Criticisms Hit ICO for ‘Error of Judgment’ On ACS:Law Data Protection Lapses

Jay Decenella, IT audit expert
May 11, 2011 /

A data privacy group has slammed on Tuesday the Information Commissioner’s Office (ICO) for reducing the financial penalty against a law firm charged with violating data protection laws because it had gone dormant.

Information Commissioner Christopher Graham received criticisms from Privacy International for slashing the fines of £200,000 against ACS:Law, as he initially announced, to only £1,000 after the law firm has stopped trading.

The ICO was previously criticized by privacy groups when it gave Google Inc. only a slap on the wrist after the search giant’s Street Views cars inadvertently collected highly sensitive data of German users last year. Google could have been fined £500,000 but the ICO had reduced the penalty to an undertaking in which the search giant vowed to improve the way it handles personal data.

Yesterday, the ICO fined ACS:Law solicitor Andrew Crossley with £1,000 after he had allegedly violated the Data Protection Act when details of thousands of file sharers in the law firm’s Web site were leaked September last year.

According to Graham, the law firm could have been fined £200,000, given the severity of the data breach, had it not ceased its business. The responsibility to pay the fine falls on Crossley as he was a sole trader, Graham noted.

The penalty would then beat ICO’s largest fine so far, which was imposed on Hertfordshire County Council after its employees sent personal data of sexually abused children to wrong recipients twice through fax.

Privacy International director Simon Davies said the information commissioner has just created a “corporate loophole” for companies that violate the Data Protection Act in his decision.

According to Davies, the decision tells company directors that they can violate the Data Protection Act and put the firm’s business to a halt for a moment to avoid getting penalized.

Davies described Graham’s ruling to be “another monumental error of judgement” and accused the ICO of failing to understand the implication of the decision.

He was quoted by reports as saying the ruling could mean that “the basis of corporate immunity is closure of a company.”

However, Graham defended his decision, saying “penalties are a tool for achieving compliance with the law and, as set out in our criteria, we take people’s circumstances and their ability to pay into account.”

In September 2010, the ACS:Law Web site suffered distributed denial of service (DDoS) attack launched by hacktivist group Anonymous, resulting in the leakage of personal details of thousands of file sharers.

The Web site has been the subject of several hacking forums due to its controversial actions against people it charges with illegal file sharing.

In his decision favoring the defendants over ACS:Law’s illegal file sharing claim last month, Judge Birss described Crossley’s actions to be “amateurish and slipshod” and said he “brought the legal profession into disrepute.”

Birss ruled that Crossley breached the solicitors’ code of conduct when his law firm sent thousands of letters to people who were accused of illegal downloading. The letter sought about £500 in settlement.

 

Share your opinion