Request for full disclosure of BERRs response to the EU commission

P Seurre made this Freedom of Information request to Department for Business, Enterprise and Regulatory Reform

This request has been closed to new correspondence from the public body. Contact us if you think it ought be re-opened.

Dear Sir or Madam,

BERR have recently responded to the EU commissions request for information on the potentially illegal trials undertaken by phorm and BT, however it would appear that BERR have chosen to not fully release the contents of this reply.

Please could you provide a copy of the entire response that was provided to the EU commission.

Yours faithfully,

Patrick Seurre

Francis Irving left an annotation ()

Blog post from the Open Rights Group which explains context of this request http://www.openrightsgroup.org/2008/09/1...

Anon left an annotation ()

You can discuss the BERR response to the EU along with other discussions regarding general online privacy on the following forum: https://nodpi.org

Dear Sir or Madam,

I believe that you are supposed to reply within 20 working days. My understanding that failure to do so is against the law. I would appreciate a reply to my FoI request. If such a reply is not forthcoming within the next day or so then I may consider asking for a review of this failure to provide an answer to a simple request.

Yours sincerely,

Patrick Seurre

Balchin Patrick (BR2),

Dear Mr Seurre

Thank you for your e-mail of 15 October 2008 09:26.

I can confirm that you will receive a reply this afternoon.

Regards

Patrick Balchin

Patrick Balchin,
Department for Business, Enterprise and Regulatory Reform,
1 Victoria Street
London
SW1H 0ET
Direct Tel: 0207 215 1772
E-mail [email address]
[1]http://www.getsafeonline.org/

show quoted sections

Communications via the GSi may be automatically logged, monitored and/or
recorded for legal purposes.

References

Visible links
1. http://www.getsafeonline.org/

Balchin Patrick (BR2),

1 Attachment

Dear Mr Seurre

I refer to your request of 17 September 2008 made under the Freedom of
Information Act 2000.

Please find the reply to your enquiry attached.

Please accept my sincere apologies for being one day late with the
reply.

Yours sincerely

Patrick Balchin

<<Final reply sent to Patrick Seurre re FoI case 08-0617.doc>>
Patrick Balchin,
Department for Business, Enterprise and Regulatory Reform,
1 Victoria Street
London
SW1H 0ET
Direct Tel: 0207 215 1772
E-mail [email address]
[1]http://www.getsafeonline.org/

show quoted sections

Communications via the GSi may be automatically logged, monitored and/or
recorded for legal purposes.

References

Visible links
1. http://www.getsafeonline.org/

Dear Balchin Patrick (BR2),

In regards to the following section of your reply:

'Section 27 (1) (b) exempts information if its disclosure would, or would be likely to prejudice, relations between the United Kingdom and any international organisation. This would include, for example, the European Commission.'

The letter in question has been sent to the European commission. The idea that its release would have the effect you're talking about is not something I think most people would accept. They already have a copy! The EU seem also quite happy to release what they have said (a full copy of their initial letter sent to the UK government is easily available) so any inhibition appears to exist solely in the mind of the UK government.

You also mention negotiations. There are no negotiations at this stage. The EU has simply asked why the government here believes that Phorm does not contravene EU law that should be implemented in the UK. Where are the negotiations? This is a red herring as I'm concerned, since this has nothing to do with the current situation in regards to this letter.

As a result I don't believe that this is an acceptable part of any refusal to release the contents of the letter to the general public.

In regards to this section of your reply:

'Section 35 (1) (a) provides that information is exempt if it relates to the formulation or development of government policy'

I'm curious: how can explaining the assertions given out by the government that Phorm does not break the law be considered as development or formulation of government policy? This point is invalid too in my opinion (unless you're proposing that the government wants to allow private enterprises the option of ignoring laws it doesn't like).

I don't believe that anything contained in the letter that you have provided amounts to a reasonable refusal under the Freedom of Information act. As a consequence of this I would like to request an internal review of this decision.

Yours sincerely,

Patrick Seurre

Balchin Patrick (BR2),

Dear Mr Seurre
Thank you for your e-mail of 15 October requesting an internal review to
the FoI response you received.

