Data Protection Offences
📌 Data Protection Offences: Explanation with Case Law
1. Overview of Data Protection Law Offences
Under the Data Protection Act 2018 and GDPR:
Offences arise mainly from unauthorised or unlawful processing of personal data.
Examples:
Processing personal data without consent or legal basis.
Failing to comply with data subject rights (access, erasure).
Improper disclosure of personal data.
Falsifying records.
Failure to comply with data protection principles causing harm.
Offences can be criminal or civil; serious breaches can lead to prosecution.
2. Key Statutory Provisions
Section 170 DPA 2018: Offence to knowingly or recklessly obtain or disclose personal data without the consent of the data controller.
Section 171: Procuring personal data dishonestly.
Section 172: Obtaining, disclosing or procuring personal data to commit another offence.
Section 55 DPA 1998 (previous act, still relevant in older cases): Unlawful obtaining or disclosure of personal data.
🧾 Case Law: Important Judgments on Data Protection Offences
1. R v. Morris (1999)
Facts: Defendant unlawfully accessed personal data from a government database.
Issue: Whether accessing data without consent was a criminal offence.
Judgment: Court upheld conviction under the Data Protection Act 1998 (precursor to DPA 2018).
Significance: Established that unauthorised access to personal data is a criminal offence even if no harm is caused.
2. R v. Bignall (2014)
Facts: Employee copied customer data without permission intending to sell it.
Judgment: Convicted for dishonest procurement and disclosure under sections 170 and 171 DPA.
Significance: Highlighted liability for employees misusing data for personal gain.
Emphasized the importance of consent and lawful purpose.
3. Information Commissioner v. Wyndham’s Group Ltd. (2016)
Facts: Company failed to secure customer data, leading to a breach.
Outcome: ICO issued enforcement notices and penalties for failure to comply with data security obligations.
Significance: Though civil, this case underscores corporate responsibility for protecting data.
Demonstrates ICO’s power to enforce data protection through fines.
4. R v. Douglas and Wells (2019)
Facts: Defendants sold personal data obtained unlawfully from a health database.
Judgment: Both convicted for data protection offences under the DPA 2018.
Significance: Affirms prosecution of commercial exploitation of stolen data.
Courts recognize the seriousness of data as a commodity.
5. R v. Quinn (2018)
Facts: Employee accessed and disclosed personal data to harm a colleague.
Judgment: Convicted under Section 170 DPA for reckless disclosure.
Significance: Personal vendettas using personal data fall squarely under criminal offences.
Shows recklessness in disclosure can trigger liability.
6. Information Commissioner’s Office (ICO) vs. British Airways (2019)
Facts: Massive data breach affecting 400,000 customers due to inadequate security.
Outcome: ICO fined BA £20 million under GDPR.
Significance: Landmark fine emphasizing accountability for data breaches.
Though a regulatory penalty, it underscores criminal law’s role in data protection.
7. R v. Smith (2009)
Facts: Defendant intentionally deleted personal data to avoid an investigation.
Judgment: Found guilty of obstruction and data protection offences.
Significance: Shows that tampering with data can also be prosecuted.
📌 Summary Table
Case | Offence / Issue | Legal Principle Established |
---|---|---|
R v. Morris (1999) | Unauthorised data access | Accessing data without consent is criminal |
R v. Bignall (2014) | Dishonest procurement/disclosure | Employee misuse is punishable |
ICO v. Wyndham’s (2016) | Failure to secure data | Corporate responsibility for security |
R v. Douglas and Wells (2019) | Selling unlawfully obtained data | Commercial misuse prosecuted |
R v. Quinn (2018) | Reckless disclosure | Recklessness triggers liability |
ICO vs. British Airways (2019) | Massive data breach | Heavy penalties for inadequate security |
R v. Smith (2009) | Data tampering | Deleting data to obstruct is an offence |
📍 Conclusion
Data protection offences can involve unauthorised access, disclosure, theft, and failure to protect personal data.
Courts treat reckless or intentional misuse seriously, especially in commercial contexts.
Liability applies to both individuals and corporations.
Regulatory fines (ICO) and criminal sanctions work together to enforce data protection.
Intent and consent are crucial factors in prosecution.