IT | Security

Criminal Prosecutions for Data Protection Cases

By: Absolute Editorial Team | 10/20/2014

Cordery lawyers André Bywater and Jonathan Armstrong recently commented on the criminal prosecutions of Data Privacy over the last six years in an article for the Privacy Laws & Business UK Report. According to a freedom of information request to the Crown Prosecution Service (CPS), there were 714 criminal prosecutions related to enforcement the UK’s Data Protection Act of 1998 in the 2008 - 2013 time period.

In 2010, the Information Commissioner’s Office (ICO) gained greater power to impose monetary penalties related to data breaches, resulting in an increase in fines over the last few years. Enforcement of the DP Act is not, however, limited to the ICO alone. Criminal courts have also heard DP Act cases and have the power to impose fines, though little is in the public domain about these actions.

André Bywater and Jonathan Armstrong investigated how many data protection cases have been subject to criminal prosecution, discussing their findings in the article. Though the final outcome of the cases is not provided, but from the data obtained, we know that:

  • 3 types of data protection offences were prosecuted:
    1. obtaining or disclosing personal data or the information contained in personal data
    2. procuring the disclosure to another person of the information contained in personal data
    3. selling personal data
  • 714 criminal offences were charged in 2008-2013, with the majority of those being unlawfully obtaining / disclosing data

The article further discusses the consequences of criminal enforcements, which can be severe. As the article suggests, enforcement activity of data protection legislation is not limited to the ICO and "highlights the fact that they are not alone in seeking to ensure that personal data is protected."

“The possibility of criminal enforcement, combined with the increased enforcement of the legislation by the ICO, means that every business, large or small, will need to take its data protection responsibilities seriously."

For more on how your organization can be proactive in data security, visit Absolute.com