
Corporate update: the latest corporate law developments December 2021

Gateley Legal


In this month’s update for directors, secretaries and general counsels we:

  • explain how failing to have adequate procedures to prevent bribery led to a £77m fine;
  • describe the court’s approach to a claim involving a trivial data breach; and
  • highlight the latest guidance and regulations relating to the new investment screening regime. 

Company fined £77m for failing to prevent bribery

A recent case highlights the significant financial costs - £77 million in this instance - for a company which fails to have adequate procedures in place to prevent bribery.

Bribery offences

The Bribery Act 2010 introduced various different offences, including both giving and receiving a bribe, as well as a specific offence of bribing a public official. In addition, an organisation will also be guilty of an offence where an 'associated person' bribes another person with a view to obtaining or retaining business for that organisation. An 'associated person' for this purpose is anyone who performs services for or on behalf of the organisation. This could include employees, officers, agents or associated companies.

This corporate offence is a strict liability offence, meaning the organisation will be liable regardless of whether or not it knew about the bribery. The only defence for an organisation is if it can show that it had in place adequate procedures to prevent bribery from occurring.

The facts

The latest case involved Petrofac Limited, a company which provided oil-field services in various locations in the Middle East. Over the course of a four-year investigation, the Serious Fraud Office found that between 2011 and 2017 senior executives at the company engaged in elaborate schemes to corrupt the awarding of contracts, using agents to bribe officials to win lucrative contracts. In particular, Petrofac's Global Head of Sales, David Lufkin, had already pleaded guilty to a total of 14 counts of bribery.

Petrofac co-operated with the SFO's investigation and admitted that it failed to prevent its senior executives from paying £32 million in bribes which helped the organisation win over £2.6 billion of contracts in the oil and gas industry in the Middle East. Petrofac pleaded guilty to seven separate counts of failing to prevent bribery in connection with the offences committed by Mr Lufkin.

The decision

An organisation found guilty of the corporate offence of failing to prevent bribery faces an unlimited fine. This is made up of both the confiscation of gains made by the organisation as a result of its offending, as well as a penalty element. 

In Petrofac's case, not all of the contracts turned out to be profitable and some actually resulted in a loss. Nonetheless, the judge imposed a confiscation order of almost £23 million. 

In relation to the penalty fine, the SFO appeared keen to encourage other entities to co-operate with its future investigations and so was at pains to impose a penalty which would not tip Petrofac into insolvency. Petrofac had indicated that, with refinancing, it could afford a total penalty of around £81 million. Taking into account its co-operation with the investigation and its early guilty plea, Petrofac was ordered to pay a fine of £47 million. When added to the confiscation order, and a costs order of £7 million, the total financial penalty was £77 million.


As noted above, the only defence for Petrofac would have been to show that it had adequate procedures in place to prevent bribery taking place. However, Petrofac accepted that its procedures were inadequate and easily bypassed, and so it didn't raise a defence based on those procedures.

Many Bribery Act cases are resolved via a deferred prosecution agreement (DPA), under which prosecution is deferred and the organisation avoids it in return for agreeing to a course of conduct (such as payment of a fine, etc). This is only the second case to result in a criminal conviction for the corporate offence of failing to prevent bribery. The SFO has not confirmed whether DPA negotiations were initiated or why this case was resolved by a prosecution rather than a DPA.

High Court unimpressed by trivial data breach claim

The High Court has summarily dismissed a claim where, despite a data breach occurring, it was implausible that any damage had been caused or any distress suffered.


Since the introduction of the General Data Protection Regulation (GDPR) and the related Data Protection Act 2018, organisations have faced an increased regulatory burden when it comes to the personal data that they possess and process. Any misstep carries the threat of fines from the ICO and claims by the affected data subjects, as well as potential reputational issues. Whilst there may be a perception that the legislation was aimed at serious or persistent breaches involving sensitive personal data which caused significant loss or distress to the individuals involved, there have been relatively few cases before the courts to explain how lesser breaches will be assessed and treated.

