Is 17p per unsecure online file a fair monetary penalty?

Scales of Justice © Alex Proimos

On 10 May 2011 the Information Commissioner imposed a £1,000 monetary penalty on Andrew Crossley, trading as ACS Law, for a serious breach of security that permitted over 6,000 individuals’ details to be accessible on an unsecured website. Already, there is much discussion on the internet as to the fairness of this penalty. Has justice been done?

Internet comment is not likely to be objective in the case of ACS Law, given that it was the law firm targeted by hackers for a distributed denial of service attack as retribution for its perceived aggressive approach to internet users claimed to be illegal copyright infringers (see the Wikipedia entry for ACS:Law). Andrew Crossley was reported to have made a profitable business pursuing copyright infringement cases – claiming he would be buying a Ferrari F430 Spider for cash.  The monetary penalty of £1,000 amounts to less than 17p for each individual’s details that ACS Law left unsecured on its website as part of its recovery from the DDOS.

However, the Information Commissioner has made it clear that had ACS Law still been trading, he would have imposed a monetary penalty of £200,000 (the maximum that could have been imposed was £500,000). Clearly the Information Commissioner was satisfied by the written representation sworn on oath by Andrew Crossley to reduce the fine to the token £1,000 – much to the chagrin of many on the internet less willing to accept Crossley’s pleas of reduced financial circumstances.

Other data controllers ought to reflect on the factors considered by the Information Commissioner in making the monetary penalty. In particular, the lack of investment in appropriate security measures was a major factor, as was the lack of appropriate IT trained personal in the organisation. In addition, whilst spending serious money to remedy the security breach (in ACS Law’s example, spending £20,000 to fix the problem) was considered as a mitigating factor, it was obviously not that significant given the level of the final penalty.

Lawyers and law firms also ought to take particular note that as far as the Information Commissioner is concerned, they cannot expect any leniency for any breach by them of the Data Protection Act 1998 – “Data controller is a lawyer and should have been fully aware of his obligations under the Act.”

Advertisements

Nadine Dorries Press Statement: enforcement and remedy

ICO Data protection cases received and closed (source ICO)

In our previous post we reviewed in the context of yesterday’s personal statement to the press by Nadine Dorries MP, whether the publication of a person’s medical condition on a website could be unlawful under the Data Protection Act 1998 (the “DPA”). If our view that there has been a breach of the DPA is supported, what are the potential consequences for Nadine Dorries MP and what remedies are available to her partner’s wife (“W”), under the DPA?

Firstly, breach of a data protection principle is not of itself a criminal offence. Nothing Nadine Dorries has done appears to be within the scope of any of the criminal offences under the DPA. The disclosures she made in her blog are even within the scope of her notification properly made to the Information Commissioner’s Office (“notification” is the accurate term for the registration of a data controller’s processing purposes required under section 17 of the DPA). So any enforcement action taken by the Information Commissioner against the MP will not include prosecution at this stage.

Nadine Dorries could still be prosecuted if she fails to comply with an enforcement notice made by the Information Commissioner, but as the nature of any enforcement notice would be an order by the Information Commissioner not to breach the relevant data protection principle again, this is unlikely. However, the current practice of the Information Commissioner’s Office is to seek undertakings from breaching data controllers that they will remedy the breach and will behave lawfully in future. Whilst enforcement by enforcement notice is described in Part V of the DPA, this practice of undertakings is non-statutory. It appears that this use of undertakings makes criminal prosecution even more unlikely, as a breach of an undertaking would then lead to an enforcement notice, not directly to a prosecution.

However, the Information Commissioner does have the ability to impose monetary penalties of up to £500,000 for serious breaches of the DPA. All the elements that give the Information Commissioner the power under the DPA to impose a monetary penalties may be present in the Nadine Dorries case: there is a deliberate breach of the first data protection principle in circumstances that would cause W distress. The question is therefore whether the breach is “serious” or the distress “substantial” for the purposes of section 55A(1) of the DPA. As required by section 55C of the DPA, the Information Commissioner has published guidance on how it would determine whether a breach warrants action under section 55A (or 55B), but this does not give sufficient assistance to be able to conclude that Nadine Dorries would be given a notice of intent to impose a monetary penalty, were the Information Commissioner to investigate this case. However, the guidance does suggest that breaches that involve medical data and distress as a result of wrongful processing of medical data are more likely to be in the serious/substantial camp.

So if the Information Commissioner takes no action, what direct remedy does W have under the DPA? It is recognised by privacy advocates that the DPA provides limited remedies to individuals. The only remedy they have for past breaches, which requires court action, is a right to compensation for damage under section 13 of the DPA. In almost all cases, this must be actual damage (i.e. recovery of costs, losses or expenses suffered or incurred as a result of the DPA breach) rather than distress. Damages for distress alone are only possible in a limited set of circumstances, which do not apply to this Nadine Dorries case unless it can be argued that the issue of a personal press statement was for the “purposes of journalism” (section 3(1) of the DPA). There is no case law on what this phrase means.  In addition, there is no recital in the Data Protection Directive 95/46/EC that gives any assistance on what this provision was intended to cover.  Therefore in our opinion it would be a brave claimant that would try to obtain damages for distress under the DPA by claiming that the issue of a statement on a blog was caught by what the DPA calls this “special purpose”.

This leads to the uncomfortable conclusion that W may have no direct DPA remedy herself, and must rely on the Information Commissioner to take action to give her some redress for the distress she may have suffered as a result of details of her alcoholism being published in breach of the DPA.  However, the development of a right to privacy under cases such as Max Mosely v News of the World [2008] EWHC 1777 (QB) or Naomi Campbell v Mirror Group Newspapers [2004] UKHL 22 show that a privacy remedy made be available as a result of judicial intervention where no statutory remedy under the DPA is provided.

Monetary Penalties under the Data Protection Act 1998

It has been a long time coming, but finally the Information Commissioner is about to get fining powers to enforce the Data Protection Act 1998.  Not all the required orders and regulations required to bring the relevant sections of the Act into effect (ss. 55A to 55E) are in place, but yesterday two important steps were made.

The first was that maximum penalty has now been set: £500,000. (See Data Protection (Monetary Penalties)(Maximum Penalty and Notices) Regulations 2010).

The second was that certain procedural steps regarding the issue of a monetary penalty following a notice of intent have been prescribed. (See Data Protection (Montery Penalties) Order 2010).

Both these instruments are stated to come into force on the same date, which must be the intended date when monetary penalties will be brought into effect.  This date for your diary is:

6 April 2010