On April 14, 2009, the European Commission announced that it had launched an infringement proceeding against the United Kingdom for failure to comply with EU law, alleging problems with the U.K.'s implementation of EU privacy and data protection rules and how these rules are applied in the specific context of behavioral advertising that uses Phorm, Inc.'s technology.
Phorm is an advertising technology company specializing in Interest-based advertising solutions for Internet service providers. Phorm's advertising technology analyzes Internet users' web surfing behavior to determine their interests and deliver targeted advertising to users when they visit Web sites operated by Phorm's customers.
When U.K. fixed operator BT revealed in April 2008 that it had been testing Phorm's technology on its customers without consent or prior notice, Internet users in the U.K. started lodging complaints with the European Commission concerning the effect of Phorm's behavioral advertising technology on their privacy rights.
Following an assessment of these complaints, the European Commission concluded that U.K. law currently does not offer the necessary protection of Internet users' privacy and personal data as required by EU rules, finding problems with the way in which the U.K. has implemented the EU ePrivacy and data protection rules. The Commission alleged that U.K. law does not ensure, for example, the confidentiality of Internet users' communications.
Under U.K. law, it is an offense to intercept unlawfully communications — arguably including for the purposes of behavioral advertising — but the scope of the offense is limited to “intentional” interception only. Furthermore, interception is considered lawful if there are “reasonable grounds” for assuming that consent to the interception has been given.
According to the European Commission, U.K. law does not comply with the EU Directive on privacy and electronic communications (Directive 2002/58/EC), which specifies that users must provide their consent to interceptions or surveillance of their communications and related traffic data.
In addition, the European Commission is concerned that the U.K. currently does not have an independent supervisory authority that can adequately deal with such interceptions.
Accordingly, the European Commission opened an infringement proceeding against the U.K. under Article 226 of the EC Treaty for an alleged infringement of EU law (in this case the directives that make up the telecoms/ privacy regulatory framework). The infringement proceeding has two procedural phases.
In the first phase of the proceeding, the commission sends a letter of formal notice and invites the EU Member State (in this case the U.K.) to reply within two months. If it receives no reply, or if the U.K.’s reply is considered unsatisfactory, the European Commission can initiate a second phase of the infringement proceeding by issuing a reasoned opinion expressing its views and concerns.
If the U.K. does not take satisfactory measures to fulfill its obligations under EU law within a specified time limit, the Commission can ultimately refer the case to the European Court of Justice, which would typically be accompanied by a proposal on financial sanctions.
The final decision to impose financial sanctions lies with the Court of Justice. EU Member States are under an obligation to take the necessary measures to comply with a judgment of the Court of Justice.