In June 2011 the ICO threw out a complaint by PI and No-CCTV against a company called 'Internet Eyes', a subscription site offering a cash bounty to anyone who scans online CCTV images and reports alleged shoplifters. We asserted that the enterprise was in breach of data protection but the ICO disagreed, deciding instead to allow the company to proceed subject to signing an undertaking of good behaviour.
At the time, Privacy International described the decision to mandate bad information practices through an undertaking of good conduct as being the equivalent of "requiring the doctor for a prison execution chamber to sign a Health and Safety undertaking". In our view Undertakings have become an easy way out for the regulator and for transgressors. In many circumstances they are a licence to conditionally continue bad privacy practices.
The decision alarmed many rights advocates but did not come as a surprise to PI, which in almost twenty years has almost never secured a successful complaint with the ICO even when colleague commissioners across Europe had supported our position. This was the case particularly with fingerprinting of school children, Google Street View, wireless network harvesting, privacy settings on Social Networking sites, online advertising, financial privacy, data sharing, electronic visual surveillance, road & traffic surveillance and regulation of offshore Internet companies.
The decision to require an undertaking, although constituting ninety percent of all regulatory action by the ICO, is subject to no formal guidance. Senior officials at the ICO clearly recognized that the decision to issue an undertaking was an error of judgment, but by the time they had learned of the decision the course of action could not be reversed. They instead decided to engineer aggressive media management to bury a potentially critical news story.
The ICO, which is in effect a quasi-judicial body, had in our view always exhibited a bizarre internal culture that was far removed from the consistent advocacy demonstrated by some other regulators. It has traditionally taken a pragmatic rather than a principled position on privacy issues, hence the almost complete absence of judgments in favour of stronger privacy.