Worried about being personally liable for 20 million euro fine?
(errr, do you guys take card?)
We’ve got good news, it’s highly unlikely, unless your side hustle is a one-employee Facebook clone. But it’s not totally straightforward.
It is quite easy to find yourself liable for some smaller fines. So in this article we’ll explore how individuals can receive fines under the UK-GDPR & EU-GDPR. We’ll also look at some recent cases where individuals rather than organisations have been fined.
Table of contents
Before we get to the complicated stuff, let’s make sure we’re talking to the right audience by clearing up a common concern:
Can an individual processing data for personal reasons get a GDPR fine?
No. Sorry, you’ll have to move house if you want to stop their christmas cards.
The UK-GDPR & EU-GDPR do not apply to data processing carried out by individuals purely for personal/household activities.
Can an individual processing data for other purposes get a GDPR fine?
There are two cases where an individual could receive a fine for a violation of GDPR.
- The individual is self-employed.
A GDPR fine is typically applied to the business entity (for example “ACME Ltd”). But that entity could be an individual
It is certainly possible for an individual to receive a GDPR fine if the individual was running a business or organisation as a sole trader. For example a local electrician trading as a sole trader, could receive a fine for failing to comply with GDPR.
In the example above the business entity consists solely of one individual. They assume responsibility because there is no other legal wrapper for the business such as a limited company for the fine to be applied to.
The other case is that…
- The individual has personally breached a data privacy offence applied in national law.
GDPR is a regulation. This means it’s mandatory for EU member states to apply this rules set out in GDPR. When member states apply the regulation they must write the GDPR into their own national laws. So whilst the GDPR does not specifically set out offences and associated penalties for individuals, individuals can still receive fines for infringements of GDPR rules under national laws. It just depends how the country that you operate in has decided to implement the law.
In this article we will examine potential offences for individuals in the UK, as identified by the Crown Prosecution Service (the people who stand against you in court within the UK):
What individual offences could be incurred?
Relevant criminal offences from the Data Protection Act 2018 include:
Section 119: Obstructing the Commissioner in inspecting personal data to discharge an international obligation
“The Commissioner may inspect personal data where the inspection is necessary in order to discharge an international obligation of the United Kingdom, subject to the restriction in subsection (2).”
Section 119 (6) states that it is an offence to:
- “intentionally to obstruct a person exercising the power under subsection (1), or
- to fail without reasonable excuse to give a person exercising that power any assistance the person may reasonably require.”
In effect this means you could be fined if you obstruct the work of the DPA (In the UK, this is the ICO) in investigating alleged non-compliance with a data privacy law like GDPR.
Section 144: False statement made in response to an information notice
“It is an offence for a person, in response to an information notice:
- to make a statement which the person knows to be false in a material respect, or
- recklessly to make a statement which is false in a material respect.”
In effect this means you could be fined if you knowingly make a false statement when asked for information by the ICO.
Section 148: Destroying or falsifying information and documents etc
If the commissioner has given an individual an information notice requiring the person to provide the Commissioner with information.
Or they have given an assessment notice requiring the person to direct the Commissioner to a document, equipment or other material or to assist the Commissioner to view information.
Then Section 148 (2) states that:
“It is an offence for the person
(a) to destroy or otherwise dispose of, conceal, block or (where relevant) falsify all or part of the information, document, equipment or material, or
(b) to cause or permit the destruction, disposal, concealment, blocking or (where relevant) falsification of all or part of the information, document, equipment or material,
with the intention of preventing the Commissioner from viewing, or being provided with or directed to, all or part of the information, document, equipment or material.”
In effect this means you could be fined if you destroy or falsify documents summoned by the ICO.
Section 173: Alteration etc of personal data to prevent disclosure to data subject
This section relates to requests for data by individuals.
“Section 173 (3) makes it a criminal offence for organisations (persons listed in Section 173 (4)) to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure. “
In effect this means you could be fined if you alter, deface, block, erase, destroy or conceal information summoned by the ICO.
Schedule 15, Paragraph 15. Powers of Entry and Inspection
This schedule would apply in the case of an inspection or dawn raid on your premises by a supervisory authority such as the DPO.
Paragraph 15 states that:
“It is an offence for a person—
- intentionally to obstruct a person in the execution of a warrant issued under this Schedule, or
- to fail without reasonable excuse to give a person executing such a warrant such assistance as the person may reasonably require for the execution of the warrant.
It is an offence for a person—
- to make a statement in response to a requirement under paragraph 5(2)(c) or (d) or (3)(c) or (d) which the person knows to be false in a material respect, or
- recklessly to make a statement in response to such a requirement which is false in a material respect.”
In effect this means that you could be fined for obstructing the execution of a warrant in relation to offences under the Data Protection Act 2018 or making false statements.
Section 170: Unlawful obtaining etc of personal data
This section criminalises “knowingly or recklessly obtaining”, disclosing or procuring personal data without the consent of the data controller.
Specifically it states:
- “It is an offence for a person knowingly or recklessly—
- to obtain or disclose personal data without the consent of the controller,
- to procure the disclosure of personal data to another person without the consent of the controller, or
- after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained.”
Recklessly Obtaining Data 4: Reckless without consent hits cinemas this Autumn btw.
In effect this section has crossover with many principles of GDPR, meaning you could find yourself subject to a fine because of poor compliance measures or by misapplying GDPR rules. This section specifically focuses on acquiring personal data unlawfully.
