A very long engagement

Tim Kelsey’s appearance on the Today programme was not illuminating. No compromise, no acknowledgement that the process has been badly handled, and the plan to slip leaflets about the process in with the pizza menus was on the advice of ‘competent marketing agencies’ (the sound you just heard was the launch of an FOI request about who they were and what they said). It must be nice to make such a fantastic hash of your job, and be capable of thinking you’re still a winner.

From the perspective of someone who is uncomfortable with the care.data process, I would have been happy had he promised a proper, personally addressed opt-out (which is better than what we have now). I would have been even happier had he promised consent. I wouldn’t say for certain that a fair version of care.data is impossible but I don’t think one will ever be offered. I doubt NHS England wants to spend the money on sending personally addressed letters to everyone, and they don’t respect their fellow citizens enough to choose consent, so I’m actually happy that Kelsey is sticking to his guns. Because we’re not going to get a fair, democratic version of the system, I’d rather he keep infantilising the public. This tactic has already led to two delays – a third try at the same patronising “engagement” will surely kill the scheme off forever.

However, one thing struck me about the interview. Justin Webb asked Kelsey the straight question of whether a letter would be sent to every affected citizen. Kelsey said that all options were on the table, but was keen to plug his ‘Get hip with the 21st Century’ bluster about direct mail not being the right way to communicate. We’re using the Vulcan Mind Meld, Grandad. On the basis that Twitter has hardly been a roaring success for the care.data campaign (look at the #caredata hashtag if you don’t believe me), I wondered whether there might be more to Kelsey’s statement than panicked airtime filling. If so, what else is he planning, because I think the expensive letter option is the only game in town?

It’s entirely possible that NHS England has no plans to contact citizens directly at all. I predict posters, the reappearance of the NHS smurfs in the cheapest conceivable TV ad breaks, or adverts on radio stations I don’t listen to because I am old. But let’s assume that Kelsey and NHS England are thinking about some kind of direct contact. What are the options?

POST
Writing to every citizen directly would be more or less legal in Data Protection terms. Assuming that NHS England has a reliable source for every person (not every address) in England, I believe that contacting everyone would be lawful and fair, even if they loaded the correspondence with propaganda. This is partly because Data Protection has its limitations, but also because there’s nothing in the DPA to say that you can’t contact people unless you have their permission, even if the correspondence is marketing. Unless NHS England sends everyone a bald postcard that says ‘we’re taking your data for research, here’s your opt-out’, it’s highly likely that the correspondence would be marketing. The ICO’s definition of marketing is far wider than simply the offer for sale of goods and services, but the DPA does not prevent an organisation from sending unsolicited marketing by post unless the person has used their Section 11 data protection right to opt-out.

Legally, I think that’s NHS England’s only option for direct contact. It is inconceivable that if they are going to pay to contact us all, NHS England would just provide a bald statement of the facts. They would (and you might think they are entitled to) provide the reasons why care.data is a good thing. I believe this fits solidly into the ICO’s definition of ‘promotion of ideals’, which makes post their only legal option.

AUTOMATED CALLS
Automated calls are universally loathed as a form of marketing, so I’m certain that a scheme as cack-handedly managed as this one will hover over the option of making them. Automated calls are much cheaper than live calls, but to make them, you have to step wholly outside Data Protection. The Privacy and Electronic Communications (EC Directive) Regulations 2003 (usually rendered as PECR, which you pronounce ‘pecker’ in order to get cheap laughs) state in regulation 19 that an automated marketing call can only be made if the subscriber (i.e. bill-payer) has “notified the caller” that they consent to receiving the call. That means explicit, opt-in consent for automated calls from NHS England. Nothing implied or inferred – they need active specific consent for automated marketing calls, or they can’t make them.

