Fines aren't working: time for a Data Protection Offenders' Register

On Tuesday the Information Commissioner, Christopher Graham, announced the outcome of his office’s investigation into alleged security failures by ACS:Law, and the imposition of a £1,000 fine on the company’s owner, solicitor Andrew Crossley. This case demonstrates why the Information Commissioner’s Office is failing to apply fines in a meaningful manner, and why we need a fresh approach to data protection penalties.

The ACS:Law case

In 2009 and 2010, ACS:Law sent approximately 10,000 letters to individuals accusing them of breach of copyright through peer-to-peer file sharing, and threatening them with legal action unless they settled the claim out of court (typically for a sum of around £500). Whilst the number of recipients who gave in to these threats is disputed, Crossley himself allegedly claimed to have recovered over £1m from suspected copyright infringers.

Lists of suspects were provided by major ISPs such as BT and Sky Broadband, and from the very beginning there were anecdotal tales of incorrect or non-existent evidence of any copyright breach; it appeared that in many cases there was simply no way to substantiate the claims which gave rise to the threats. The media and public were outraged, and it was at that point that the loosely organised Anonymous collective, coordinating via the 4chan message board, waded in with a denial of service attack on ACS:Law’s website. The attack itself exposed nothing; the damage was done in the recovery. ACS:Law had stored its claim files in unencrypted form, and as the company restored its website from backup, those files were accidentally copied into the publicly served part of the site. The files became visible to anyone who looked: a list of around 6,000 defendants was revealed, including personal details, payment information and details of their alleged copyright infringement.

In September 2010 the ICO investigated the alleged breach, and it became clear that not only had the claim file been accidentally published, but in some cases the information provided by ISPs had been transferred in unencrypted form on memory sticks, and had been stored in an online service that was not intended for business use. Apparently ACS:Law did not seek any professional advice on how to protect that information.

In consequence, yesterday the ICO issued a fine of £1,000 to Mr Crossley personally (since ACS:Law has now ceased trading), stating that were ACS:Law still extant, the fine might have been closer to £200,000. If Mr Crossley pays up by 6th June, the fine will be discounted to £800.

Why the ACS:Law fine undermines the ICO’s credibility

There is an important legal principle that protects company directors from the full extent of company liabilities where there has been no misconduct – otherwise no-one in their right mind would become a company director. There is an even more important principle that a particular law should not be used to punish individuals for moral or legal misconduct that cannot be prosecuted under more appropriate legislation – in other words, the Data Protection Act (1998) shouldn’t be used to punish ACS:Law for its other alleged failings. But in this case, the Information Commissioner really does seem to have failed to apply a proportionate fine.

ACS:Law had a single employee in the form of Mr Crossley. He is a solicitor, so he cannot claim ignorance as a defence for failing to comply with the Data Protection Act. He has been able to escape his punishment by winding up the company, even though what allegedly occurred at ACS:Law cannot possibly be the fault of anyone but himself. ACS:Law and its director should not be able to escape the full penalty for breach of the Act.

By applying a fine that is proportionate to the director’s ability to pay, the ICO has made it clear that a company’s directors can escape full censure simply through their accounting declarations. There really is nothing left to fear for companies that wilfully abuse the Data Protection Act: non-compliance has become a simple risk decision, with no meaningful obligation to comply. The ICO’s ability to enforce the Act has been critically undermined by this case.

Applying an appeals process

A far more appropriate way to enforce data protection penalties would be for the Information Commissioner’s Office to apply its fines regardless of the recipient’s ability to pay. The only proportionality in the basic fine should be to the size of the business concerned, not to whether it has fallen on hard times since its original breach of the Act. The fine could then be suspended or reduced subject to a public appeals process – as opposed to discussions behind closed doors – in which the recipient argues their case for a reduction.

Introducing the Data Protection Offenders’ Register

We also need to introduce a new concept of ‘being struck off’ the register of Data Controllers.

Just as a prosecuted company director can be prevented from holding that office again for a set period; or a professional might be struck off by their professional body and hence lose their licence to practise; or a driver found guilty of repeated or serious motoring offences may be banned for a period; so individuals found guilty of knowingly mishandling personal data should be legally prevented from doing so again for a set period. This could include:

  • banning the individual from registering as a Data Controller;
  • banning the individual from setting or managing company policy for the handling of personal information;
  • banning the individual from handling personal information in their professional capacity without supervision from another individual (much as a learner driver may not drive without a qualified driver in the passenger seat);
  • forcing the individual to declare their ban to any future employer within the period of censure;
  • applying a further fine or criminal conviction in the event of breach of these rules.

Under this new regime – fines applied regardless of the individual’s ability to pay, followed by an appeals process, and convicted individuals entered on a register of data protection offenders – there would be a meaningful way to enforce the Data Protection Act. Until then, the Information Commissioner’s efforts are likely to have very little deterrent effect, and incidents such as ACS:Law will keep happening.