Information Commissioner: Phorm must be opt-in only

Data protection probe into secret trials too

Updated The Information Commissioner's Office (ICO) has issued a major revision to its statement on Phorm, insisting that the ad tracking system must be deployed on an opt-in basis to comply with the law.

Of the three ISPs connected to the scheme, only Carphone Warehouse has committed to opt in when the system is finally rolled out. BT has not commented on how its national deployment will obtain consent.

Virgin Media meanwhile says that despite Phorm's note to the contrary, it did not "confirm [an] exclusive agreement" (to implement Phorm) - merely a memorandum of understanding that if it does decide to track customers, Phorm will be the technology provider. A concerned customer claims that he was told by CEO Neil Berkett's office: "We haven't signed up with Phorm, we've expressed an interest."

The ICO's tougher stance also means that, as far as the ICO is concerned, the secret and allegedly illegal trials that BT and Phorm conducted without consent in 2006 and 2007 are subject to investigation under the DPA.

A spokeswoman said more news on the probe will be forthcoming, but was unable to provide a timetable for when the tens of thousands who were tracked and profiled can expect to see those responsible held to account. BT has refused to answer questions on why it believes it acted within the law.

The ICO released a first version of its statement on Friday 4 April, which was branded a "green light for law breaking" by legal experts at the Foundation for Information Policy Research (FIPR). The long-awaited document merely parroted assurances that web browsers will be anonymous.

The extensively rewritten statement now, however, includes strongly worded concerns about the system under the Data Protection Act (DPA) and the Privacy and Electronic Communications Regulations (PECR), which grant the ICO's powers.

Today's statement, which only covers future deployments of Phorm technology, reads:

Even if Phorm is not processing personal data, the ISP undertaking the profiling may be to the extent that it uses IP addresses in that profiling and is able to link its customers to an IP address although this may not be its intention.

To the extent that personal data is processed that processing must be fair and lawful in order to comply with the First Principle of the DPA.

Regulation 7 of PECR will require the ISP to get the consent of users to the use of their traffic data for any value added services. This strongly supports the view that Phorm products will have to operate on an opt in basis to use traffic data as part of the process of returning relevant targeted marketing to internet users.

The PECR is an implementation of a 2003 European directive aimed at protecting personal privacy online.

Nicholas Bohm, FIPR's general counsel, welcomed the ICO's revised statement. "It's good news that he [Information Commissioner Richard Thomas] says that nothing less than an explicit opt-in will do. It's a strong and valuable conclusion to draw."

The Commissioner also used the statement to pass responsibility for enforcing the Regulation of Investigatory Powers Act to the Home Office. Bohm criticised the move, saying: "I'm sorry he has ducked the interception issue. In my opinion his hands are not tied, and he is perfectly entitled to investigate any general unlawfulness around personal data."

BT and Phorm were unavailable for comment. ®

Updates

80/20 Thinking, the consultancy firm that produced an interim privacy report for Phorm, has organised a "Town Hall meeting" on 15th April in London, where the public can address Phorm's CEO Kent Ertugrul and technical SVP Marc Burgess. Details here.

Phorm sent us another statement:

We've not yet had the opportunity to discuss PECR with the ICO but will do shortly. However, the law is quite clear stating that any system requires valid, informed consent. We believe the approach that we will take to user notice will not only provide for such consent, but will in fact exceed the level of notice provided by anyone else.

We're very confident, as has been the case with the DPA and RIPA, that closer scrutiny will demonstrate that the way in which we obtain consent will substantially exceed any legal requirement.

Still no mention of those trials, eh?