EMAILS (and as it happens TEXT MESSAGES)

The business sector did a smart lobbying job way back when PECR was drafted, so it is legally possible to send unsolicited business-to-business marketing emails, because PECR treats corporate subscribers (effectively organisations and their email addresses) differently from individual subscribers (i.e. an email account of any kind used solely for personal, home and recreational purposes). But for those individual subscribers i.e. you at home as a regular person, Regulation 22 has bad news for Kelsey’s 21st century engagement. The same rules apply – an active opt-in is the only option. The ‘Interpretation’ section of PECR makes clear that a text message is the same as an email, so the same rules apply – active opt-in. Even if NHS England can get hold of email addresses or mobile numbers (or exhort GPs to use the information they have), it is legally impossible to send messages about care.data unless they have active consent, or the messages are not marketing. And they will be marketing.

LIVE CALLS
I assume that live calls won’t be an option because they would be prohibitively expensive. However, just in case anyone is wondering, NHS England would have to screen all calls against the Telephone Preference Service list under PECR Regulation 21, ruling out millions of people (or making calls to them illegal).

Of course, these rules are routinely abused by Green Deal and PPI pests. The ICO’s efforts have been rather dismissively rebuffed by the First-tier Tribunal, so we await the Upper Tribunal to see whether the existing PECR rules can be properly enforced. But the difficulty of enforcing PECR does not grant NHS England permission to adopt the tactics of the snivelling spam-monger. PECR does not have public interest get-outs or exemptions. It applies to communications about care.data made by electronic means because they will inevitably be a promotion of NHS England’s ideals.

Of course, I may be way off. It’s entirely possible that the plan is for more soothing reassurance. It’s equally possible that care.data is dead, and nobody is willing to admit it yet. Given their stewardship of this so far, I doubt NHS England are above claiming that any contact would not be marketing, and going on a spam frenzy. The ICO – permanently on the back foot over care.data – would need to slap that down. But the Royal College of General Practitioners have demanded direct contact with patients, and it’s clear that their intervention (along with the BMA) has been decisive. Whatever options are on the table, NHS England does not have the legal consent necessary to contact patients by electronic means, even if they can get the data to do it. It would be illegal.

Time to warm up the franking machine.

Think of a number

On Friday, DataGuidance (“the global data protection and privacy compliance solution”) published research headlined ‘Total fines imposed on private sector outstrip public sector’. They also claimed that the level of fines against private sector organisations has increased year on year: private sector civil monetary penalties (CMPs) amounted to 50.7% of the total, compared to 20.5% in 2012 and only 0.2% in 2011.

A few people – presumably those who didn’t actually read the article – were impressed by the findings. A former ICO employee accused me of making illogical claims because I did not think my belief in the ICO’s anti-public sector bias had finally been refuted. However, DataGuidance’s methodology and conclusions are eccentric and potentially unhelpful. The figures were broken down at the bottom of the article, but the headlines and the colourful bar charts conflate enforcement on both Data Protection and the Privacy and Electronic Communications Regulations. They also looked only at the total amounts, rather than the number of enforcement actions.

The law on PECR enforcement was changed in 2011; before that, it was impossible for the ICO to issue CMPs for PECR breaches at all, and even after that, until the statutory guidance was published, the ICO’s hands were still tied. The guidance was published in 2012. The ICO served their first PECR CMPs in November 2012. DataGuidance don’t acknowledge the fact that one of these PECR CMPs was overturned (admittedly, the ICO says they’re appealing), but much more importantly, the report does not register that the increase in private sector CMPs is almost entirely down to PECR and to this change in the law.

Data Protection and PECR are two completely different types of legislation and thus, two completely different strands of enforcement. Obviously, the public sector does some electronic direct marketing and is no better at complying with PECR than the private sector in my experience. However, it’s equally obvious that the vast majority of direct marketing in the UK is carried out by the private sector. Therefore, the vast majority of complaints received by the ICO about PECR breaches will be about private sector organisations. If you’re trying to assess whether the ICO has a bias against the public sector in enforcement, it’s illogical to use legislation focussed on the private sector as evidence. It’s like trying to draw conclusions about the ICO’s attitude towards the private sector by looking at FOI. Any FOI enforcement would be against the public sector. Virtually all PECR enforcement will be against the private sector. There are interesting conclusions to be drawn here – whoever makes decisions about enforcing FOI clearly doesn’t have the bottle to do so, whereas whoever makes decisions about PECR clearly does. But the issue that really interests me is whether the ICO is generally biased against one sector versus another, and it’s Data Protection where I think this can best be examined.