I would be grateful if you would treat this e-mail as acknowledgement
that I have received your request and duly noted it.

Yours sincerely

Patrick Balchin

Patrick Balchin,
Department for Business, Enterprise and Regulatory Reform,
1 Victoria Street
London
SW1H 0ET
Direct Tel: 0207 215 1772
E-mail [email address]
http://www.getsafeonline.org/

show quoted sections

Richard McMillan left an annotation ()

Text of the letter in question, addressed to Kim Darroch:

Dear Sir,

I am writing to you in relation to certain issues arising from the past and future deployment by some major United Kingdom Internet Service providers of the technology provided by a company called 'Phorm' to serve their customers with targeted advertisements based on prior analysis of these customers' internet usage.

In March 2008, a number of news items appeared in the media concerning the planned use by United Kingdom ISPs of the Phorm technology. Many of these publications raised issues concerning the impact of this technology on the privacy of Internet users. The information published on the web also included an e-petition submitted to the Prime Minister and a complaint made to the Information Commissioner's Office (ICO). In addition, in early April 2008, BT published a briefing according to which it had performed trials of the Phorm technology in autumn 2006 and summer 2007. In a TV interview, a BT representative confirmed that these trials had been performed without informing the customers affected and obtaining their consent.

The European Commission has already been contacted by Members of the European Parliament from the United Kingdom who communicated the concerns of their constituents regarding the deployment of Phorm technology. The issue has also been the subject of several written parliamentary questions addressed to the Commission by MEPs asking the Commission to comment on the applicability of WU legislation and also to set out its intended action in relation to the previous trials. Finally, a number of individuals have also written to the Commission directly to express their concerns and invite it to intervene in the matter.

In order to provide the response that is expected from it, the Commission needs to base itself on a clear understanding of the position of the United Kingdom authorities. Several EU law provisions concerning privacy and electronic communications may be applicable to other activities involved in the deploment of Phorm technology by ISPs.

In particular, Directive 2002/58/EC on privacy and electronic communications, which particularises and complements for the electronic communications sector the general personal data protection principles defined in the directive 94/45/EC (Data Protection Directive), obliges Member States to ensure the confidentiality of communications and related traffic through national legislation. They are required to prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than the users without their consent (Article 5(1)). The consent must be freely given, specific and an informed indication of the user's wishes (Article 2(h) of Directive 95/46/EC). Traffic data may only be processed for certain defined purposes and for a limited period. The subscriber must be informed about the processing of traffic data and, depending on the purpose of processing, prior consent of the subscriber or user must be obtained (Article 6 of Directive 2002/58/EC).

In the light of the above, we would highly appreciate it if the United Kingdom authorities could provide us with information on (1) the current handling by the United Kingdom authorities of the issues arising from the past trials of the Phorm technology by BT and on (2) the position of the United Kingdom authorities regarding the planned deployment of the Phorm technology by ISPs.

As regards the first issue, according to applicable EU law the responsibility for investigating complaints concerning such trials and determining whether the national legal provisions implementing the requirements of the relevant EU legislation have been complied with lies with the competent national authority(-ies) in the United Kingdom. The Information Commissioner's Office (ICO), which is responsible for enforcing the United Kingdom Data Protection Act 1998 (DPA) and Privacy and Electronic Communications Regulations 2003 (PECR), has made a number of statements on Phorm. In its latest published statement of 18 April 2008, the ICO analyses the conformity of the deployment of the Phorm technology with the DPA and the PECR. At the same time, the ICO indicates that it does not have responsibility for enforcing the Regulation of Investigatory Powers Act 2000 (RIPA), which has been invoked by some individuals who question whether the use of Phorm entails an unlawful interception of communications under this Regulation. In this respect, the ICO refers to a statement by the Home Office, which says that it is questionable whether the use of Phorm's technology involves an interception within the meaning of RIPA and that it does not consider that RIPA was intended to cover such situations. The ICO concludes on the issue of RIPA by stating that it will not be pursuing this matter. At the same time, the ICO statement does not include any indication as regards the intentions of the ICO in relation to the investigation of possible breaches of other relevant legal provisions* in the past trials of the Phorm technology.

