Unlawful Disclosure of Personal Data: Who Carries the Burden of Proof Now?

February 27, 2019


by James LLoyd Senior Manager, Contentious Data Protection Strategy, Legal and Compliance Services, PwC United Kingdom

Email +44 (0)7483 417072

by Simon Davis Senior Associate, Data Protection Strategy, Legal and Compliance Services, PwC United Kingdom

Email +44 (0) 7706 285054

It is a criminal offence for a person to unlawfully obtain or disclose personal data. Under the previous data protection regime, a person committed the offence by ‘knowingly or recklessly’ disclosing, obtaining, or procuring the disclosure of personal data, without the consent of the data controller (Section 55 of the Data Protection Act 1998, “Section 55”). However, a person did not commit an offence if they were able to ‘show’ that they did so for a reason specified in Section 55(2).

In Shepherd v Information Commissioner [2019] EWCA Crim 2, the Court of Appeal considered the operation of Section 55 in practice and, in response to a request by the Information Commissioner’s Office (“ICO”), gave guidance on how Section 170 of the Data Protection Act 2018 (“Section 170”), the analogous provision under the new data protection regime, might have changed things.

Background

The appellant had worked for a company engaged by a public sector organisation (“The Organisation”). The Organisation ended its agreement with the company on account of concerns about certain employees’ past conduct, including the appellant’s. Shortly after, an investigation was commissioned by the Organisation and a report produced. The report was leaked to the appellant who subsequently disclosed it, by email, to 83 individuals. It was alleged that the report contained personal data relating to an ‘unnamed female complainant’ in historic criminal proceedings involving the appellant, and two of the appellant’s colleagues.

The appellant was charged under Section 55 with three counts of unlawfully disclosing personal data. At trial, the appellant unsuccessfully relied upon certain justifications provided by Section 55(2), namely: that he had the right in law to disclose the data, that he had acted in the reasonable belief that he would have had the data controller’s consent had they known of all the circumstances, and that it was in the public interest to do so. He was convicted on all three counts.

Burden of Proof

The case turned on who carried the legal burden[1] in relation to Section 55. The appellant claimed that he only had an ‘evidential burden’[2] upon him, and not a legal burden. As such, he would only have to provide sufficient evidence to put the Section 55(2) justifications before the Court (for the prosecution to then disprove ‘beyond reasonable doubt’). He would not have to prove these justifications himself on the ‘balance of probabilities’.

The appellant further submitted that, if Section 55(2) did place a legal burden upon him, this violated the presumption of innocence enshrined by Article 6(2) of the European Convention on Human Rights (ECHR).

The Decision

The Court found that the issue was a matter of statutory interpretation and that, given this was a criminal provision, it must be interpreted narrowly and in the interests of the defendant.

Amongst other things, the Court observed that Section 55(2) was not expressed in terms of a ‘defence’ and did not contain archetypal wording sufficient to impose a ‘reverse legal burden’. Accordingly, it concluded that Section 55 imposed no more than an evidential burden on the appellant and quashed the convictions.

The Court then considered the analogous provision of Section 170. In contrast to Section 55, the Court stated that because of its use of a conventional ‘reverse legal burden’ construction, Section 170 did place a legal burden on the defendant to prove the relevant justifications on the balance of probabilities. However, it expressed no view on the section’s compatibility with the defendant’s Article 6 ECHR rights.

The move towards clear wording of a reverse onus provision in Section 170 shows that Parliament is receptive to public concern about personal data breaches and the level of harm that can be caused. The comments provided by the Court in relation to the DPA 2018 will be welcomed by the ICO, which will look to impose criminal sanctions on those who unlawfully use personal data.


[1] In criminal proceedings the legal burden or ‘burden of proof’ is most commonly borne by the prosecution to prove a matter in issue to the standard of ‘beyond reasonable doubt’. A ‘reverse legal burden’ imposes a legal burden upon the defence to prove a matter in issue on the ‘balance of probabilities’. Circumstances in which the defence carries the legal burden are limited, but exist in relation to the defence of ‘insanity’ and where expressed or implied by statute.

[2] The evidential burden is not a burden of proof but the burden of adducing sufficient evidence or ‘the duty of passing the judge’.
