Who: David Barlow Lewis and the Information Commissioner’s Office (“ICO“)
Where: Bournemouth Magistrates’ Court
When: 7 April 2016
Law stated as at: 5 May 2016
David Barlow Lewis pleaded guilty at Bournemouth Magistrates’ Court to attempted breach of Section 55 of the DPA for offering to buy motor accident victim leads from an ex-colleague at insurer, LV=. Lewis unsuccessfully tried to persuade his ex-colleague, via WhatsApp, to sell him the name and number of LV= customers who had been involved in accidents for £3,000 a month. The court fined Lewis £300 for the offence and ordered that he also pay a victim surcharge of £30 and prosecution costs of £614.40. Following sentencing, a spokesperson for the ICO said, “Stealing personal information is a crime. Lewis may have failed in his attempt to buy personal data but his intention was clear. Anyone who tries to unlawfully obtain, disclose or sell personal data should expect to see themselves hauled before the courts.”
Why this matters:
Section 55 of the DPA provides that it is a criminal offence to knowingly or recklessly obtain, disclose or sell personal data without the data controller’s consent. A person who is found guilty of an offence is liable on conviction to a fine which, for offences committed before 12 March last year was a maximum of £5,000 on summary conviction or an unlimited fine on indictment. Various factors such as the seriousness of the offence (in Lewis’ case, an attempted, not actual theft of personal data), the harm caused (likely to be minimal if no personal data is disclosed), whether the defendant pleaded guilty (which Lewis did) and the defendant’s ability to pay all count towards a reduction of that maximum amount. Even for more serious offences under Section 55 we have seen relatively low fines imposed by the courts. For example on 8 January this year Sindy Nagra pleaded guilty to a Section 55 offence after selling almost 28,000 customers’ records for £5,000 whilst she was an administrative assistant at Enterprise Rent-A-Car. She was only fined a modest £1,000, plus a £100 victim surcharge and £864.40 prosecution costs.
The Lewis and Nagra offences occurred before 12 March 2015 when Section 85 of the Legal Aid, Sentencing and Punishment of Offenders Act 2012 removed the £5,000 cap on fines for most offences on conviction by Magistrates Courts (including Section 55 offences). In spite of these powers to increase financial penalties, Information Commissioner, Christopher Graham has recognised the limitations that the courts have in determining the value of fines, especially where the defendant has limited resources. He has therefore argued that the courts should be given more options to punish breaches of Section 55 such as suspended sentences or community service and that prison may even be appropriate for the most serious breaches. [See here: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/01/information-commissioner-repeats-call-for-stronger-sentences-for-data-thieves/]
Stronger sentences for data theft have been debated for some time and have so far been resisted by the government, in part, on the basis that there are other statutory offences with custodial penalties that could (albeit in specific circumstances) also apply to offenders who breach Section 55 (for example unauthorised access to computer material under section 1 of the Computer Misuse Act 1990 or bribery under the Bribery Act 2010). This resistance is in spite of Parliament having already introduced a power in Section 77 of the Criminal Justice and Immigration Act 2008 for the Secretary of States to pass an order for custodial sentences for persons who are found guilty of a Section 55 offence. Unfortunately this power has never been exercised despite the ICO consistently arguing that more effective penalties are required to deter would be data thieves who “need to know that they will be severely punished and could even go to prison”.
Things may change when the European General Data Protection Regulation (“GDPR“) comes into force in May 2018. There is no equivalent provision to Section 55 of the DPA in the GDPR but the ICO could bring enforcement action against a person who is unlawfully processing personal data that has been stolen. The ICO will have powers under the GDPR is issue fines of up to €20m or, in the case of companies, 4% of total worldwide annual turnover, although in doing so it will have to take into account mitigating factors such as the nature, gravity and duration of the infringement and the harm caused (in the case of individuals, the GDPR recitals suggest the ICO will also need to consider the individual’s economic situation). It is also open to Member States to lay down criminal penalties for infringements of the GDPR and Article 84 expressly states that penalties must be “effective, proportionate and dissuasive” (whether criminal or administrative). This may be enough to push the government into finally providing for custodial sentences and other criminal sanctions for people who steal personal data given that mitigating factors may continue to influence lower financial penalties for individuals.