A Deferred Repression Agreement (DPA) is a mechanism for resolving proceedings against a company that is essentially an unofficial form of parole. Although generally used to solve criminal proceedings, civil enforcement authorities such as the SEC have begun to use it. The SFO held the publication of the DPA until the Tribunal concluded that there was no response to the proceedings against the three persons. The accused were in fact anonymous until then. However, after his acquittal, the SFO decided to publish the DPA. In its accompanying statement of facts, Tesco acknowledged a “dishonest falsification” of its accounts between February and September 2014, citing the three executives who “dishonestly immortalized” the winning errors. The surprising decision to publish the names of those acquitted underscores the unfairness of the DPA system. It appears that there is no mechanism within the current FRAMEWORK of the CCA to modify or repair a change of fact, or to correct an erroneous mechanism that will be known later as soon as the CCA has been signed. Simply put, they allow a sued company to avoid a procedure provided it meets certain conditions.
Data protection authorities can be used for specific economic crimes, including fraud and corruption. In October 2020, the SFO published a chapter of its manual, which provides detailed guidance on how data protection authorities are in contact with companies whose CCA is a forward-looking outcome. The terms of a CCA are negotiated between the defendant and the government. For example, the agreement could require the defendant to acknowledge wrongdoing, pay refunds, or take certain steps to prevent future wrongdoing. For example, a data protection authority could ask a company to fire executives responsible for misconduct, put in place a stronger compliance program, submit to an independent monitor to ensure good behavior, or all of that – and maybe even more. There are a number of reasons why a company like STL wants to enter into a CCA, for example to achieve opportunity, security and reputation management. However, the data protection authority TSL stressed the rigidity of the legislation in which the DPA process is implemented and its ability to inflect injustices to those involved in the investigation. It should be noted that, as Sir Brian Leveson PC said, the legal procedure contained in the Crime and Courts Act 2013 meant not only that the acquitted defendants (who were concerned by the data protection authority) could not request a change in data protection or the SoF, but that the judge`s role in the execution of the DPA procedure was effectively limited to imposing his conditions after his approval.