So far this part of the law has mostly been used to prosecute individuals unlawfully obtaining medical and financial data. It has not yet been applied within any high-profile GDPR cases. However the ICO’s increased enforcement against individuals suggests the application of this offence could be widened. After all, many GDPR violations could be attributed in some way to unlawfully obtaining personal data.
Section 171: Re-identification of de-identified personal data
“(1) It is an offence for a person knowingly or recklessly to re-identify information that is de-identified personal data without the consent of the controller responsible for de-identifying the personal data.
(2) For the purposes of this section and section 172—
- personal data is “de-identified” if it has been processed in such a manner that it can no longer be attributed, without more, to a specific data subject;
- a person “re-identifies” information if the person takes steps which result in the information no longer being de-identified within the meaning of paragraph (a).“
This section makes it an offence to knowingly re-identify de-identified personal data. For example by taking anonymous or pseudo-anonymous data and combining that with other data to identify an individual.
Please be aware that the list of offences above is not exhaustive. We thoroughly recommend that you work towards maximum attainable compliance with GDPR and other data privacy laws. And that you consult expert legal advice.
Can you go to jail under the GDPR/Data Protection Act 2018?
“What are you in for?”
“I forgot to add an unsubscribe link to the bottom of my email”
There are no custodial sentences in respect of offences under DPA 2018 (the UK Law which puts the GDPR into force) and no powers of arrest. Offences are punishable only by a fine. Within the EU-GDPR text there are no references to powers of arrest or prescribed custodial sentences.
As a manager or director could I be fined for another individual’s breach of data protection law? For example an employee.
Yes even if you did not directly carry out the offence yourself. You could still be held responsible to some effect under Part 7, Section 198 of the Data Protection Act 2018.
This section applies when an offence under this Act has been committed by a body corporate. And, “it is proved to have been committed with the consent or connivance of or to be attributable to neglect on the part of; a director, manager, secretary or similar officer of the body corporate, or a person who was purporting to act in such a capacity.”
Recent data privacy law fines for individuals
Case 1: NHS Employee viewing personal data of family members
An NHS Employee viewed personal data of family members and children known to her, without reason. They admitted to the offence and were fined £1,000. They also were required to pay a £50 victim surcharge to pay £590 towards prosecution costs.
Fined under the now repealed Data Protection Act 1998. If this case was to occur again today it would likely be considered a breach of Section 170 of the Data Protection Act 2018.
Case 2: Employee taking personal data of customers and employees before resigning.
An employee of a recruitment firm called Elite Employment Group based in Wildnes sent email(s) to their personal email account containing personal details of over 100 clients. As recruitment data this personal data was particularly sensitive. The employee then resigned and started a new job at a different recruitment company. They then used these personal details at their new company. They admitted to the offence and were fined £200. They also were required to pay £214 prosecution costs and a £30 victim surcharge.
Steve Eckersley, Head of Enforcement at the ICO commented in a press release:
“We’re asking people to stop and think about the consequences before taking information. Most people know it’s wrong but they don’t seem to realise it’s a criminal offence and that they could end up in court and also lose their job. What people think is a minor mistake can lead to job loss, a day in court and a fine.”
Fined under Section 55 of the now repealed Data Protection Act 1998. If this case was to occur again today it would likely be considered a breach of Section 170 of the Data Protection Act 2018.
Case 3: German Police Officer fined €1400 for requesting personal data of individual
In this case a German police officer was fined €1400 for requesting the personal details of an individual for personal reasons. They then used this data to contact the individual using their mobile phone number. The individual did not consent to this data processing and so it was found to breach GDPR.
Case 4: Council employee fined £400 for illegally deleting audio file
In this case the ICO fined an employee of Whitchurch Town Council £400 for an offence under Section 77 of the Freedom of Information Act. The ICO’s investigation uncovered that after an individual had requested an audio file of a council meeting, they were informed that it had already been deleted as per council policy. Following a complaint to the ICO, the ICO found that the employee responsible for handling the FOIA request was actually aware of the previous request and had deleted the audio file some days later. After pleading guilty the employee was fined £400, ordered to pay costs of £1,493 and a victim surcharge £40.
Case 5: Former NHS health advisor accesses the medical records of 14 patients without consent
Mr O’Brien unlawfully accessed patient’s medical records while working as a health advisor for the South Warwickshire NHS Foundation Trust.
Without consent or any other legitimate reason to do so, Mr O’Brien viewed the records of 14 patients – which is he knew personally.
He appeared before Coventry Magistrates’ Court and pleaded guilty to 6 counts of unlawfully obtaining personal data in breach of s170 of the Data Protection Act 2018. The judge ordered him to pay £250 compensation to each of the affected individuals.
So should individuals be concerned about receiving GDPR fines?
Based on the increase in fines levied on individuals and recent hiring spree at the ICO, the Measured Collective view is that this kind of enforcement is likely to rise. Whilst you can probably count yourself personally off the hook for eye-watering fines of 20 million euros, you could still find yourself fined for criminal offences under Section 170. The fines might be small, but the reputational damage can be huge. Our advice is to keep yourself up-to-date with data privacy law by taking frequent training and refresher courses. If you manage a team you should be looking to keep your team members up to date with data privacy law in order to protect your organisation from fines and reputational damage, and to protect your team members from individual liability.
⚠️ Try our "painless" GDPR course. Certificate on completion. Sign up and start learning today.