The facts

In Rolfe and others v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB) a school instructed solicitors to write to the parents of a pupil to demand payment of outstanding school fees. A letter was prepared and sent by email with a statement of account. Unfortunately, due to a typing error, the email was not sent to the parents but was sent to another email address which was identical but for a single character. The recipient of the email, realising it was not intended for her, contacted the solicitors the same day. The solicitors asked her to delete the email and she confirmed that she had done so. The recipient of the email did not know the parents.

The parents were not happy that their personal data had been improperly disclosed by the solicitors. They issued a claim for damages for misuse of confidential information, breach of confidence, negligence, damages under GDPR and the Data Protection Act 2018, plus a declaration and an injunction, interest and further or other relief. 

The solicitors applied for the claim to be summarily dismissed. Such a request will be granted by the court where there is no realistic prospect of the claim succeeding at trial.

The decision

The court considered:

  • the nature of the information that had been disclosed, noting that this was the parents' names and addresses, the invoice for the fees and the statement of account. No phone numbers, bank details or information about the parents' finances or home life had been disclosed;
  • the circumstances of the disclosure, noting that the information had been accidentally disclosed to only one recipient who had promptly contacted the sender and confirmed it had been deleted. There was no reason to think they had not acted in good faith or even that they had actually read all the documents inadvertently sent to them; and
  • the harm done or loss caused, noting that it was common ground between the parties that damages could be recovered for data protection breaches, including for the distress caused, even where there was no financial loss suffered. However, there did need to be damage of some kind and a claim could not succeed where any possible loss or distress was only trivial.

Taking these factors into account, the court found that the parents' claim that the minimal data breach had caused them significant distress and worry, and even made them feel ill, was inherently implausible. The case involved minimally significant information, a rapid set of steps taken to remedy the breach, and no evidence of further transmission or information misuse. The judge said "no person of ordinary fortitude would reasonably suffer the distress claimed arising in these circumstances in the 21st Century, in a case where a single breach was quickly remedied".

Accordingly, the court granted summary judgment for the solicitors and dismissed the case with costs.


Although a number of high-value cases involving disclosures of highly sensitive personal data have been reported, the majority of data breaches involve far less significant information disclosed in far less damaging ways. But there have been few decisions involving these more trivial breaches and therefore little guidance as to the approach the courts may take. This decision is good news for those who find themselves on the receiving end of speculative or exaggerated claims and suggests the courts will not look favourably on those making such claims.

National Security and Investment Act: further guidance and regulations published

As the 4 January 2022 implementation date for the new national security screening regime approaches, the government has published additional guidance for businesses as well as a range of secondary regulations.

As a reminder, the new regime will require mandatory notification of certain transactions within 17 specified sectors. A qualifying transaction within one of those sectors which completes without clearance from the new Investment Security Unit (ISU) will be void. In addition, there will be a voluntary notification regime for transactions outside the specified sectors which give rise to national security concerns, as well as new call-in powers for the government to review transactions which should or could have been notified under either the mandatory or voluntary notification regime.

New and updated guidance

The government has published the final text of its statement explaining how it expects to exercise its power to call in a transaction for review under the National Security and Investment Act 2021 (NSIA2021):

  • The updated statement now confirms that the new powers under the Act exist solely to safeguard the UK's national security and not to promote any other objectives. This amendment was made to address concerns that the government's original statement went beyond national security into other areas such as economic prosperity.
  • The original version of the statement suggested that the call-in powers could be exercised where only one of the three identified risk factors (target risk, acquirer risk and control risk) was present. In the updated statement, the government confirms that it is expected that all three risk factors will be present in order for a transaction to be subject to call-in. However, it does not rule out the possibility of call-in where fewer risk factors are present.

At the same time, the government has also published guidance for businesses to help them assess whether their activities are within the scope of the mandatory notification regime. The guidance explains the activities caught by each of the 17 specified sectors.

New regulations

The NSIA2021 leaves a number of matters to be specified in secondary regulations. Accordingly, the government has now published the following:


It is anticipated that the new Act will have a significant effect on the UK's M&A transaction process, with a significant number of precautionary notifications being made, at least until the government's approach to the exercise of its call-in powers becomes clearer. Deal timetables are likely to be impacted, with an increased number of transactions being made conditional on clearance from the ISU and the inevitable delays that will accompany this.