Unlike FOI or PECR, there can be no argument about scope with DP. Some parts of public and private sector are at greater risk because of the nature of their work. For example, local government is more at risk because they share so much data, and the financial services sector is more at risk because of the effect of inaccuracies and losses on people’s finances. However, in general, DP applies equally to all sides. DataGuidance clearly feel that the ICO’s attitude to the sectors is the crucial issue; their headline refers to it, and they quizzed the ICO on that topic, obtaining this unconvincing response: “We don’t consider whether a data controller is public or private sector when deciding whether to pursue enforcement. We judge everything on a case-by-case basis. It all comes down to the nature of the breach. It’s difficult to say how many public or private enforcement actions we will take in 2014.”

To get to the bottom of whether there is bias, let’s consider the evidence for each of the four years in which the ICO has been issuing Data Protection CMPs:

  • 2010: 1 public (£100,000), 1 private (£60,000)
  • 2011: 6 public (£540,000 in total), 1 private (£1000)
  • 2012: 20 public (£2,385,000 in total), 2 private (£200,000 in total), 1 charity (£70,000)
  • 2013: 10 public (£1,115,000 in total), 3 private (£330,000 in total)
  • TOTALS: 37 public (£4,140,000 in total), 7 private (£591,000 in total), 1 charity (£70,000)

There is no doubt that the private sector figure has gone up each year, but the Sony CMP in 2013 has a distorting effect. The private sector numbers are so low that Sony’s £250,000 CMP accounts for more than 40% of the private sector total across all four years. Equally, the number of public sector CMPs is markedly down in 2013, but they still dwarf the private sector, and in any case, the drop in public sector enforcement is probably accounted for by the fact that a public sector organisation successfully overturned its CMP (Scottish Borders Council), showing up significant flaws in the ICO’s approach as it did so.

And consider these nuggets:

  • The highest CMP served (£325,000) was on a public sector organisation
  • Of the five CMPs that were £200,000 or above, only one (£250,000 on Sony) was served on a private sector organisation
  • Ignoring the two CMPs that were reduced because of the state of the Data Controller’s finances (both private sector), the lowest CMP served was on a private sector organisation (£50,000 on Prudential Insurance)
  • The only CMP successfully overturned was on a public sector organisation (£250,000 on Scottish Borders Council)
  • Of the seven private sector CMPs, only two were over £100,000 (of the 45 CMPs issued overall, 16 were below £100,000, 29 were £100,000 or over)
  • The ICO has served more CMPs on the NHS alone (9) than the whole of the private sector (7)
  • The ICO has served more than three times as many CMPs on local government (24) as it has on the whole of the private sector (7)
  • The ICO has twice served CMPs on public sector organisations that have been wound up and did not exist when the CMP was served (NHS Surrey and Stockport PCT for £200,000 and £100,000 respectively)
  • The first CMP issued against a private sector organisation was against A4e. A4e’s CMP was £60,000, the third lowest CMP if you disregard the two reduced CMPs. In a single year, A4e paid a bonus to its Chief Executive of £8.6million

If you want to believe that the ICO’s DP enforcement is an accurate reflection of Data Protection compliance in the UK, feel free to do so. All of my personal experience, the anecdotes I have heard over the years, and everything I have been told by private sector DP people tells me the opposite. Moreover, the ICO’s Annual Report suggests something different. In 2012-13, the sector with the highest number of complaints was lenders with 17% of the total (local government, who account for the bulk of the enforcement, came in second with 11%). 47% of the complaints (the largest group) were about subject access, with disclosure coming in second at 19% and inaccuracy coming in third at 16%. There have been no subject access related CMPs, none related to disclosure, and only one about accuracy (needless to say, that was a private sector one). The Annual Report does not break down the complaints in terms of sector outcome, and it also only shows the top eleven most complained about sectors. However, private sector organisations account for at least 37% of the total, while the public sector accounts for 35%. So if 35% of all complaints result in ‘compliance unlikely’, while only 22% were ‘compliance likely’, unless the ICO can confirm otherwise, it’s reasonable to assume that the private sector have more than their fair share of breaches.

