The European Commission has received several complaints from UK internet users whose personal data had been used without their consent by internet service providers using a behavioural advertising technology known as ‘Phorm’.

The US-based software company Phorm analyses customers' web surfing to find out users' interests and then delivers targeted advertising to users when they visit certain websites.

BT admitted in April 2008 that it had tested the Phorm system in 2006 and 2007 without informing the customers involved in the trial. From October to December 2008, BT carried out a new trial, this time by invitation. The second trial has resulted in several complaints to the Information Commissioner’s Office (ICO).

According to the Commission, such trials may have broken EU privacy laws, since BT did not ask its customers for consent. Since July 2008, the European Commission has been asking the UK Government how it has implemented EU privacy laws in the context of the Phorm case.

According to the UK Government, Phorm conforms to EU legislation. The Government has clarified that Phorm does not reveal the identity of the user and it is not possible to link a user ID and profile to a given individual. Phorm's system does not store personal data or browsing histories.

The UK Government has replied to the European Commission saying that "Users will be presented with an unavoidable statement about the product and asked to exercise choice about whether to be involved. Users will be able to easily access information on how to change their mind at any point and are free to opt in or out of the scheme."

However, the European Commission is not happy with the UK reply. The Commission is investigating the UK’s implementation of EU privacy laws. The Commission has said that it “has concerns that there are structural problems in the way the UK has implemented EU rules ensuring the confidentiality of communications.”

According to the European Commission, there are several problems with the UK's implementation of the EU Directive on privacy and electronic communications and the EU Data Protection Directive. Under these Directives, EU Member States are required to ensure the confidentiality of communications by prohibiting interception and surveillance without the user's consent. Furthermore, Member States are required, under the Data Protection Directive, to establish sanctions in case of infringements. That Directive also provides that independent authorities must be charged with supervising implementation.

The Commission has pointed out that under UK law it is an offence to unlawfully intercept communications, but only where the interception is ‘intentional’. Interception is also deemed to be lawful when the interceptor has ‘reasonable grounds for believing’ that consent to interception has been provided.

Under the EU Data Protection Directive and the Directive concerning the processing of personal data and the protection of privacy in the electronic communications sector, the user's consent must be “freely given, specific and informed” before their personal data is processed.

Moreover, the Commission is concerned with the absence, in the UK, of an independent national supervisory authority to deal with interception of communications by private companies.

Consequently, on 14 April, the European Commission opened infringement proceedings against the UK. The Commission has sent a letter of formal notice, which is the first stage of an infringement proceeding. The UK has two months to present its views. If the UK does not reply to that letter, or if the Commission considers the UK’s observations unsatisfactory, the Commission may issue a reasoned opinion asking the UK to remove the infringement within a specified time limit. According to the Commission, the UK has failed to implement certain aspects of the above-mentioned directives. The Commission may refer the UK to the ECJ if it does not reply to the reasoned opinion or if the Commission considers the reply unsatisfactory, that is, if UK law is not amended in line with the Commission's demands.

The EU Telecoms Commissioner, Viviane Reding, has said “We have been following the Phorm case for some time and have concluded that there are problems in the way the UK has implemented parts of EU rules on the confidentiality of communications.” Therefore, she called on the UK to change its “national laws and ensure that national authorities are duly empowered and have proper sanctions at their disposal to enforce EU legislation on the confidentiality of communications.”

A BERR spokeswoman has said: “We will be considering the issues raised and will respond within the required timeframe. It would be inappropriate to comment further at this time.”

It should be recalled that the Data Retention (EC Directive) Regulations 2009, intended to complete the transposition of the EU Data Retention Directive into UK law, came into force on 6 April 2009. Dr Richard North rightly pointed out, in the EU Referendum blog, that under these Regulations “Public Communications Service Providers” are required to retain “communications data” and to “(…) keep a record of the IP address allocated by the internet access service provider and the user ID of the subscriber or registered user of the internet access service.” Such data will be accessed by the police, security and intelligence agencies and additional public authorities under the Regulation of Investigatory Powers Act 2000 (RIPA).

Consequently, Dr Richard North has said “(…) we have an interesting situation where a commercial firm which wants to make use of anonymous information is prohibited from doing so, while the authorities are allowed free access to key information that will enable identities to be established and user patterns monitored.”