Jail sentence penalties for data breaches will be consulted on despite Government's scepticism

Out-Law News | 11 Oct 2013 | 2:36 pm | 2 min. read

The Government has reiterated its commitment to consult on introducing custodial sentences as a possible penalty for individuals who breach UK data protection laws.

In a letter (46-page / 238KB PDF) to the chairman of Parliament's Home Affairs Committee Keith Vaz, Justice Secretary Chris Grayling said that the public would be asked whether there should be new custodial penalties for breaches of Section 55 of the Data Protection Act (DPA).

Section 55 of the Data Protection Act (DPA) states that it is generally unlawful for a person to "knowingly or recklessly without the consent of the data controller obtain or disclose personal data or the information contained in personal data, or procure the disclosure to another person of the information contained in personal data" without the consent of those who control the data.

The current penalty for committing a section 55 offence is a maximum £5,000 fine if the case is heard in a Magistrates Court and an unlimited fine for cases tried in a Crown Court.

Under the Criminal Justice and Immigration Act (CJIA) the Justice Secretary has the power to introduce new regulations that would allow a custodial sentence penalty to be available for the offences under Section 55 of the DPA, but those powers have yet to be used. In 2008 the Act came into force without those powers being immediately available.

"[In his report into the culture, practices and ethics of the press] Lord Justice Leveson made a range of data protection related proposals which are potentially far reaching in their nature, including that the Government introduce the possibility of custodial penalties for section 55 offences," Grayling said. "These recommendations could in particular have an impact on the conduct of responsible investigative journalism. The issues raised in the data protection elements of Lord Justice Leveson's report were not subject to the same level of public scrutiny as other elements of the inquiry."

"It is the Government's view that the recommendations require careful consideration by a wide audience. We therefore intend to conduct a public consultation on the full range of data protection proposals, including on whether to introducing custodial sentences under section 77 of the CJIA. Consultation on the latter is a statutory requirement. This will enable us to seek views on their impact and how they might be approached. We think it is important that the public get the opportunity to consider the question of whether to introduce custodial penalties for breaches of section 55 in the context of Lord Justice Leveson's wider proposals relating to the data protection framework," he added.

The Government has previously expressed scepticism about whether there is a need for the CJIA provisions to be brought into force.

"The Government believes that misuse of personal data should be taken very seriously, however, it is important to note that there are already a range of existing offences that cover the misuse of personal data," the Government said in a report published in June. "These include fraud by false representation in breach of the Fraud Act 2006 and bribing another or being bribed contrary to the Bribery Act 2010. The offence of unlawful interception of communications under Regulation of Investigatory Powers Act 2000 and unauthorised access to computer material under the Computer Misuse Act 1990, both carry a maximum two year prison sentence."

Data protection law expert Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, previously said that it is "perverse that organisations and individuals guilty of accidental breaches of personal data can be issued with monetary penalty notices of up to £500,000 for those breaches, but organisations and individuals guilty of a criminal offence of deliberately invading privacy and misleading others can escape with a relatively minor punishment".

Marc Dautlich of Pinsent Masons has also previously backed calls, led by the Information Commissioner, for the CJIA provisions to be introduced. The data protection law specialist said that there is an "overwhelming" case to justifying the powers being brought in.