The ICO’s DP enforcement is skewed by an obsession with security, and a reliance on self-reporting above all other things. The private sector does not own up but the public sector does, as the ICO’s own Technology adviser admitted. On page 3 of the Information Commissioner’s ‘Regulatory Action Strategy‘, the following statement can be found: “In selecting areas for attention we will bear in mind the extent to which market forces can themselves act as a regulator”. I asked the ICO under FOI for any evidence that they hold establishing that market forces act as a regulator. They admitted that they had no evidence at all to back up this assertion. It’s an unfounded statement to justify inaction against the private sector under DP.

The ICO’s approach to Data Protection enforcement is biased against the public sector, and public sector bodies have far more to fear from them.

Insert knob gag here

Last night, I received a charming email message from Theresa May, revelling in all the foreigners she has kept out of the country before asking me for money. I’m paraphrasing slightly. I regret that politicians don’t have the time to keep me in the loop as much as I’m sure they’d like – I’d really like to know more about Michael Gove’s crusade to keep rudeness out of politics (presumably, he just wants it directed at his civil servants). So perhaps I should not be churlish when one of them gets in touch.

But as Theresa is supposed to be responsible for law and order, I find myself pedantically drawn to point out that her email was almost certainly illegal.

The Privacy and Electronic Communications (EC Directive) Regulations – universally and hilariously known by the acronym PECR (say it out loud) – require organisations wanting to send direct marketing emails to obtain prior consent before doing so. Much as politicians would like to think different, exhorting a member of the public to vote, to donate or support a campaign is direct marketing – both the Information Commissioner and the Tribunal have said this, and the four major political parties in the UK (Conservatives, Labour, LibDems and the Scottish Nationalists) have all received enforcement notices under PECR as a result. So unless the Conservatives have obtained my direct consent to send me these marketing emails, they’ve breached PECR and possibly Data Protection as well.

I have three email addresses – one I use for business purposes which is published on the internet. In PECR terms, I am a corporate subscriber for this address, and cannot complain about spam if I receive it. My other two email addresses are personal ones – in PECR terms, I am an individual subscriber for both. One I use for a lot of general correspondence, the other I use for competitions, surveys and other situations where I think that the person I am giving it to might send me spam emails. If I was to fill in a survey or a petition – the only place I can imagine the Tories might have obtained my email address from – I would always use the third spammy one. What’s interesting about Theresa’s email is that it was sent to the middle one – the personal address that I am more likely to read, but which is not published on the internet like my business one, and is not on all the dodgy databases that list brokers hawk, often illegitimately, as ‘opted-in data’.

In short, the Conservative Party must be able to explain how they fairly obtained an email address that I am 99% certain I would not have ever given to them, or anyone affiliated to them. This is not because I am particularly anti-Tory – I am left-wing, but I have equal contempt for all parties and politicians and avoid them all with the same diligence. Unless they can show me clearly where they got my email from and that they did so fairly (as opposed to scraping it from somewhere or buying a shonky database), they may well have breached the First Data Protection principle.

And that’s the sideshow. PECR is engagingly blunt – even if I have answered a petition or survey and unintentionally used this email address, the Conservative Party would still need my consent before sending me emails. The so-called ‘soft opt-in’ – which allows an opt-out in prescribed circumstances – applies only to sales or negotiation for a sale, conditions which would not apply to a political party.

I’ve written to the Conservatives to ask for the following information:

  • Where they obtained my email address from
  • How they obtained my consent, and a copy of the web page or document on which I indicated my consent to receive emails from them

Under Section 7 of the Data Protection Act, the Conservatives are obliged to provide me with any personal data they hold about me, and also to confirm the source from which they obtained my personal data (in this case, my personal email address). They could, of course, charge me £10 for this information, but given that the person responsible for maintaining law and order in this country has put their name on  correspondence that I am pretty certain breaks the law, I think it would be polite of them to waive the fee.

