GDPR Violations With Criminal Liability
What Is the GDPR?
The General Data Protection Regulation (GDPR) is an EU-wide regulation (enforced from May 2018) designed to:
Protect personal data and privacy
Increase transparency in data processing
Hold organisations and individuals accountable for misuse of personal data
Criminal vs Civil Liability:
Civil liability usually involves regulatory fines by Data Protection Authorities (like the UK's ICO).
Criminal liability arises when someone knowingly, unlawfully, or maliciously obtains, discloses, or misuses personal data, often under Section 170 of the UK Data Protection Act 2018 (which implements GDPR principles).
Key Types of Criminal GDPR Offences (UK Context):
Unlawful obtaining or disclosure of personal data
Reckless or deliberate misuse
Failing to comply with enforcement orders
Altering or destroying data to prevent disclosure
Key GDPR Violation Cases with Criminal Elements
1. Christopher Niebel (2012) – ICO Prosecution under DPA, Pre-GDPR but Criminal
Facts:
Niebel sent over 840,000 spam text messages using illegally obtained personal data to promote mis-sold PPI claims.
Outcome:
He was fined and prosecuted for unlawful data use, as he had obtained and used personal data without consent.
Principle:
Deliberate marketing using illegally sourced data can lead to criminal sanctions.
2. Muneeb Iqbal (2020) – First UK criminal GDPR conviction
Facts:
A customer service worker at an accident claims company accessed over 2000 motor accident records and passed them to a third party without consent.
Outcome:
He was criminally convicted under Section 170 of the DPA 2018 and received a conditional discharge and court costs.
Principle:
An employee accessing data without authorization for personal or third-party gain commits a criminal offence under GDPR-related law.
3. Andrew Crossley – ACS:Law (2011)
Facts:
Crossley ran a law firm that collected IP addresses of suspected illegal file-sharers and threatened legal action. When the firm's poorly secured website leaked the data, personal info was exposed online.
Outcome:
Though mostly fined and struck off professionally, the case raised potential criminal liability for data breaches and reckless handling.
Principle:
Gross negligence in handling and storing data can trigger regulatory and possible criminal consequences.
4. Scottish Borders Council (2013)
Facts:
An outside contractor found confidential employee pension records in a recycling bin. The council had allowed documents to be disposed of insecurely.
Outcome:
The ICO issued a large fine, and though criminal charges weren't pursued, employees or contractors could have faced prosecution for breach of confidentiality and negligence.
Principle:
Failure to control third-party data handling can amount to criminal recklessness in some cases.
5. Rebecca Gray (2018) – NHS Employee
Facts:
Gray, working at the NHS, accessed medical records of 29 patients without any business reason, including those of family and friends.
Outcome:
She was criminally convicted under the Data Protection Act for unlawfully accessing data and fined by the magistrates' court.
Principle:
Even curiosity-based snooping is a criminal offence when there's no lawful reason to view the data.
6. British Airways Data Breach (2018–2020) – Civil + Potential Criminal Inquiry
Facts:
A cyberattack exposed data of 400,000 customers due to poor security measures.
Outcome:
The ICO issued a record fine (£20 million), but there were discussions of criminal investigation due to failure to protect user data, though no criminal charges followed.
Principle:
Large-scale negligence in cybersecurity may lead to criminal investigations depending on intent and harm.
Quick Summary Table
Case | Key Offence | Outcome |
---|---|---|
Niebel (2012) | Spam using unlawfully obtained data | Criminal fine |
Iqbal (2020) | Employee misuse of accident data | Criminal conviction |
Crossley (2011) | Data leak through poor security | Sanctions, possible criminal liability |
Scottish Borders (2013) | Data in unsecured disposal | Major fine, criminal risk |
Gray (2018) | NHS staff accessed records unlawfully | Criminal fine |
BA Data Breach (2018) | Poor data protection | Record fine, criminal probe considered |
How Is Criminal Liability Proven?
To prosecute criminal GDPR offences, authorities must show:
Deliberate or reckless misuse of data
No lawful basis or consent
Intent to cause harm, gain, or avoid responsibility