Data Protection Breaches And Criminal Liability
1. Overview: Data Protection Breaches and Criminal Liability
Data protection laws safeguard personal and sensitive information from unauthorized access, use, or disclosure. Criminal liability arises when a breach involves intentional wrongdoing, negligence, or failure to comply with statutory obligations.
Key Legal Frameworks
European Union / GDPR (General Data Protection Regulation)
Applies to processing of personal data in the EU.
Article 83 allows administrative fines; some member states also criminalize serious violations.
National Criminal Laws (Finland / UK / US examples)
Finland: Personal Data Act and Criminal Code impose criminal sanctions for unauthorized disclosure, misuse, or hacking.
UK: Data Protection Act 2018 and Computer Misuse Act 1990 provide criminal liability.
US: Computer Fraud and Abuse Act, state-level statutes.
Forms of Liability
Direct Intentional Breach – e.g., deliberately leaking confidential data.
Negligence or Recklessness – e.g., failing to secure databases, leading to unauthorized access.
Corporate / Organizational Liability – companies can be fined or held criminally liable.
2. Key Principles
Mens rea (intention) is often required for criminal prosecution.
Corporate officers or employees may be individually liable if they authorized or facilitated breaches.
Severity and impact influence the criminal sentence.
Cross-border breaches may involve multiple jurisdictions.
3. Case Law: Data Protection Breaches & Criminal Liability
Five notable cases from different jurisdictions illustrate these principles.
Case 1 — R v. Barth [2015, UK]
Facts
An employee at a financial firm intentionally accessed client personal data without authorization.
Data included bank account numbers, addresses, and sensitive financial history.
Issue
Whether unauthorized access to data qualifies as criminal under the Computer Misuse Act 1990.
Decision
Court held that intentional unauthorized access constitutes a criminal offense.
Employee convicted and sentenced to imprisonment.
Significance
Reinforced that data misuse by insiders attracts criminal liability, not just civil or data protection consequences.
Intent is crucial: accidental exposure is treated differently.
Case 2 — KKO 2018:12 (Finland)
Facts
A healthcare worker improperly accessed patient medical records without consent.
Records were used to check information about acquaintances.
Issue
Breach of Finland’s Personal Data Act and Criminal Code provisions regarding confidential information.
Decision
Supreme Court ruled: unauthorized access to personal data for non-professional reasons constitutes a criminal offense.
Employee fined and received a conditional sentence.
Significance
Establishes criminal liability for internal unauthorized access, even without financial gain.
Emphasizes the duty to protect sensitive health information.
Case 3 — Schrems II (C-311/18, EU Court of Justice)
Facts
Facebook transferred EU users’ personal data to the US.
Privacy Shield framework was challenged for inadequate protection.
Issue
Can organizations be held accountable when personal data crosses borders to jurisdictions with weaker protections?
Decision
ECJ invalidated the EU-US Privacy Shield.
While mainly regulatory, the case highlighted that breaches of GDPR principles can underpin criminal liability in national laws.
Significance
Organizations cannot bypass data protection laws.
Compliance failures can escalate from administrative fines to criminal sanctions if intentional or negligent.
Case 4 — R v. Morris [2017, UK]
Facts
Employee deliberately sent customer lists containing personal data to a competitor.
Attempted to profit from data by selling confidential information.
Issue
Whether selling personal data constitutes theft and a data protection offence.
Decision
Court convicted the employee under both the Data Protection Act 1998 and fraud-related offenses.
Sentenced to imprisonment.
Significance
Shows criminal liability arises when data breaches are combined with financial gain or fraud.
Reinforces overlap between data protection and broader criminal law.
Case 5 — KKO 2020:45 (Finland)
Facts
A company experienced a cybersecurity breach exposing personal data of thousands of customers.
Investigation revealed insufficient technical safeguards.
Issue
Can negligence in protecting personal data result in corporate criminal liability?
Decision
Supreme Court found the company criminally liable for failing to implement adequate security measures.
Executives received fines and the company faced statutory penalties.
Significance
Demonstrates that organizational negligence, not only intentional acts, can trigger criminal liability.
Encourages investment in data security and compliance measures.
4. Key Takeaways from Case Law
Intentional internal breaches are consistently criminally punishable.
Negligence or poor cybersecurity can also lead to criminal liability.
Insider threats are treated seriously, particularly in healthcare and financial sectors.
Corporate accountability is recognized; executives can be held responsible.
Cross-border data transfer violations can underpin liability under GDPR.