In defence of the ICO (and regulators)

The ICO was recently criticised in an opinion piece in The Lawyer for disclosing that staff at an unnamed mobile network operator had allegedly sold details of customers.  The piece rightly pointed out that with only 5 operators to whom this could relate, it was only a matter of time before T-Mobile were identified as the operator affected.  It was suggested that whilst this outing led to extensive press coverage, it damaged “the trust relationship between the regulator and regulated” and would lead to less transparency about security failures.  The article noted, “Effective regulation is not just about tougher powers and penalties. Substantial improvements in practices could be achieved through a step change in thinking about the relationship between the regulator and regulated.” 

My personal view (and not that of Charles Russell) is that regulators should not be overly concerned about their relationship with the regulated.  Their guide should be their statutory duties and aims.  They should only consider the state of their relationship with the regulated to the extent that this hinders or promotes those statutory duties.  Undue concern about the relationship leads to regulatory capture by major regulated entities or to regulatory paralysis.

In the case of the ICO, the lack of proper enforcement or rule-making powers has meant that a cooperative, educative or consultative approach has been the only one available since 24 October 1998, or earlier if you include the limited powers of the Data Protection Registry (being the ICO as it existed under the Data Protection Act 1984).  The recent spate of massive data security breaches does not suggest that this has been an altogether successful approach, nor have the limited fines awarded for criminal offences under the Data Protection Act 1998 acted as a serious deterrent.  It is therefore no wonder that the ICO has lost patience with the regulated, and seeks the enforcement powers to be able to use an effective “stick” as well as a “carrot” approach.

As far as T-Mobile are concerned, whilst they may have suffered some unwelcome and unanticipated adverse publicity as a result of the ICO disclosure, they are probably all too well aware of the amendments agreed to the Privacy and Electronic Communications Directive 2002/58/EC and set out in the Citizens’ Rights Directive 2009/136/EC, which include new obligations on electronic communications service providers to report security breaches to the competent national authority.  Measures must be adopted in the UK in approximately 18 months’ time to implement this new obligation (the exact date will depend upon when the Citizens’ Rights Directive is published in the Official Journal).  Arguably, any breakdown in trust between the ICO and electronic communications service providers who have volunteered information about security breaches will therefore soon be immaterial.  The European Commission is already discussing proposals to broaden the new breach notification obligation to all data controllers, too.

Shareholders, Directors and Bonuses

As the informal lawyer to my group of fellow commuters on the 0634 from Havant to Waterloo, I was asked yesterday to explain why directors of the Royal Bank of Scotland plc (RBS) might consider it necessary to resign if they were not permitted to pay what appears to the general public to be obscene levels of bonuses.  The answer lies in the codified version of the old common law that directors owe a duty to act in the best interests of their company.

Under s.172 of the Companies Act 2006 directors have a duty to promote the success of the company, with six factors to consider set out at s.172(1).  One of these factors is acting fairly as between shareholders (s.172(1)(f)).  Where one shareholder demands a particular course of action that in the opinion of the directors is not best suited to promote the success of the company, or disadvantages another class of shareholders, the directors can claim to be put in a difficult position.  The demand by HM Treasury for control over the RBS 2009 bonus pool as a condition of RBS’ entry into the Government’s Asset Protection Scheme is arguably such a course of action, if you consider that the lack of bonuses will lead to the inability of RBS to retain and motivate high performers amongst its staff, so damaging its success and the share value for those minority shareholders not demanding direct control over bonuses.

However, the directors would have no difficulty if they were compelled by a shareholders’ resolution to act in a particular way.  In particular, if the Articles of the company imposed a bonus policy on the company, the directors would be bound to follow the policy or risk derivative action by the shareholders.  In the case of RBS, HM Treasury initially held 70.3% of its shares through UK Financial Investments Limited.  It now holds an 84% economic interest in RBS following RBS’ entry into the Asset Protection Scheme, but the Government has no more than 75% of the shareholders’ votes (otherwise RBS would be required to delist).

It therefore remains open to the Government to call an extraordinary general meeting of RBS shareholders (as it owns more than 10% of the shares, it can demand that the directors call an EGM under s.303 of the Companies Act 2006), and table a special resolution to amend the Articles accordingly (s.21(1); this will need a 75% vote in favour (s.283)).  The EGM would be the required route, as only private companies can resort to written resolutions under the Companies Act 2006 (s.281(2)).