Information Commissioner: Phorm must be opt-in only
Data protection probe into secret trials too
Updated The Information Commissioner's Office (ICO) has issued a major revision to its statement on Phorm, insisting that the ad tracking system must be deployed on an opt-in basis to comply with the law.
Of the three ISPs connected to the scheme, only Carphone Warehouse has committed to opt in when the system is finally rolled out. BT has not commented on how its national deployment will obtain consent.
Virgin Media meanwhile says that despite Phorm's note to the contrary, it did not "confirm [an] exclusive agreement" (to implement Phorm) - merely a memorandum of understanding that if it does decide to track customers, Phorm will be the technology provider. A concerned customer claims that he was told by CEO Neil Berkett's office: "We haven't signed up with Phorm, we've expressed an interest."
The ICO's tougher stance also means that as far as the ICO is concerned, BT and Phorm's secret and allegedly illegal trials without consent conducted in 2006 and 2007 are subject to investigation under DPA.
A spokeswoman said more news on the probe will be forthcoming, but was unable to provide a timetable for when the tens of thousands who were tracked and profiled can expect to see those responsible held to account. BT has refused to answer questions on why it believes it acted within the law.
The ICO released a first version of its statement on Friday 4 April and was branded a "green light for law breaking" by legal experts at the Foundation for Information Policy Research (FIPR). The long-awaited document merely parroted assurances that web browsers will be anonymous.
The extensively-rewritten statement now however includes strongly-worded concerns about the system under the data Protection Act (DPA) and the Privacy and Electronic Communications Regulations (PECR), which grant the ICO's powers.
Today's statement, which only covers future deployments of Phorm technology, reads:
Even if Phorm is not processing personal data, the ISP undertaking the profiling may be to the extent that it uses IP addresses in that profiling and is able to link its customers to an IP address although this may not be its intention.
To the extent that personal data is processed that processing must be fair and lawful in order to comply with the First Principle of the DPA.
Regulation 7 of PECR will require the ISP to get the consent of users to the use of their traffic data for any value added services. This strongly supports the view that Phorm products will have to operate on an opt in basis to use traffic data as part of the process of returning relevant targeted marketing to internet users.
The PECR is an implementation of a 2003 European directive aimed at protecting personal privacy online.
Nicholas Bohm, FIPR's general counsel, welcomed the ICO's revised statement. "It's good news that he [Information Commissioner Richard Thomas] says that nothing less than an explicit opt-in will do. It's a strong and valuable conculsion to draw."
The Commissioner also used the statement to pass responsibility for enforcing the Regulation of Investigatory Powers Act to the Home Office. Bohm criticised the move, saying: "I'm sorry he has ducked the interception issue. In my opinion his hands are not tied, and he is perfectly entitled to investigate any general unlawfulness around personal data."
BT and Phorm were unavailable for comment. ®
80/20 Thinking, the consultancy firm that produced an interim privacy report for Phorm, has organised a "Town Hall meeting" on 15th April in London, where the public can address Phorm's CEO Kent Ertugrul and technical SVP Marc Burgess. Details here.
Phorm sent us another statement:
We've not yet had the opportunity to discuss PECR with the ICO but will do shortly. However, the law is quite clear stating that any system requires valid, informed consent. We believe the approach that we will take to user notice will not only provide for such consent, but will in fact exceed the level of notice provided by anyone else.
We're very confident, as has been the case with the DPA and RIPA, that closer scrutiny will demonstrate that the way in which we obtain consent will substantially exceed any legal requirement.
Still no mention of those trials, eh?