Second, as regards the issues arising with regard to the planned future deployment of the Phorm technology, there appears to be a certain discrepancy between how it is envisaged by the ICO, the ISPs and Phorm itself. One of the most significant issues in this regard is the way in which customers will express their consent to the application of Phorm technology in their case. While the ICO seems to suggest that the consent of users for the Phorm technology should be on an opt-in basis and also BT seems to confirm this approach, Phorm has indicated that it intends to tackle user consent through providing 'transparent meaningful user notice'.

I would therefore be grateful to receive the response of the United Kingdom authorities on the following questions:

1. What are the United Kingdom laws and other legal acts which govern activities falling within the scope of Articles 5(1) and 6 of Directive 2002/58/EC on privacy and electronic communications and Articles 6, 7 and 17(1) of Directive 95/46/EC?

2. Which United Kingdom authority(-ies) is (are) competent (i) to investigate whether there have been any breaches of the national law transposing each of the above-mentioned provisions of Community law arising from the past trials of Phorm technology carried out by BT and (ii) to impose any penalties for infringement of those provisions where appropriate?

3. Have there been any investigations about the past trials of Phorm technology by BT and what were their results and the conclusions of the competent authority(-ies)? Are there ongoing investigations about possible similar activities by other ISPs?

4. What remedies, liability and sanctions are provided for by United Kingdom law in accordance with Article 15(2) of the Directive on privacy and electronic communications, which may be sought by users affected by the past trials of the Phorm technology and may be imposed by the competent United Kingdom authority(-ies) including the courts?

5. According to the information available to the United Kingdom authorities, what exactly will be the methodology followed by the ISPs in order to obtain their customers' consent for the deployment of Phorm technology in accordance with the relevant legal requirements and what is the United Kingdom authorities' assessment of this methodology?

Given the urgency of this matter I would highly appreciate receiving your reply within one month of receipt of this letter.

Yours sincerely,

Fabio Colasanti

Dear Balchin Patrick (BR2),

I appreciate the previous speedy reply that you sent me, however I note that you have given no indication as to when I can expect the review to be completed.

This appears to go against advice given out by the ICO (see: http://www.ico.gov.uk/upload/documents/l... - see the second and fourth bullet point on page 2).

The document linked to above also appears to mention that they would normally expect such reviews to be completed within the same 20 working day limit as the initial reply sent out for any request.

Please could you give some indication as to when the review will be completed.

I can appreciate that this is not the only request that you have to deal with, but unless I'm told otherwise I will assume that the same 20 day limit applies here and will be expecting the appeal to be concluded by Weds 19th November.

Yours sincerely,

Patrick Seurre

Balchin Patrick (BR2),

Dear Mr Seurre

Thank you for your e-mail.

BERR's target for completion of FOI internal reviews is twenty days as
recommended by the Information Commissioner, and in fact predates the
recommendation as it has been our target since 1 January 2005, when the
FOI access right came into force. However we reserve the right to take
longer if the case is complex. In all events we aim to respond to the
applicant in no more than 40 working days.

Yours sincerely

Patrick Balchin

show quoted sections

Dear Balchin Patrick (BR2),

It seems that I got the date wrong. 20 working days from the 15th puts the end of the period on the 12th Nov, not later than this as I had previously mentioned.

I have not yet recieved the results of the internal review. Please could you explain why this is as I have a hard time believing that this could be considered a complex case that requires further time.

Yours sincerely,

Patrick Seurre

Dear Balchin Patrick (BR2),

In addition to my previous message: I am beginning to suspect that this lack of an answer is little more than a delaying tactic, especially given the length of time taken to reply to other similar requests raised through the whatdotheyknow.com website.

If I do not recieve a reply before the end of Friday this week then I will be taking the matter up with the ICO directly as I do not believe that any more time than this should be required to complete the review.

Once again I appreciate that you probably have other matters to attend to, however any reply sent later than this represents an unacceptable delay in my opinion, especially since there has been no justification given for taking more than the recommended 20 days.

We're already on the 24th working day today by the way since the request for the review was initially made, and a little more than a calendar month. This just takes the review into account, never mind the initial request. I really would appreciate a reply ASAP.

