The Information Commissioner's Office has dropped an investigation into inadequate data protection by BT, prompting campaigners to say the privacy watchdog will not pursue large corporations due to legal expenses.
The investigation, which was launched after the disclosure of BT customer details involved in an alleged file-sharing case, found that BT should not be held responsible for the actions of one of its employees.
"Where it is found that the data controller has adequate policies and safeguards already in place, the usual and most appropriate outcome in these cases is disciplinary action taken by the employer," said a spokeswoman for the Information Commissioner's Office (ICO) on Wednesday.
The ICO investigation focused on BT's broadband subsidiary PlusNet, which sent unencrypted customer details to solicitors ACS:Law as part of an alleged copyright case. The customer data was leaked onto the internet following a distributed denial-of-service attack on ACS:Law. The solicitor firm has since attempted to drop the cases, and the customer information is still available online.
The decision will set a precedent that will have the effect of making large corporations immune from aspects of data-protection law, according to campaign group Privacy International.
"It's an incredibly dangerous precedent," said Privacy International campaigner Alex Hanff. "If companies aren't responsible for the actions of their employees, performed when working for their employers, where does that leave us on data-protection negligence?"
Hanff suggested that the ICO cannot afford to take large companies to court, which effectively puts corporations beyond its reach. He noted that the watchdog, which has the power to fine organisations up to £500,000, has not attempted to impose any penalty on BT for disclosing unencrypted customer details. In addition, it did not fine Google over its collection of unsecured Wi-Fi data.
Instead, the privacy watchdog has concentrated on fining smaller, public-sector organisations with more limited means to fight cases, said Hanff. "The ICO would seriously struggle to bring a large action to court, because of the legal fees," he said.
The ICO responded that it takes each case on its merits and will pursue large companies if the need arises.
"We have a full understanding of our powers and are not afraid to use them where action is justified," said the ICO spokeswoman. "Enforcing and defending the rights of the UK public under the Data Protection Act has always been — and remains — central to the work of the Information Commissioner's Office."
A BT spokeswoman declined to comment on the ICO investigation or any legal discussions, and declined to say whether disciplinary action against any BT employees had taken place as a result of the breach.