Offences Involving Data Protection
Author | Matthew Richardson |
Pages | 53-70 |
Chapter 2
Offences Involving Data Protection
2.1 OVERVIEW
The Data Protection Act 2018 (DPA 2018), which came into force on 23 May 2018, modernised the United Kingdom’s data protection laws and set out a framework for criminal offences relating to personal data. The DPA 2018 repealed the DPA 1998. The DPA 2018 builds on the principles of the DPA 1998 but sets new standards for the protection of personal data, and this legislation marks a significant development in the regulatory landscape.
Part 2 of the DPA 2018 supplements the General Data Protection Regulation (GDPR) which came into force on 25 May 2018.
Prosecutions under the DPA 2018 may only be brought by the Information Commissioner’s Office (ICO). Section 196 of the DPA 2018 specifies that all of the criminal offences prohibited by the Act are punishable by financial penalty only. There is no power of arrest contained in the Act. Section 199 operates to make data protection offences ‘recordable’, meaning convictions will appear on records of convictions held by the police.
Offences charged under the specific sections dealing with criminal offences should not be confused with the powers of the ICO to issue penalty notices for breaches of data protections.
Regulations 2019 (SI 2019/419).
54 Cyber Crime: Law and Practice
2.2 SECTION 170 OF THE DATA PROTECTION ACT 2018 – UNLAWFUL OBTAINING OR DISCLOSURE OF PERSONAL DATA
Section 170 of the DPA 2018 makes it an offence to knowingly or recklessly obtain, disclose or procure personal data without the consent of the data controller, and the sale or offering for sale of that data. It replaces section 55 of the DPA 1998 upon which enforcement action was most often based. The previous section was most commonly used to prosecute those who had accessed health, educational and financial records without a legitimate reason. While now repealed, much of the jurisprudence around section 55 provides useful guidance for the interpretation of the offence under section 170 of the DPA 2018.
In addition, section 170(1)(c) of the DPA 2018 creates the new offence of knowingly or recklessly retaining personal data (which may have been lawfully obtained) without the consent of the data controller. This development extends the scope of the offence, making it illegal to store even legitimately obtained personal data without permission, or beyond the limits of the permission obtained.
There are some permitted exceptions: for example where such obtaining, disclosing, procuring or retaining was necessary for the purposes of preventing or detecting crime. Section 170(2) and (3) of the DPA 2018 sets out the defences to section 170(1):
(1) It is an offence for a person knowingly or recklessly—
(a) to obtain or disclose personal data without the consent of the controller,
(b) to procure the disclosure of personal data to another person without the consent of the controller, or
(c) after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained.
(2) It is a defence for a person charged with an offence under subsection (1) to prove that the obtaining, disclosing, procuring or retaining—
(a) was necessary for the purposes of preventing or detecting crime,
(b) was required or authorised by an enactment, by a rule of law or by the order of a court or tribunal, or
(c) in the particular circumstances, was justified as being in the public interest.
(3) It is also a defence for a person charged with an offence under subsection (1) to prove that—
(a) the person acted in the reasonable belief that the person had a legal right to do the obtaining, disclosing, procuring or retaining,
(b) the person acted in the reasonable belief that the person would have had the consent of the controller if the controller had known about the obtaining, disclosing, procuring or retaining and the circumstances of it, or
(c) the person acted—
(i) for the special purposes,
(ii) with a view to the publication by a person of any journalistic, academic, artistic or literary material, and
(iii) in the reasonable belief that in the particular circumstances the obtaining, disclosing, procuring or retaining was justified as being in the public interest.
(4) It is an offence for a person to sell personal data if the person obtained the data in circumstances in which an offence under subsection (1) was committed.
(5) It is an offence for a person to offer to sell personal data if the person—
(a) has obtained the data in circumstances in which an offence under subsection (1) was committed, or
(b) subsequently obtains the data in such circumstances.
(6) For the purposes of subsection (5), an advertisement indicating that personal data is or may be for sale is an offer to sell the data.
(7) In this section—
(a) references to the consent of a controller do not include the consent of a person who is a controller by virtue of Article 28(10) of the GDPR or section 59(8) or 105(3) of this Act (processor to be treated as controller in certain circumstances);
(b) where there is more than one controller, such references are references to the consent of one or more of them.
2.2.1 Elements of the offence
Section 170 of the DPA 2018 effectively creates two separate offences. The actus reus of the offence under section 170(1) involves obtaining or disclosing personal data, or procuring the disclosure to another of such information, without the
56 Cyber Crime: Law and Practice
consent of the data controller. The actus reus of the offences under section 170(4) and (5), respectively, involve the selling or offering for sale of personal data where the data has been obtained without the consent of the data controller (i.e. obtained in contravention of section 170(1)).
The mens rea of the offence under section 170(1) of the DPA 2018 is proved by intention or recklessness as to the obtaining or disclosure of such data without the consent of the data controller. Section 170(2) provides three separate defences involving the necessity, requirement or justification of the obtaining, disclosing procuring or retaining of the personal data. Section 170(3) provides an additional defence or the negating of the mens rea by showing reasonable belief either in the legal right or the consent of the data controller to do so, or where the person acted for special purposes, publishing and in the reasonable belief they were doing so in the public interest. Manifestly, the offences under section 170(4) and (5) require the intention to sell or the intention to offer for sale.
The Court of Appeal has recently had to examine the burden of proof applicable to the defence. In the case of Shepherd v The Information Commissioner [2019] EWCA Crim 2, the principal issue for the court to determine was whether section 55 of the DPA 1998 imposes a legal or evidential burden of proof on a defendant; and, if the former, whether the outcome is compatible with Article 6 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (EConHR)
The appellant had been convicted of three counts of unlawfully obtaining personal data contrary to section 55 of the DPA 1998. Jay J handing down the decision of the court said:
The DPA 1998 has been repealed by the Data Protection Act 2018 (‘the DPA 2018’), but we have been asked by the Information Commissioner to provide appropriate guidance on the new provisions. Approaching the question of statutory construction as we have done thus far without reference to authority has led us to the clear conclusion that s.55(2) imposes no more than an evidential burden. In our judgment, relevant jurisprudence does not lead us to a different conclusion; rather, it tends to support the conclusion we have reached […]
The principal ingredients of the offence are contained in s.55(1)[5] read in conjunction with subsection (3): for the actus reus, what is required is proof to the criminal standard of the disclosure of personal data without the consent of the data controller;
and for the mens rea, proof that this was done knowingly or recklessly. This is couched in the negative because it is...
To continue reading
Request your trial