Nothing is certain – I’m not going to complain to the Information Commissioner until the Conservatives show me what they did / did not do around consent. However, the current Parliament is past the halfway point, and we’re heading down a long, relentless slope towards a general election which will no doubt inspire a marketing frenzy, especially on social media, email, text and phone. It is very important that all politicians remember that PECR gives us all something very valuable for the latter three channels – easy and straightforward rights to be LEFT ALONE. The law applies to them, just as much as it does to anyone else. If you are bothered by unwelcome marketing from politicians, why not ask them the same questions I have above?

And now, a message from our sponsors

Last weekend, the media was full of stories featuring Richard Herman, who has come up with the remarkable wheeze of suing a company who made cold calls to him, charging them £10 a minute if they call. If you didn’t see Mr Herman on BBC Breakfast, hear him on Radio 4’s Today programme or Moneybox, you may well have read about him in many of the papers. The most detailed coverage is in the Daily Mail, complete with endearingly naturalistic pictures of Mr Herman enjoying his success.

The tone of the stories (and many of the people tweeting about them) was universally positive. This was David marching up to Goliath and kicking him in the nads. So is there anything else to say, other than to congratulate Mr Herman for landing a blow for the rest of us?

Well, for one thing, Mr Herman didn’t really win. The Mail reports a ‘stunning victory’ where “a cold-call firm has been forced to pay compensation to a businessman after he took it to court for wasting his time”. What happened is that the firm didn’t bother to contest the case and paid up because it was probably cheaper to do so. Herman is encouraging others to follow him, but he’s got no evidence that his approach would work for anyone else. Those with long memories may remember Nigel Roberts, another aggrieved small businessman who sued for nuisance emails under PECR way back in 2006. He was equally hopeful that he would start an avalanche of private action, despite the fact that had the case been contested, the spammers might well have been able to defend themselves on the basis that they thought Roberts’ address was a business address, and the ‘damage’ suffered by Roberts was negligible, as Pinsent Masons pointed out here at the time: http://www.out-law.com/page-6503. Faced with more than a few claims based on the Herman Method, a PPI company might well find it worthwhile to contest the £10 a minute wheeze, and then we’re back to square one.

Mr Herman does deserve congratulations for persuading so many journalists to give him so much free advertising. When interviewed on Saturday’s Today programme, Herman mentioned call recording in virtually every answer. Recording the call is essential; otherwise, you can’t prove that they called you despite entering into a contract to pay you £10 a minute by doing so. On his website, Herman says “I am just an ordinary person and I give this information to help people like myself” and “I set up saynotocoldcalls.com to be non commercial and non profit making, just so that people could copy the letters that I wrote for their own use”. Only in the forums does Richard overcome his modesty and admit that he does also happen to own a call recording software company. It’s clearly a coincidence that in the Mail photos, he is wearing his company branded shirt (it was probably the only thing clean in the house), while his computer just happened to have his software on it when the picture was taken. You can imagine the argument as he tried to stand in the garden wearing a Black Sabbath t-shirt, but the Mail’s photographer insisted.

Herman’s wheeze is an extended advert for the merits of call recording, and if he says that his interest in call recording is irrelevant to his campaign, I do not believe him. There is nothing inherently wrong with Herman hawking his wares – if I could get myself on the TV to tell you all that training is absolutely vital and you could be fined for not doing it, I’d be straight in there. Picture me now wearing a 2040 branded polo neck (NB: I don’t have one of these), sternly regarding a brace of ICO CMP notices, and lecturing you all on how the ICO only gives you credit for external training (NB: they don’t). Every time I have a pop at the Information Commissioner’s Office, you are more than entitled to ignore me because I have vested interest in the Commissioner taking action. If they still adopted the Richard Thomas model of ‘say nothing, act casual’, I’d get less work.  To be fair, recording calls may garner good evidence if you want to challenge the scumbags currently flogging PPI reclaims, and so buying Herman’s product may actually be a good idea. But Herman’s easy ride shows a credulous media with insufficient willingness to probe. Evan Davis even raised the issue when interviewing Herman on Today, and they all laughed as he went for another call-recording plug in his answer.