Yours sincerely,

Patrick Seurre

Balchin Patrick (BR2),

Dear Mr Seurre
Thank you for your e-mail toady and the one you sent to me yesterday.

Please be assured of our best endeavours to reply to your request as
soon as possible.

Your sincerely

Patrick Balchin

Patrick Balchin,
Department for Business, Enterprise and Regulatory Reform,
1 Victoria Street
London
SW1H 0ET

show quoted sections

Dear Balchin Patrick (BR2),

With all due respect what you say may well be the case, but comments I've heard elsewhere - including my MP referring to the government as being 'impossible' over FoIA requests - leads me to suspect that such requests are not being dealt with as quickly as possible (although in all fairness he may not have been referring specifically to BERR in his reply).

I also note that your reply contains no explanation as to why this is taking so long. The suggested 20 day limit is supposed to be the maximum, not the suggested time at which the reply is sent (although even this has been exceeded in this case)

This limit has now been passed with no justification being given as to why this limit has been exceeded.

You have a single document. You have the choice of either standing by the original decision and withhold it or overriding the decision and release it. Where's the complexity that requires extra time?

I would appreciate knowing when the review will be completed by and why, if possible, more time is needed to complete the review.

Yours sincerely,

Patrick Seurre

Balchin Patrick (BR2),

Dear Mr Seurre
Thank you for your e-mail.

BERR's policy on the conduct of an internal review is laid out below:

1. Following complaints relating to the Freedom of Information Act or
Environmental Information Regulations, all requests for information must
be handled in accordance with the Freedom of Information Act. If
information has been withheld in response to a request, the applicant
can apply for the case to be reviewed internally by the Department.
2. Within BERR,
Internal reviews are normally carried out by the Director-General of the
appropriate policy area if the official (and his/her line management)
wish to uphold their original decision. The target for response is 20
working days unless the matter is complex.
Where the original refusal decision is taken by a Director General, the
Permanent Secretary or a Minister (including the Secretary of State),
the same person may undertake the internal review.
3. The review submission to the Director General should cover at
least:
* A short introduction for the Director General covering the
essentials of the FoI Act and a reminder of the Director General's role
in adjudicating internal reviews of non-disclosure
* a description of the information at issue
* any arguments in favour of the complainant's case
* the FoI exemption(s) relied on
* the arguments why, in the Directorate's view, the information
requested should continue to be refused (whether in part or in full),
insofar as an exemption is public interest tested, a discussion of the
public interest in disclosure weighed against the public interest in
maintaining the exemption
* any commentary on the application of the exemption(s) considered
relevant e.g. advice received from the FoI Clearing House, the IRU or
lawyers
* any further information relevant to the case
4. The submission should set out whether, given the passage of time,
information originally refused can now be disclosed. In these
circumstances the Director General should be specifically asked to
confirm whether the original refusal was correct and, in addition,
whether the information should now be disclosed.
5. The review case must set out both the complainant's and the
Department's position fully and impartially.
6. The response letter must inform the applicant of his/her further
right of appeal to the Information Commissioner.
7. It is usual (though not obligatory) for the Director General to
write directly to the complainant following the internal review. This
indicates to the complainant that the issues have been considered at an
authoritative level and by a person unconnected with the original
decision.
8. It is acceptable for the submission to include a draft reply to the
complainant.
9. As noted above, the BERR target for conducting internal reviews into
our administration of the FoI Act is 20 working days unless the matter
is complex.
10. The Information Rights Unit must be consulted on the preparation of
the review case. Specific advice will need to be sought from the Unit
where the complaint relates to a matter other than a refusal of
information.
11. These arrangements also apply to complaints regarding BERR's
administration of the Environmental Information Regulations.

For your information, a Director General within BERR is a member of the
Senior Civil Service and is the second most senior Civil Service grade
in the Department. It is the equivalent of a Grade 2 or a Deputy
Secretary in the previous terminology applied to such posts. A table
explaining these titles is attached for your convenience.

Yours sincelerely

Patrick Balchin

show quoted sections

Dear Balchin Patrick (BR2),

Thank you for the information, however this does not answer my question: when will the review be completed?

