On 29 October 2009, the European Commission announced that it has moved to the second phase of the infringement proceedings against the United Kingdom for failing to implement EU e-privacy and data protection rules relating to the privacy of online communications. The Commission decided to take action against the United Kingdom in the wake of the secret trials conducted in 2006 and 2007 by BT of controversial behavioural advertising technology - Webwise, developed by Phorm - that enables participating organisations to track and to profile internet use. The Commission is concerned specifically by the lack of an independent national authority in the United Kingdom for interception of communications and what it considers inadequate safeguards and sanctions in the Regulation of Investigatory Powers Act 2000 (RIPA).

BACKGROUND

The European Commission launched the first phase of the action against the UK Government on 14 April 2009. Its concerns were prompted by BT's trials of Webwise and it claimed that the United Kingdom had failed to protect internet users against the unlawful interception of communications data, specifically with regard to the profiling of user behaviour for online behavioural advertising.

Webwise works by mirroring a user's request to visit a website at the moment he requests to enter it. This data is then profiled and anonymised to erase any trace linking the data to the user, e.g., the IP address. A randomly generated ID is allocated to the user and, along with the anonymised data, is sent to a Phorm managed server, which categorises the data so that it can be linked with relevant advertising through its OIX advertising exchange platform. The result is that advertising targeted to the user appears on his computer screen.

Despite the Information Commissioner’s Office (ICO) indicating that there had been no breach of any UK laws by BT or Phorm, the European Commission completed its own inquiries and has threatened to take the UK Government to the European Court of Justice for allowing the trials to operate and for failing to take appropriate action.

The relevant regulation in this area derives from the e-Privacy Directive (2002/58/EC), which requires EU Member States to ensure confidentiality of the communications and related traffic data by prohibiting unlawful interception and surveillance unless the users concerned have consented to this (Article 5(1)). The Data Protection Directive (95/46/EC) specifies that user consent must be "freely given, specific and informed" (Article 2(h)), and Member States are to establish appropriate sanctions in case of infringement and independent authorities must be charged with supervising implementation.

THE SECOND PHASE

In the Commission’s press release announcing the second phase (IP/09/1626), it stated that it is maintaining its position on the United Kingdom failing to comply with EU rules provided in the e-Privacy Directive. Specifically, the Commission has identified three "gaps" in UK rules governing the confidentiality of electronic communications. First, there is no independent national authority to supervise interception of communications. Second, RIPA authorises interception of communications when the person intercepting the communications has "reasonable grounds for believing" that consent to do so has been given, which does not comply with EU rules defining consent as freely given, specific and informed. Third, RIPA provisions do not tally with EU law which ensures sanctions against any unlawful interception regardless of whether committed intentionally or not.

COMMENT

The UK Government had until 29 December 2009 to reply to this second stage of the infringement proceeding. If the Commission is not satisfied with the response, it may refer the case to the European Court of Justice.

Telecommunications Reforms

The European Parliament and the Council of Ministers have reached agreement on the European Union’s package of telecommunications reforms, comprising five directives that include provisions relating to internet access, cookies and data security breaches.

INTERNET ACCESS

The new Framework Directive provides that restrictions on end-users' internet access, in particular to deal with online copyright infringement, may "only be imposed if they are appropriate, proportionate and necessary within a democratic society". Such measures may only be taken "with due respect for the principle of presumption of innocence and the right of privacy" and as a result of "a prior, fair and impartial procedure" guaranteeing "the right to be heard… and the right to an effective and timely judicial review".

This is a watered down version of the European Parliament’s original proposal that no restriction should be applied without a prior ruling by judicial authorities and was agreed following conciliation between the Parliament and the Council.

E-PRIVACY

In relation to storage of cookies on a user’s terminal, the e- Privacy Directive is to include a provision that this is only permitted on condition that the subscriber or user concerned has given his or her consent. However, this does not prevent storage and access to information for the sole purpose of carrying out the transmission of a communication, or as strictly necessary to provide a user with a service requested explicitly by the user.

Requiring prior consent for use of a cookie that is not “strictly necessary” may, for example, mean that users will be presented with pop-up messages or other alerts requesting consent to storage of a cookie. However, Recital 66 of the Directive states that "the user's consent to processing may be expressed by using the appropriate settings of a browser or other application".

With respect to data breaches, the e-Privacy Directive requires communications providers to inform the data protection authority and their customers about data security breaches that are likely to affect them, such as data loss that could result in identity theft.

Further changes include the possibility for any person affected negatively by spam, including ISPs, to bring effective legal proceedings against spammers.

OTHER REFORMS

A new European telecommunications authority, named BEREC (Body of European Regulators Electronic Communications), is to be established with the aim of ensuring fairer competition and more consistency of regulation on telecoms markets.

New rules will also give national telecoms authorities the power to set minimum quality levels for network transmission services so as to promote "net neutrality" and "net freedoms" for European citizens. New transparency requirements mean that consumers must be informed, before signing a contract, about the nature of the service to which they are subscribing.

As well as information on the minimum service quality levels, consumers will be entitled to better information on compensation and refunds if such levels are not met.