If you don’t think that the whole business is just a shill for call recording, there’s still a problem. Herman’s YouTube video is confusing – he says that he complained to the ICO, and they wrote back to him saying that the calls did not appear to have been made from the UK. The ICO response will have been based on what he told them – if they had the impression that he was receiving calls from foreign countries, they would obviously and correctly say that they could do nothing. But if this was the case, neither could Herman – the Small Claims Court is no more able to force foreign companies to pay compensation than the ICO is capable of making non-EU companies comply with PECR. Either Herman doesn’t understand this, or he is deliberately painting the ICO as powerless. His website is bullish: “There is no point in contacting The Information Commissioner, they do not take any action.” Call recordings may help you to succeed in court (any lawyers’ views on this would be welcome), but you don’t need them to complain to the ICO. If the person who handled Herman’s complaint didn’t properly investigate it, then the ICO should account for that. We know now that the calls were indeed instigated by UK companies who are subject to PECR, so if they had the right information, they should have dealt with it. But if Herman’s complaint implied, even inadvertently, that he was getting robocalls from companies in the Far East, he only has himself to blame if the ICO didn’t pursue his complaint. Having established that they were UK-based, Herman does not mention whether he went back to the ICO; I’m guessing he didn’t.

Like Roberts before him, Mr Herman offers an attractive narrative of the little guy scoring a great blow against the perfidious scam-hawkers. The amount of texts and junk calls endured by UK citizens is appalling, and it’s in the interests of everyone in the path of the deluge that the problem be solved. But Herman, his call recording software and the Small Claims Court are not the solution. To have any real effect on the huge profits of the claims management industry and the spammers who feed them, thousands of people would have to record their calls, fill out the claim forms, pay the fee and hope that they get the same result as him. That sounds like a recipe for a lot of call recording software being sold without the wider problem actually getting sorted out.

The PPI claims calls are the result of two things – the deregulation of legal claims (touting for business in this way used to be flat-out illegal, so thanks to Labour for changing that) and the fact that banks routinely and enthusiastically mis-sold Payment Protection Insurance. Mr Herman says he feels sorry for the banks on his website, so for that, he can piss right off. Only because the banks did what they did, and now tell everyone how much cash they’ve had to set aside to compensate for their excesses are any of us getting these calls. We have this problem and I think the solution is enthusiastic and concerted action from the regulators, both the ICO and those that regulate claims management and related industries. Ironically, the ICO announced last month that it was seeking to issue penalties in the region of £250,000 for spam texts. Despite Herman’s claim, this suggests that they might be doing something. The worst thing for the public to do now is buy the snake oil and send the Commissioner the message that they’d rather do it for themselves.

I’m usually the person arguing against the ICO, and I am not converted now. I just think that Herman’s solution is privatisation, every man for himself. It’s worse than complaining to the ICO. If you’re affected by PPI calls and you want to do something about it, I think that you should play your small part in helping everyone. A guide to nuisance calls which appears to be the work of the Ministry of Justice, the ICO, OFCOM and a bunch of other people, carries a heavy emphasis throughout: complain. Complain, complain, complain, all the way through. Note down everything about the call that might identify who made it and complain to the ICO. Put the pressure on, and see if they deliver. The phrase ‘we’re all in this together’ has long since become a bad joke, but problems like the avalanche of PPI calls won’t be solved by people acting individually. Herman’s ‘stunning victory’ won’t stop a single call to anyone else – only the ICO and the other regulators have any chance of doing that. Given their record of inactivity on any number of fronts, the ICO has no right to the benefit of the doubt. But we should expect them to do their job, and hold them to account if they don’t.

And if this doesn’t convince you, do you really want to trust a man who thinks he’s Kirk Douglas?

Mother! Eat the Cookie! Eat It!

