UK ICO Seeks Personal Liability for Directors

On October 13, 2016, at a House of Commons Public Bill Committee meeting discussing the latest draft of the Digital Economy Bill (the “Bill”), Elizabeth Denham, the UK Information Commissioner, suggested that directors of companies that violate data protection laws should be personally liable to pay fines. The Bill is designed to enable businesses and individuals to access fast, digital communications services, promote investment in digital communications infrastructure and support the “digital transformation of government.” Measures to improve the digital landscape contained in the Bill include the introduction of a new Electronic Communications Code and more effective controls to protect citizens from nuisance calls. More controversially, however, the Bill also contains provisions both enabling and controlling the sharing of data between public authorities and private companies.

Responding to a question about so-called “nuisance calls,” Denham agreed with a Member of Parliament’s suggestion that the directors of companies found to have seriously breached data protection laws should be personally liable for the fines imposed on their companies. It was suggested that this enforcement would allow the Information Commissioner’s Office (the “ICO”) to recoup a much larger proportion of the £4 million it has issued in fines in the last year than it is able to collect at present. Denham suggested that this is, in part, due to a large number of companies that receive fines from the ICO subsequently falling into liquidation.

Currently, the ICO can impose fines of up to £500,000, with the largest fine to date being a £400,000 fine imposed on TalkTalk on October 5, 2016. Further detail on how liability could be imposed on directors was not discussed at the meeting.

In addition, Denham made the following recommendations:

  • to place the ICO’s Direct Marketing Code on a statutory footing;
  • to lower the threshold for harm to an individual at which point a data security breach is considered to have occurred; and
  • to improve transparency when personal data is collected and in respect of safeguards that are in place (e.g., publishing privacy impact assessments).

It was claimed that these measures would provide better protection for the general public. Although Denham welcomed the development of the Digital Economy Bill, she stated that improvements are required before it comes into force.
