At the time of publication, Lisa Osofsky, Director of SFO, said, “The publication of these guidelines will provide more transparency about what we expect from companies that want to work with us.” Director Osofsky`s full remarks are here: www.sfo.gov.uk/2020/10/23/serious-fraud-office-releases-guidance-on-deferred-prosecution-agreements/. A dpa is a judicial agreement between a company under investigation and a prosecutor that allows the stay of proceedings, provided the company meets certain conditions. To enter a DATA authority, a company must: (1) admit misconduct; (2) pay a fine and (3) accept certain conditions set by the prosecutor to ensure future cooperation and compliance. On 24 February 2014, when Schedule 16 to the Crime and Courts Act 2013 came into force, data protection authorities became an alternative to prosecution in the UK. The SFO is the only UK law enforcement service to have negotiated DPAs and has closed nine data protection authorities since 2014. The FSC does not explain why the fairness and importance of the company`s non-management in terms of the strength of its case might require such disclosure when individuals are charged, but does not require that they not be charged if they are not. Given the importance of testimony in assessing evidence by a prosecutor (as well as in any proceedings), companies would be well advised to request such disclosure in order to develop their own vision of the strength of criminal proceedings. This would allow them to play an informed role in the negotiations and ensure that they are not misled about the strength of the criminal proceedings. The DPA 2020 guidelines (“the guidelines”) are available here: www.sfo.gov.uk/publications/guidance-policy-and-protocols/sfo-operational-handbook/deferred-prosecution-agreements/. The guidelines list a non-exhaustive list of factors that weigh on criminal prosecutions, including: (1) cooperation; (2) the absence of a history of similar behaviour; (3) the existence of a proactive compliance program both at the time of driving and at the time of reporting; (4) disciplinary action against all those guilty; and (5) if a conviction is likely to have security for the public, employees and shareholders of the company or the company and/or institutional pension holders. Serious Fraud Office has issued guidelines on late prosecution agreements (October 30, 2020), www.sfo.gov.uk/2020/10/23/seriousfraud-office-releases-guidance-on-deferred-prosecution-agreements/. Osofsky, a former U.S. federal prosecutor, knows first-hand how DPAs can be an effective tool for repression.
As an alternative to law enforcement, data protection authorities and companies offer the opportunity to cooperate in order to bring criminals to justice, to assist the company, to promote compliance and, in some cases, to ensure the viability of a business. While companies are not able to prevent all cases of misconduct, companies can monitor the implementation and maintenance of a robust business compliance program, a determining factor in the decision to sue a business under both regimes. While data protection authorities are a relatively new alternative to law enforcement in the United Kingdom, U.S. prosecutors have long used PGOs in the handling of enforcement measures. Federal lawyers have a great deal of leeway in determining when, who, how and whether violations of federal criminal law and data protection authorities should be prosecuted, and data protection authorities provide a balance between reducing prosecutions and convicting a company. The U.S. Department of Justice (DOJ) defines the principles of federal prosecution and indicates when data protection authorities may be an appropriate alternative to prosecution in the context of the enterprise.