Failed UK dotcoms stir up privacy storm

Personal information gleaned from the databases of failed UK dotcoms is being sold in the US to the highest bidder.

There was considerable anger among privacy watchdogs in the US when it was discovered that UK-based boo.com, Toysmart and Craftshop, which had UK customers, all sold off their databases when they went into receivership.

It is understood that this information included phone and credit card numbers, home addresses, and statistics on shopping habits.

Mathew Chambers, an insolvency accountant at accountancy firm Williams and Chambers, said that such data is an extremely valuable asset for a receiver to offset company debt. "When a company has little in the way of tangible assets, intangibles such as databases and company lists are the only thing that can be sold off."

In a situation where a dotcom's assets will only net 10p on every pound, anything valuable, such as a database of customers, will do much to offset company debts, he said.

Chambers predicted that the situation would get much worse as more dotcom companies go into receivership and their databases are sold around the world.

However, unlike the situation in the US, such database sales are against the UK's Data Protection Act, which requires the customer to be contacted each time their data is used for another purpose.

Boo.com's database
Fashionmall, the US company which bought Boo's database of 350,000 customers, has agreed to email all of them to ask their permission to continue to use their information. This is mainly because Boo had signed up to strict European guidelines on data, and was even awarded a hallowed Truste certificate because of its pledge to safeguard customer information.

But Samantha Brierley, compliance manager for the UK Data Protection Registrar, said customers should have been contacted by Boo before the sale took place.

Strictly speaking, it would have been illegal for the data to be handed over to Fashionmall without customers being asked, and if the Registrar had known about the sale she could have stepped in to prevent it taking place until customers had been notified.

However, Brierley admits that once the data had left the country there was little the Registrar could do to prevent its use in the US - or even prevent it being sold on to other companies.

While the Registrar would normally take action against a company that had broken data protection rules, if they go bankrupt there is nothing that can be done, she explained.

However, she advises customers to write to the receivers the moment they hear of a dotcom going to the wall, saying what they want done with their data, and also to notify the Registrar so that she can monitor the situation.

But in the case of US companies such as Craftshop and Toysmart that have data about UK people on their books, there is nothing that anyone can do to stop their private information changing hands.

A spokesman for Truste pointed out: "It is inappropriate and potentially illegal to sell information if it was collected under the assumption that it would not be shared. It is an invasion of privacy and if not quickly handled could happen again and again."

A former chairman of Craftshop, Angus MacKey, said that, legally, any company that buys a company name is entitled to use the customer list.

"We just can't take them to sell them to anyone that is interested. The company name and its customer list have to go together," he said.

A data day problem
Rupesh Chandrani, a solicitor at Theodore Goddard, argued that it is nearly impossible to know if a dotcom holds data on you or your business because some US organisations snatch and store data whenever you visit their site.

But web companies in this country have to tell the Data Protection Registrar what they intend to do with the information and this is posted on the Registrar's website.

"If you want to disagree with how your data is used, you should contact the company. If the company is in receivership, you should contact the receiver - although this might be a bit of long shot," said Chandrani.

He added that it is in each dotcom's interest to make sure that its databases are up to date with the names of people that want to be there. "A database has more value to a purchasing company if it has been cleaned before it is sold," he explained.

Chandrani believes that liquidators will have to be careful about selling data on as they could be held legally responsible for misusing the information by selling it - particularly to a country, such as the US, that did not have the same standard of privacy laws as the UK.

He said there has yet to be a UK test case on this issue, but predicted that the matter will become more important as the number of failed UK dotcoms grows.