14 DAY TRIAL // UK privacy advocates are strongly criticizing the Information Commissioner's Office for dropping its investigation into Data Protection Act violations committed by BT when sending unencrypted customers details to a law firm.
The investigation began last September when an email database was leaked from ACS:Law, a law firm engaged in a controversial form of copyright litigation dubbed speculative invoicing.
This involves law firms working for the entertainment industry obtaining court orders that force ISPs to release the details of customers suspected of copyright infringement based on Internet activity tied to their IP address.
The law firms then email these individuals and offer them the possibility to settle the accusations by paying a sum of money or risk being taken to court.
Through this procedure, BT was forced to release contact information for some of its Plusnet broadband customers to ACS:Law.
The subsequent email leak showed that the company sent the data in unencrypted Excel documents, which would consist a violation of the Data Protection Act provisions.
The Information Commissioner's Office (ICO) launched an investigation into the matter, but recently announced that it will drop the probe because it was a BT employee who did the mistake, not the company.
"Where it is found that the data controller has adequate policies and safeguards already in place, the usual and most appropriate outcome in these cases is disciplinary action taken by the employer," an ICO spokesperson said, according to The Register.
Alex Hanff of Privacy International is not happy at all with the outcome and calls the ICO incompetent and Information Commissioner Christopher Graham unfit for the job.
"This is an incredibly dangerous decision for the ICO to have made as it effectively dissolves any pretence that a company is responsible for the actions of their employees at work," said Mr. Hanff.
"So whereas we already had a very weak Data Protection regime due to lack of enforcement and regulatory capture - we now effectively have no Data Protection regime with regards to corporate breaches of the Data Protection Act," he concluded.