My favourite part of the Information Commissioner’s website is the blog, where a succession of ICO notables talk about how marvellous their particular corner of the business is. The enterprise appears to be modelled on the Opinion section of The Onion, and I look forward to each new instalment with childlike enthusiasm. I’m really hoping they let the Internal Compliance people do one about people who make subject access requests in green ink. They have my permission to publish the mugshot from my driving licence.

In the meantime, the one entitled ‘Education key to cookie law success’ by Dave Evans is certainly worth a read. Evans opens his post with the startling claim that “One area where I’ve seen most progress is cookie guidance”, a statement that makes sense only if he’s talking about the document produced by the International Chamber of Commerce, but the rest of the blog is definitely about the apparently marvellous work the ICO has been doing on cookies. I’ve been running – with a growing sense of futility – online courses on the cookie law for more than a year, and in the context of the ICO, “success” and “cookies” are phrases that repel each other like the opposing poles of a magnet. Cookies affect the private sector at least as much as the public sector, and often, much more so. This perhaps explains why the ICO has found it so challenging. Consider some of the landmarks:

  • The ICO published guidance called ‘Changes to the rules on using cookies and similar technologies for storing information’ on 9th May 2011 that stated: “The new legislation comes into force on 26 May 2011. You need to take steps now to prepare and ensure you are ready to comply.” The Commissioner himself ‘urged’ website owners to get to work in an associated press release:
  • Two weeks later, the day before the regulations came into force, the ICO suddenly decided not to enforce this same law for a year.
  • Even though the Commissioner’s slightly patronising school-themed ‘Half-Term Report’ of December 2011 included the comment that “if you are struggling with this part of the rule you are seriously lagging behind”, six months later Dave Evans was reported by The Register to have said “We don’t expect all organisations not compliant on the 27th to have some evidence of taking action to be compliant.”
  • On 13th December 2011, the ICO stated that consent – the vital disputed issue at the centre of all the cookie confusion – “must involve some form of communication where an individual knowingly indicates their acceptance”. They deliberately highlighted this quote on their website. Two days before the ICO ended its self-imposed cookie enforcement abstinence in May 2012, they issued guidance that stated, “while explicit consent might allow for regulatory certainty and might be the most appropriate way to comply in some circumstances this does not mean that implied consent cannot be compliant”.

In other words, anything to avoid going after the private sector. This unwillingness to take action was underlined by an interview Evans gave to a website in April in which he said that the ICO might not enforce against someone breaching the cookie law, purely because the website might lose money: “if a company’s revenue would drop if it went for a strict opt-in, then we could look at different ways of educating users and gaining consent”. Every cookie case has already been pre-judged as not meeting the threshold for a civil monetary penalty.

Even though the ICO’s current position seems to be ‘whatever it is you’re doing about cookies is fine’, some in the web industry are so frustrated they have taken to goading the Commissioner to take action against them. The ICO’s response to this criticism probably reveals what lies behind the problem. A spokesman said: “It’s worth noting that this website criticises those regulations, but the ICO is responsible only for regulating those who must comply with the law, and not for how it was drafted

The ICO’s response raises the question of why the change happened in the first place. The argument about whether consent needs to be active or can be inferred from some specific action is a bit sterile – the intention of the change was clearly to shift the onus from users opting out to websites getting evidence of users’ preferences. In the old version of the Regulations, users of the internet were to be given “the opportunity to refuse the storage of or access to” a cookie; in the new version, users must have “given his or her consent”. Few of the EU’s citizens spend fretful nights over the lurking menace of cookies on their computers, even those who are concerned about their privacy. Subtly dropped onto your machine by unseen electronic tentacles, the cookie is more insidious than the noisy spam text, but it’s equally easy to get rid of. Most web browsers include an option to reject them outright or purge them at the click of a mouse. So why make the change?