It may also be worth noting the lack of any information as to why BERR is treating this as a complex issue when there appears to be no complexity involved in this case. From my point of view this seems like a fairly simple decision.

I appreciate the time that you have taken in trying to keep me up to date and appropriately informed, but at the same time I do not believe that this delay is acceptable. I will still be raising the matter with the ICO next week if I have not recieved the results of the review by then - 28 working days after the request for a review - and will specifically ask them to look into the delay in this case (unless of course you can explain to me why there is a need for extra time in regards to decicing whether to release a single letter sent to the European commission).

The person conducting the review may or may not hold a senior position in the department, but with respect I don't see how this can justify the apparent delay in finishing the review.

Yours sincerely,

Patrick Seurre

Balchin Patrick (BR2),

Dear Mr Seurre

Thank you for your e-mail.

I have consulted with colleagues in the Department's Information Rights
Unit and they have sent me the following texxt, which I hope explains
the Department's policy on the timescale that can be invoked to
undertake an internal review.

"There is no prescription for internal reviews under the Act. The Code
of Practice under s45 lays down best practice for complaint handling,
but only says that target times should be "reasonable". It is the
Information Commissioner's opinion that "reasonable" should be taken to
mean a target of 20 working days and an absolute limit of 40."

I am pleased to be able to tell you that this department has had those
targets in place since 1 January 2005.

Yours sincerely

Patrick Balchin

Patrick Balchin,
Department for Business, Enterprise and Regulatory Reform,
1 Victoria Street
London
SW1H 0ET
Direct Tel: 0207 215 1772
E-mail [email address]
http://www.getsafeonline.org/
http://www.berr.gov.uk/whatwedo/sectors/...

show quoted sections

Dear Balchin Patrick (BR2),

I'd like to quote from the PDF file mentioned in one of my previous emails:

---
In view of all the above the Commissioner considers that a reasonable time for completing an internal review is 20 working days from the date of the request for review.
---

Note that no mention is made of 20 to 40 days here. Just 20 days.

And almost as importantly:

---
There may be a small number of cases which involve exceptional circumstances where it may be reasonable to take longer. In those circumstances, the public authority should, as a matter of good practice, notify the requester and explain why more time is needed.
---

So up to 40 days is not reasonable in the ICO's opinion if there is no justification for the delay, and there doesn't appear to be any such justification here otherwise you would have mentioned it (at least if you really do try and adhere to the recommendations of the ICO - the ICO also recommends that requesters such as myself be told why we're being asked to give you extra time when such time is needed).

Once again, I'm quite prepared to wait if I'm told why you need the extra time. You have not as yet done so.

If I don't get the results of the review by the start of next week, or at least an explanation of why you need extra time then I will be contacting the ICO.

I don't believe that more than 20 days constitutes a reasonable time in this case, and would like to know why the recommended target of 20 days has been exceeded here.

Yours sincerely,

Patrick Seurre

Balchin Patrick (BR2),

Dear Mr Seurre

I am pleased to be able to tell you that the internal review has now
been completed and a response will be sent to you later today .

Many thanks for your patience in this matter

Yours sincerely

Patrick Balchin

Patrick Balchin,
Department for Business, Enterprise and Regulatory Reform,
1 Victoria Street
London
SW1H 0ET
Direct Tel: 0207 215 1772
E-mail [email address]
http://www.getsafeonline.org/

show quoted sections

Dear Balchin Patrick (BR2),

Thank you for keeping me updated.

Yours sincerely,

Patrick Seurre

Balchin Patrick (BR2),

1 Attachment

  • Attachment

    Letter to Patrick Seurre from Mark Gibson Internal Review of FoI request.pdf

    308K Download View as HTML

Dear Mr Seurre

Freedom of Information case 08/0617

Further to my e-mail earlier this afternoon, please find attached the
decision of the internal review that you asked for.

Yours sincerely

Patrick Balchin

Patrick Balchin,
Department for Business, Enterprise and Regulatory Reform,
1 Victoria Street
London
SW1H 0ET
Direct Tel: 0207 215 1772
E-mail [email address]
http://www.getsafeonline.org/

show quoted sections