
Information Commissioner: Phorm must be opt-in only

Data protection probe into secret trials too

Updated The Information Commissioner's Office (ICO) has issued a major revision to its statement on Phorm, insisting that the ad tracking system must be deployed on an opt-in basis to comply with the law.

Of the three ISPs connected to the scheme, only Carphone Warehouse has committed to opt in when the system is finally rolled out. BT has not commented on how its national deployment will obtain consent.

Virgin Media meanwhile says that despite Phorm's note to the contrary, it did not "confirm [an] exclusive agreement" (to implement Phorm) - merely a memorandum of understanding that if it does decide to track customers, Phorm will be the technology provider. A concerned customer claims that he was told by CEO Neil Berkett's office: "We haven't signed up with Phorm, we've expressed an interest."

The ICO's tougher stance also means that, as far as the ICO is concerned, BT and Phorm's secret and allegedly illegal trials without consent conducted in 2006 and 2007 are subject to investigation under the DPA.

A spokeswoman said more news on the probe will be forthcoming, but was unable to provide a timetable for when the tens of thousands who were tracked and profiled can expect to see those responsible held to account. BT has refused to answer questions on why it believes it acted within the law.

The ICO released a first version of its statement on Friday 4 April, which was branded a "green light for law breaking" by legal experts at the Foundation for Information Policy Research (FIPR). The long-awaited document merely parroted assurances that web browsers will be anonymous.

The extensively rewritten statement now, however, includes strongly worded concerns about the system under the Data Protection Act (DPA) and the Privacy and Electronic Communications Regulations (PECR), which grant the ICO's powers.

Today's statement, which only covers future deployments of Phorm technology, reads:

Even if Phorm is not processing personal data, the ISP undertaking the profiling may be to the extent that it uses IP addresses in that profiling and is able to link its customers to an IP address although this may not be its intention.

To the extent that personal data is processed that processing must be fair and lawful in order to comply with the First Principle of the DPA.

Regulation 7 of PECR will require the ISP to get the consent of users to the use of their traffic data for any value added services. This strongly supports the view that Phorm products will have to operate on an opt in basis to use traffic data as part of the process of returning relevant targeted marketing to internet users.

The PECR is an implementation of a 2003 European directive aimed at protecting personal privacy online.

Nicholas Bohm, FIPR's general counsel, welcomed the ICO's revised statement. "It's good news that he [Information Commissioner Richard Thomas] says that nothing less than an explicit opt-in will do. It's a strong and valuable conclusion to draw."

The Commissioner also used the statement to pass responsibility for enforcing the Regulation of Investigatory Powers Act to the Home Office. Bohm criticised the move, saying: "I'm sorry he has ducked the interception issue. In my opinion his hands are not tied, and he is perfectly entitled to investigate any general unlawfulness around personal data."

BT and Phorm were unavailable for comment. ®

Updates

80/20 Thinking, the consultancy firm that produced an interim privacy report for Phorm, has organised a "Town Hall meeting" on 15th April in London, where the public can address Phorm's CEO Kent Ertugrul and technical SVP Marc Burgess. Details here.

Phorm sent us another statement:

We've not yet had the opportunity to discuss PECR with the ICO but will do shortly. However, the law is quite clear stating that any system requires valid, informed consent. We believe the approach that we will take to user notice will not only provide for such consent, but will in fact exceed the level of notice provided by anyone else.

We're very confident, as has been the case with the DPA and RIPA, that closer scrutiny will demonstrate that the way in which we obtain consent will substantially exceed any legal requirement.

Still no mention of those trials, eh?
