Data Protection: The Big Stick in use…

In October 2009, Christopher Graham, the newly appointed Information Commissioner, addressed a data protection conference in Edinburgh and assured the audience that he was prepared to supplement the traditional "carrot" approach to data protection enforcement, by bringing the "big stick" out of the cupboard.  The message was clear: those found responsible for some of the worst breaches of the Data Protection Act 1998 could in future expect to face tougher enforcement action.

Further significance was given to his words in April 2010 when new powers were introduced, allowing him to fine data controllers up to £500,000 for serious breaches of the data protection principles.  (These eight principles are contained in Schedule 1 to the Data Protection Act, and ensure that personal data are used fairly, lawfully, and securely, for example to minimise damage to individuals.)

These measures were designed to redress the situation where serious breaches of the data protection legislation resulted in minor (or even no) penalties – a situation which was further exacerbated when contrasted with the wide-reaching powers of other bodies, such as the FSA, for levying significant fines for data losses.

The power to levy a monetary penalty was inserted into the Data Protection Act as section 55A by section 144(1) of the Criminal Justice and Immigration Act 2008. In terms of the new s55A, the Information Commissioner can issue a monetary penalty notice where he is satisfied that:

  1. there has been a serious contravention of section 4(4) of the Data Protection Act 1998 by the data controller;
  2. the contravention was of a kind likely to cause substantial damage or substantial distress;
  3. the contravention was deliberate; and
  4. the data controller failed to take steps to prevent the contravention, despite knowing (or where it ought to have known) that there was a risk of a breach, and that the breach would be likely to cause substantial damage or distress.

Substantial damage or distress will arise where the data subject suffers in a tangible way (for example, through identity theft) or through anxiety and worry, even if his concerns do not come to pass.

These powers have now been put to use for the first time, with the announcement today that the Information Commissioner has fined two data controllers for significant breaches of the data protection principles.

Hertfordshire County Council has been fined £100,000 for two incidents (which happened within two weeks of each other), where employees faxed highly sensitive details to the wrong recipients.  The information in question related to child sexual abuse and to care proceedings, both of which had the clear potential to cause serious damage to the subjects of the information.  Sending such sensitive personal data by fax, and failing to ensure its security, is a clear breach of the first and seventh data protection principles.

The second monetary penalty was imposed on A4e, an employment services company, for the loss of a laptop containing unencrypted personal data relating to 24,000 people. The penalty imposed here was £60,000. Again, the loss of unsecured data is a breach of the seventh data protection principle, which requires that "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

In both cases, the data controllers at fault reported the losses to the Information Commissioner, which is a positive step in addressing the serious breaches. Nevertheless, the breaches were significant and the fact that the Information Commissioner now has the power to impose meaningful penalties is a welcome development in establishing a strong commitment to protecting personal data in the UK.

Directors’ Duties Post-Companies Act 2006: Plus ça change, plus c’est la même chose?

When the provisions of sections 170 to 178 of the Companies Act 2006 were introduced and codified the law of directors' duties, they were heralded by the Government as representing a long overdue modernisation of the applicable law. In particular, commentators pointed to section 172 of the Act which enjoined directors to take decisions in a way which would promote the success of the company for the benefit of the members as a whole, pursuant to which they were compelled to consider the interests of stakeholder constituencies such as suppliers and employees.

However, on closer inspection, the statutory codification is not as radical as perhaps one might initially think. This has been noted by the judiciary south and north of the border. For example in West Coast Capital (Lios) Ltd. [2008] CSOH 72 at para. [21] Lord Glennie made the following obiter statement:

“It is no doubt because of the need to show that the conduct of the directors or the majority is in breach of some agreement or duty that the Dean of Faculty drew my attention to ss.171 and 172 of the 2006 Act. There was no equivalent in the earlier Companies Acts, but these sections appear to do little more than set out the pre-existing law on the subject.”

A similar point was made by Warren J in Cobden Investments Ltd. v RWM Langport Ltd. [2008] EWHC 2810 (Ch) at para. [52] and Lord Hodge in Eastford Ltd. v Gillespie [2010] CSOH 132; 2010 G.W.D. 32-656 at paras. [13]-[14]. Indeed, in Eastford, Lord Hodge examined the relationship between the common law and the statutory statement of directors' duties. In particular, he drew attention to section 170(3) of the Act which directs that the statutory provisions replace the common law and then went on to explain the purpose of section 170(4) of the Act. 

“One must look to the purpose of the statutory statement which is revealed in the 2006 Act. Subsections (3) and (4) of section 170 set out the relationship between the general duties which are stated in the Act and the pre-existing common law rules and equitable principles on which they are based. Subsection (3) provides:

'The general duties are based on certain common law rules and equitable principles as they apply in relation to directors and have effect in place of those rules and principles as regards the duties owed to a company by a director.'

Thus the statutory statements replace such of the common law rules as have been subjected to statutory formulation. But sub-section (4) provides:

'The general duties shall be interpreted and applied in the same way as common law rules or equitable principles, and regard shall be had to the corresponding common law rules and equitable principles in interpreting and applying the general duties.'

