation (GDPR).

It has been two years since the EU General Data Protection Regulation (GDPR) entered into application. We have witnessed the first positive impacts of the law but also the challenges authorities, courts, and people have faced in its enforcement. The past 12 months have proven particularly demanding for the protection of personal data and the...

The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the California Consumer Privacy Act of 2018 ('CCPA') (SB-1121 as amended at the time of this publication) both aim to guarantee strong protection for individuals regarding their personal data and apply to businesses that collect, use, or share consumer data, whether the...