Criminal Intent
No criminal intent - that's nonsense. It's arrant nonsense. These police types know what criminal intent means. They know what section 8 of the Criminal Justice Act says, and it is disgraceful that they have chosen to disregard it completely.
BT and Phorm (or whatever they called themselves then) processed personal data (including sensitive personal data) without the knowledge or consent of the data subject. They intended to do that processing, they intended not to inform the data subject, and they intended not to obtain informed consent for the processing. That's criminal intent. They committed about 10000 offences with clear and obvious criminal intent.
BT and Phorm interecepted communications in the course of transmission by a public communications system without the consent of both parties to the communication. They intended to do that interception, and they intended not to obtain the consent of either party to the communication. That's criminal intent. They committed another many tens of thousand offences (one for each communication intercepted) with clear and obvious criminal intent.
Unless of course you want to believe that they didn't intend to do those things - that they did, for example (despite their clear admission that they did not) intend to obtain the consent of the people whose communications they intercepted and whose personal data they processed, or that they didn't actually that the data should be processed, or that they didn't intend to get hold of any communications while in transmission and make them available to someone for a purpose other than the purposes of a public communications system.
They even claim to have taken legal advice about what they were going to do - a pretty clear that they intended to do it. Apparently they got bad advice - but that doesn't remove the criminal intent, not for one moment.
They probably broke other parts of the data protection legislation (did they register this processing of personal data, as required by the act?) and (if they were using a cookie system to handle the classifications to select adverts) they were clearly (since they obviously knew how cookies worked) reckless as to whether sensitive personal data would be exposed to third parties (reckless as to the consequence of their action - that is enough to satisfy the requirement for mens rea if handing that sensitive personal information to the web sites involved is illegal) but let's just concentrate on the tens of thousands of big and nasty offences. and ignore the tens of thousands of minor ones.
Anyway, we now know what the data protection act means: It is an offence to process sensitive personal data without jumping through the appropriate hoops - unless of course the processor is one of the Establishment's friends in big business and the data subject is one of the common people.
And of course the RIP act means that it's an offence to intercept communications in certain circumstances, but those circumstances don't include any where the interceptor is one of the Establishment's friends in big business and at least one of the parties to the communication is one of the common people.