This subsection seeks to address the challenge which the Law Commissions and the Company Law Review had identified, namely of avoiding the danger that a statutory statement of general duties would make the law inflexible and incapable of development by judges to deal with changing commercial circumstances. Parliament has directed the courts not only to treat the general duties in the same way as the pre-existing rules and principles but also to have regard to the continued development of the non-statutory law in relation to the duties of other fiduciaries when interpreting and applying the statutory statements. The interpretation of the statements will therefore be able to evolve. The statutory statement of the general duties of directors is intended to make those duties more accessible to commercial people. I see nothing in the statutory provisions, including section 180(5) (which provides that, subject to specified exceptions, the general duties have effect notwithstanding any rule of law), which suggests that Parliament intended to alter the pre-existing rules on ratification by a board of a director's unauthorised acts. I am supported in my opinion by Lord Glennie in West Coast Capital (Lios) Ltd Petr [2008] CSOH 72, (at para 21) in which he expressed the view that section 171 of the 2006 Act did little more than set out the pre-existing law on the subject. I also derive some support from leading company law textbooks such as Gore-Browne on Companies (at para 15[8A]) and Palmer's Company Law, which (at para 8.2309) suggests that older cases remain relevant to the interpretation of the statutory duties "since the codified duties are generally formulated in a way that quite faithfully reflects the older case law". The statutory formulations do not, by a side wind, alter the law of agency or prevent ratification of the unauthorised acts of a director.”

On another note, if some of the directors of a company commit the company to take a particular course of action without the authority of the board of directors, is it the case that they have breached the company’s constitution contrary to section 171(a) of the Act? This was one of the other issues considered in Eastford. Lord Hodge answered that question in the affirmative, but went on to hold that there was no rule which provided that an unauthorised act of a director could not be ratified by the board of directors in paras. [11]-[12]:

"It is well established at common law that, unless a company's constitution otherwise provides, a board of directors can, within a reasonable time, ratify the acts of a director or directors who, when they acted, had no authority to bind the company: Re Portuguese Consolidated Copper Mines Ltd [1890] LR 45 Ch D 16, Breckland Group Holdings Ltd v London & Suffolk Properties Ltd [1989] BCLC 100 and Municipal Mutual Insurance Ltd v Harrop [1998] 2 BCLC 540. See also Danish Mercantile Co Ltd v Beaumont [1951] Ch 680. The statutory statement of the general duties of directors in Chapter 2 of Part 10 of the 2006 Act has not superseded that line of authority. Section 171 provides that a director of a company must act in accordance with the company's constitution. That might, taken by itself, suggest that an unauthorised act could not be ratified. But it is clear on examining the statutory statement of the general duties of directors that that statement does not prevent a company by a resolution of its board from ratifying the acts of a director which were unauthorised but were within the power of the board."

The above analysis is interesting, particularly when considered against the backdrop of section 239 of the Act, which is a provision which had no precursor or counterpart in the Companies Act 1985 and does not appear to have been considered in Eastford. Since a breach of section 171(a) of the Act clearly amounts to a breach of a duty of a director to obey the constitution, one wonders what remains of the cases of Re Portuguese, Breckland Group Holdings, Municipal Mutual and Danish Mercantile in light of section 239(1) and (2) of the Act, which provide: 'This section applies to the ratification by a company of conduct by a director amounting to negligence, default, BREACH OF DUTY or breach of trust in relation to the company… [and t]he decision of the company to ratify such conduct MUST be made by resolution of the members of the company.' It is submitted that the above clearly demonstrates that the company only has the power to ratify a breach of section 171(a) via the medium of an ordinary resolution of the shareholders and the board has no locus to do so. It would have been interesting to note if the result would have been the same if the role of section 239 of the Act had been analysed. Admittedly, one might argue that a breach of agency authority on the part of a director would not amount to a breach of the constitution on the facts of Eastford when two of the directors (out of a total of 4) instructed the company's lawyers to raise legal action without the consent of the other two directors. However, since Lord Hodge's judgment tells us that Eastford's articles of association/constitution were based on Table A, there is no mileage in any argument that the two directors had not breached the company's constitution when they raised the legal action, since Table A regulation 88 provides that all 'questions arising at a meeting shall be decided by a majority of votes' and Table A regulation 92 directs that decisions taken by the directors outwith a board meeting must be taken by a resolution in writing signed by every director. Since the decision had not been taken in accordance with Table A regs 88 or 92, the inevitable conclusion is that the two directors were clearly in breach of section 171(a) of the Act when they took such a decision to initiate legal action. Breach of section 171(a) is a breach of a director's duty and so only an ordinary resolution of the shareholders (which complies with section 239(3) and (4) and (7) of the Act) can serve to lawfully ratify the director's breach. Curiously, if the directors had exceeded their powers by settling or releasing a legal action already commenced, the position might be different (see section 239(6)(b) of the Act), but that was not the case in Eastford. To that extent, although some things remain the same post-Companies Act 2006, others have indeed changed, namely the mechanics of the law of ratification of breaches of directors' duties.