Hand in the Cookie Jar? Never Mind.

May 11, 2011

When my wife got back from the gym yesterday to find me in bed with Angelina Jolie, Cameron Diaz and another famous film star whose identity cannot be revealed because of a super-injunction, I feared that there might be a bit of a row and that she might well insist that I bring an end to all shenanigans with Jolie, Diaz and X immediately. Fortunately, she had been reading the latest guidance from the Information Commissioner’s Office on the implementation of the amendments to the Privacy and Electronic Communications Regulations that very morning. Such is her respect for Christopher Graham that she has decided to follow his creed: I demonstrated a realistic plan to achieve compliance at some indeterminate date in the future and she was happy. The key point, said the wife, is that I am not to ignore the rules; merely failing to comply with them is not so bad.

You may think that no regulator of data protection could possibly take such a light approach to breaches of data protection law. But here is what the ICO actually said, under the heading ‘What will happen to me if I don’t do anything?’, about the need to comply with the new requirement enshrined in law that web site owners gain each user’s consent to the storing of information from them on the user’s computer or mobile device:

‘The government’s view is that there should be a phased approach to the implementation of these changes. In light of this if the ICO were to receive a complaint about a website, we would expect an organisation’s response to set out how they have considered the points above and that they have a realistic plan to achieve compliance. We would handle this sort of response very differently to one from an organisation which decides to avoid making any change to current practice. The key point is that you cannot ignore these rules.’

And if just deciding not to enforce the requirement seems strange, what about those opening words referring to the government view? Isn’t the ICO supposed to be an independent regulator?

The whole thing smacks of the sort of approach to enforcement of EU regulation that we have long thought to be the preserve of the more southerly Member States. I don’t doubt that compliance is challenging but it has got a lot more challenging because so many of those affected have pretended that they need to do nothing. That the ICO plays along with that attitude seems strange indeed.

Meanwhile, things have calmed down in the Eastham household. Jolie, Diaz, X and the wife are all hoping for a pop-up solution. I am not sure I have the technology.