My answer to this question is simple, and it goes some way to explaining the ICO’s clod-hopping reluctance to engage with the cookie changes. The cookie changes are their fault. Though the story is a familiar one to many, I’m surprised that it hasn’t been revisited more often in recent months. Some years ago, a company called Phorm started to hit the headlines. The Phorm product (WebWise) worked like this: ISPs provide data to Phorm about the browsing habits of their customers using a cookie. Websites access the cookie and, knowing what sites have been browsed, can display not just random adverts but ones tailored to the interests indicated by the recent browsing. Everyone makes money (except the user whose web browsing has been monetised).

Less ambitious / troubling versions of this idea are alive and well on the internet right now, but the idea of the ISP tracking your every move and selling the results to others didn’t go down very well with Joe Punter. The alleged KGB past of the company’s saturnine CEO Kent Ertugrul probably didn’t help public perception much, but what really lit a fire under Phorm was the revelation that the system had been tested by BT and none of the customers involved knew about it. I should probably put Phorm and BT’s side of the case: that what they did wasn’t a breach of anything, that no personal data was gathered etc. etc. But their interpretation doesn’t convince me and, more importantly, there was no reason to do the trial in secret. BT deserves opprobrium on that point alone. As the fury over the secret trial and the implications of the product itself increased, customers on all sides melted away, and Phorm pulled out of Europe altogether.

The ICO took no action against either Phorm or BT for the secret trial, and a perfect way to understand their approach is to track down a document entitled “Phorm: The ICO View”, published in April 2008, but no longer on their website (thanks, WhatDoTheyKnow for reminding me of it, and to @blepharon for this link). “Whether or not the deployment of the Phorm products raise matters of concern to the Commissioner will depend on the extent to which the assurances Phorm has provided so far are true. The Commissioner has no reason to doubt the information provided by Phorm but some technical experts have publicly expressed concerns.” The instinct when dealing with big organisations, ‘stakeholders’ or the private sector is to believe what you’re told, and to accommodate and ameliorate rather than act. It’s hard to imagine a council or NHS trust being given the same generous benefit of the doubt.

Look at Google. When dealing with the allegation that Google had secretly slurped Wi-Fi data from thousands of UK citizens, former Assistant Commissioner Phil Jones and Dave Evans (remember him?) met with Google, resulting in a decision to delete all the inconvenient and potentially incriminating data, with no further questions. Google was a valued stakeholder needing only a friendly meeting, rather than a data controller that might have breached the law. Evans’ blog states: “In my experience of working as the ICO’s industry strategic liaison manager, the vast majority of businesses want to operate within the law”. But Evans’ experience ought to show that the Streetview data turned out to be more personal than previously advertised, resulting in the ICO having to ask Google to sign an undertaking. Their press release at the time said that Google had been ‘instructed’ to sign, but the whole point of an undertaking is that it is voluntary. Only now that this undertaking has apparently been breached has Google Streetview finally been passed to the Head of Enforcement. Altogether, it’s not quite a ringing endorsement of strategic liaising.

The softly-softly approach is the hallmark of Phorm: believe what you’re told, take no action against the big player. To take action on the secret trial would have been to take on BT, a challenge for which the ICO showed no appetite. As a consequence, in addition to triggering infraction proceedings against the UK, I suspect the ICO’s decision that Phorm’s use of cookies did not breach privacy, data protection or surveillance law in the UK made a change to EU cookie law seem much more necessary. Monitoring and exploitation of web-browsing data is precisely the kind of thing that makes a shift in the balance necessary – had the ICO attempted to argue that the legal status quo did have something to say about Phorm, I doubt we’d be where we are now.

To misquote The Dark Knight, I believe in Chris Graham, the current commissioner. He clearly has more guts than his predecessor, he sorted out the shameful FOI backlog, he has taken more enforcement action than any of the three previous Wilmslow incumbents put together, and his public persona is polite but increasingly pugnacious, precisely the kind of attitude to persuade recalcitrant organisations to take Data Protection seriously. But the cookie debacle is evidence of the Old ICO alive and well: vague, deferential, ineffectual, and embarrassing. In other words, nobody’s definition of success.

NB: The tradition in writing about cookies is to use one of a limited number of obvious cookies puns or references in the title. I have chosen the most obscure I can think of, and if you recognise it, you should be as ashamed of yourself as I am.