Data protection act
I still can't see how they can get round the data protection act, I can't see how they can argue that your browser profile isn't personal data, it's now considered that your ip address can be considered as potentially identifiying, and even if this isn't the case data contained within the html pages or post data certainly will contain identifiable data. At least some of that data will be "sensitive personal data" (if a user visits lots of gay porn sites, particular religiour websites, logs into trade union websites you can get a good guess at most of the following)
"In this Act “sensitive personal data” means personal data consisting of information as to—(a) the racial or ethnic origin of the data subject, (b) his political opinions, (c) his religious beliefs or other beliefs of a similar nature, (d)
whether he is a member of a trade union (within the meaning of the [1992 c. 52.] Trade Union and Labour Relations (Consolidation) Act 1992), (e) his physical or mental health or condition, (f) his sexual life, (g) the commission or alleged commission by him of any offence, or (h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings."
Schedule 3 (Sensitive personal data) of the data protection act requires that "1
The data subject has given his explicit consent to the processing of the personal data." there are other permisable justifications but none of these are relevant.
Based on this I can't see how they can legally function. Now they are going to argue that their annonymizer removes the personal data and it isn't stored...
however the DPA states:
""processing”, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including—
(a) organisation, adaptation or alteration of the information or data,
(b) retrieval, consultation or use of the information or data,
(c) disclosure of the information or data by transmission, dissemination or otherwise making available, or
(d) alignment, combination, blocking, erasure or destruction of the information or data;"
By this definition the very act of the "Anonymizer" obtaining the information (being forwarded your web request or web page) and then erasing what they consider the sensitive/personally identifying stuff then they are processing the data and therefore fall under the data protection act. This is particularly the case as even if they don't have any personally identifiable data yet they will in all likely hood gain identifiable data in the future
"“personal data” means data which relate to a living individual who can be identified—
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,"