The UK is in trouble yet again for infringing the EU Directive on privacy and electronic communications, which requires EU Member States to ensure confidentiality of communications and related traffic data by prohibiting unlawful interception and surveillance unless the users concerned have consented (Article 5(1) of Directive 2002/58/EC).
The EU Data Protection Directive specifies that user consent must be freely given, specific and informed (Article 2(h) of Directive 95/46/EC). In addition, Article 24 of the Data Protection Directive requires Member States to establish appropriate sanctions in case of infringements, and Article 28 says that independent authorities must be charged with supervising implementation. These provisions of the Data Protection Directive also apply in the area of confidentiality of communications.
According to the Commission, the UK has failed to adhere to this, and the Commission has decided enough is enough.
For more than a year now, the Commission has received several questions from UK citizens and UK Members of the European Parliament concerned about the use of a behavioural advertising technology known as Phorm by Internet Service Providers in the UK.
Phorm technology tracks customers' web surfing to determine users' interests and then delivers targeted advertising to users when they visit certain websites. The crucial point is that BT admitted that it had tested Phorm in 2006 and 2007 without informing the customers involved in the trial. This testing without customers' knowledge resulted in a number of complaints to the UK data protection authority, the Information Commissioner, and to the UK police.
The Commission had expressed a number of concerns that there were structural problems in the way the UK has implemented EU rules ensuring the confidentiality of communications.
Under UK law, it is an arrestable offence to unlawfully intercept communications. However, the scope of this offence is limited to intentional interception only. BT and other ISPs were using these techniques to market a service more effectively.
Interception is considered to be lawful when the interceptor has reasonable grounds for believing that consent to interception has been given. So a user must give their consent. The Commission was also concerned that the UK did not have an independent national supervisory authority dealing with such interceptions.
The UK has two months to reply to this first stage of an infringement proceeding, the letter of formal notice sent today. If the Commission receives no reply, or if the observations presented by the UK are not satisfactory, the Commission may decide to issue a reasoned opinion (the second stage in an infringement proceeding). If the UK still fails to fulfil its obligations under EU law after that, the Commission will refer the case to the European Court of Justice.