Lets clarify this
1. The only reason the ICO were able to take enforcement action is because the company running the database was not registered with the ICO as controlling personal data. That is the only criminal offense which took place here - if they had registered themselves with ICO at a cost of £35 a year then they would have avoided this prosecution.
2. David Smith, deputy Information Commissioner himself stated last Saturday on a panel at the Convention on Modern Liberty that ICO have NO enforcement powers under DPA when it comes to registered institutions/corporations.
3. David Smith, deputy Information Commissioner himself stated last Saturday on a panel at the Convention on Modern Liberty that the ICO registration fee was a TAX on businesses and contributes to the ICO's annual budget.
So there you have it, for a fee of £35 per year any company or organisation can basically do whatever the hell they like with personal data. They might get told off by the ICO if they break the DPA but they certainly won't be prosecuted.
With reference to points 2 and 3 above watch the video yourself to see him saying those things, it is available here:
http://www.openrightsgroup.org/2009/03/04/good-practice-in-behavioural-advertising/
It is the second video (the Q&A panel) which contains the relevant statements - readers might also be interested in the deputy information commissioner's statement that ICO don't need to take action against Phorm because the public are doing such a good job of it. Oh and also that people in the UK don't have a right to privacy, only a right that others respect their privacy....the guy is a complete idiot in my book.