The National Security Act (NSA) received royal assent on 11 July. The NSA repeals the official secrets acts of 1911, 1920 and 1939 and creates a range of new offences, including:

  • Espionage: obtaining or disclosing protected information (s.1); obtaining or disclosing of trade secrets (s.2); and assisting a foreign intelligence service (FIS) (s.3). Each offence has its own mens rea.
  • Sabotage (s.12): engaging in conduct which results in damage to any asset, where the person intends this to result in such damage (or is reckless regarding such damage). The person must also know, or ought to know, the purpose of the conduct is prejudicial to the safety or interests of the UK.
  • Foreign interference (s.13): engaging in conduct, directly or through a course of conduct with others, which is ‘prohibited’. A person must intend the conduct to, or be reckless as to whether, it would have an ‘interference effect’ – defined as including interfering with a person’s right under the European Convention on Human Rights or the exercise of public functions (s.14). Conduct will be prohibited if it is an offence in the UK (or an act, if committed abroad, which would be an offence in the UK if it took place here), or conduct involving coercion or a misrepresentation (s.15). There is also a standalone offence of foreign interference with elections (s.16); and
  • Obtaining a material benefit from an FIS (s.17): receiving a material benefit from an FIS, where a person knows or ought reasonably to know it is from an FIS.

Importantly, offences under s.1, 2, 12 and 13 can only be committed if they are carried out for, or on behalf of, a ‘foreign power’ and the person knows, or ought reasonably to know, that is the case. The foreign power condition is also met if the person intends the conduct to benefit the foreign power (s.31). ‘Foreign power’ is broadly defined at s.32 and includes heads of state, foreign governments, agencies of a foreign government, authorities or persons responsible for administering the affairs of an area within a foreign country or territory and the governing political party of a foreign government.

A number of NSA offences have extra-territorial effect with penalties extending to life imprisonment. The offences also carry fines, thereby allowing for corporate liability.

Significantly, s.35 of the NSA increases the compliance burden on senior individuals for national security offences by stating that if an NSA offence is committed by a body corporate, then certain individuals themselves will be guilty of a criminal offence if the corporate offence was committed with the individual’s consent, connivance or neglect. Those potentially liable under s.35 will depend on the relevant body, but include a director, chief executive, manager or secretary and a partner of a partnership.

Currently, there are four ways in which a corporate can commit an offence: a) a strict liability offence; b) specific legislation which places obligations on corporates – for example, s.7 of the Bribery Act 2010; c) legislation which confers vicarious liability; or d) senior individuals representing the ‘directing mind and will’ of the company (known as the ‘identification doctrine’). Cases involving the latter are notoriously difficult to prove, particularly where large companies are involved.

The NSA does not change this general position (for that, we must wait for the Economic Crime and Corporate Transparency Bill set to be passed by parliament later this year). However, it does add to the pool of offences where the bar for ascribing personal liability to a senior individual has been lowered to mere neglect on the individual’s part.

Existing legislation which allows for liability to apply where there has been neglect is relatively limited, but includes: money laundering offences under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (reg.92); health and safety offences under the Health and Safety at Work etc Act 1974 (s.37); data protection offences under the Data Protection Act 2018 (s.198); and offences under the Companies Act 2006 (s.1255).

National Security and Investment Act 2021

The NSA is not the only national security legislation recently enacted which creates additional liabilities for businesses and their management. The National Security and Investment Act 2021 (NSIA), which came into force on 4 January 2022, imposed various new obligations on businesses, and introduced a power exercisable by the government to scrutinise and intervene in relevant business transactions to protect national security.

The NSIA is also another example of an act which imposes criminal liability on individual officers for corporate offences attributable to neglect, as well as consent or connivance, on their part (s.36).

Annual reports from 2022 and 2023 confirm that no penalties have yet been issued for offences committed under the NSIA. However, the statute is very much in its infancy and, although NSIA penalties are likely to remain rare, where they are imposed the implications will be significant.

An expansion of liability

The NSA and NSIA therefore bring a further expansion of corporate and individual liability for serious offences with extra-territorial reach. This opens another avenue of potentially very significant legal risk. Businesses, particularly those operating internationally, must be mindful of the possible financial and reputational repercussions if these risks are not adequately managed.

Sophie Wood is a legal director at Kingsley Napley, London

Topics