17 Feb 2020

The Financial Conduct Authority (FCA), the Information Commissioner’s Office (ICO) and the Financial Services Compensation Scheme (FSCS) have issued a joint statement warning regulated firms and insolvency practitioners of the need to be responsible when dealing with personal data.

The Regulators are aware that some insolvency practitioners (IPs) and FCA-authorised firms have attempted to sell clients’ personal data to claims management companies (CMCs) either before or after a firm has entered into an insolvency process (typically administration or liquidation) and where it is likely claims for compensation will be made to FSCS.

The statement confirms that standard contract terms, conditions and clauses are "highly unlikely" to constitute sufficient legal consent for personal data to be shared with CMCs to market their services. This could mean that the insolvent companies (and potentially the IPs personally) are held to be in breach of data protection legislation. The effect of that is that any fine levied on an insolvent company by the FCA or ICO as a result of such breach(es) is likely to be treated as an expense of the insolvent seller's insolvency process (rather than as an unsecured claim). In such circumstances, any available funds in the insolvent company's estate will be diverted to meet such a liability ahead of the payment of any preferential, floating charge or unsecured creditor claims, as well as the IP's remuneration. Commercially, if the insolvent business sale agreement contains the usual indemnities from the "buyer" CMC in favour of the "seller" insolvent company (in respect of the transfer of such personal data) then the risk of such a liability would ultimately pass to the buyer CMC. However, this contractual protection for the insolvent company is only as strong as the financial position of the CMC. If the CMC cannot afford to pay the fine itself then liability would remain one to be borne by the insolvent seller (and ultimately, its creditors). 

IPs should be wary, too, that the FCA or ICO could seek to levy a fine on them personally (rather than the insolvent company) for any such data protection breaches if they act as a "data controller" by taking decisions about the processing of data as principal rather than as agent of the company. This seems unlikely but whether that is deemed to be a profound risk for IPs is likely to be determined by their conduct in effecting the sale or transfer of the personal data as agent of the seller insolvent company (including any due diligence undertaken by the IPs as to the risks of a transfer and any prior engagement with the FCA or ICO accordingly) and whether the IPs have indemnity protections in their personal favour under the business sale agreement. IPs should also be mindful of potential criminal liability under s.170 of the Data Protection Act 2018.

Companies that pass on personal data may be failing to meet their obligations under the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). Subsequent direct marketing calls, texts or emails made by CMCs may breach the Privacy and Electronic Communications Regulations 2003 (PECR). 

The FCA Handbook requires that CMCs act honestly, fairly and professionally in line with the best interests of their customers. CMCs intending to buy and use such personal data must be able to demonstrate how they have considered the fair treatment of customers, as well as how their actions comply with privacy laws. If CMCs rely on legitimate interest grounds for processing such data they are unlikely to meet the requirements of the GDPR, and may also be in breach of their FCA rules to act in their customers' interests. 

Where breaches of data protection legislation, the Claims Management Conduct of Business sourcebook (CMCOB) or the FCA Handbook are identified the Regulators state they will take appropriate action. 

It should be emphasised that this joint-warning from the FCA, ICO and FSCS is not intended to prevent the legitimate transfer or sale of personal data but, rather, to ensure that IPs are sensitive not only to their duties to creditors but also to regulatory issues surrounding the transfer of consumers' personal data, as part of an insolvent business sale, to minimise the risk of such data being compromised.