On the 14th April 2009, the European Commission (EC) started legal action against the UK via a formal letter to the British Government. This action was taken following complaints by UK Internet users about Internet Service Provider (ISP)-based behavioural targeting company Phorm.

The Commission has accused the Government of breaching its obligations under the EU ePrivacy Directive, after having failed to deliver a regulatory response to the long and controversial dispute surrounding Phorm's secret trials of Internet interception and profiling technology that took place with BT in 2006 and 2007 without BT's customers' consent. In particular, the action highlights problems in relation to how the UK has implemented certain EU regulations concerning confidentiality of communications. The UK Government now has to re-examine its legislation on online privacy.

The infringement proceedings come at the same time that European legislators are finalising amendments to the ePrivacy Directive. It is expected that the changes will make it harder for online operators to implement user profiling technologies and tracking cookies.

Phorm and Targeted Advertising

  • Phorm works with UK ISPs in monitoring what websites their consumers visit and uses the data gathered for behavioural advertising campaigns.
  • The technology operates by tracking the sites visited by users whose ISPs have signed up to Phorm's service, and matches certain keywords from site content to an "anonymous" profile. The users are then targeted with adverts that have been tailored to their habits recorded from previous use.
  • This method has raised fears about invasions of privacy because it runs in conjunction with ISPs. This differs from previous targeted-advertising systems, which only use data collected from partner websites visited by users, who must have opted in to (and therefore consented to) the use of "cookie" technology when they accepted the Terms of Use of certain websites they have visited.
  • BT has admitted to trials of Phorm's technology in 2006/2007 without informing its customers or obtaining their consent. A further official trial, which complied with EU rules on consent, was conducted by the two companies in 2008.
  • Phorm has issued a statement distancing itself from the legal proceedings, announcing that its technology is fully compliant with EU and UK law. Further, the statement outlines its intention to go ahead with its plans, in conjunction with BT, to roll out its Internet monitoring technology to customers by the end of the year. This will include further trials, although Phorm plans to give customers clear notification and the ability to opt out.
  • Phorm has further been involved in talks with other ISPs, such as Virgin Media and TalkTalk. Following the controversy, Amazon has stated publicly that it will not allow Phorm's technology to track users across its sites.

The European Directive on Privacy and Electronic Communications and current law in the UK

  • The EU's ePrivacy Directive, the provisions of which must have been included in the national law of member states by October 2003, requires that member states ensure, among other things, the confidentiality of communications by prohibiting interception and surveillance without the user's consent.
  • Although targeted advertising is not illegal under the Directive, EU rules stipulate that consumers must be informed that they are being monitored.
  • Under UK law, it is an offence to unlawfully intercept communications. However, this only applies to "intentional" interception. The law considers an interception lawful only when the interceptor has 'reasonable grounds for believing' that consent has been given.
  • The City of London Police dropped an investigation of the BT/Phorm trials last year, allegedly owing to the complexities involved and the significant cost implications. It was decided that, as there was no criminal intent by BT, no offence had been committed and further, those taking part in the trials were deemed by the police to have given their 'implied consent' owing to the benefit to the consumer that the service would bring.
  • In response to the controversy, the UK Government stated that the technology could only be rolled out if consumers consented and it was easy for them to opt out.
  • The EC has written several letters to the UK authorities since summer 2008, querying the implementation of certain EU laws in the context of the Phorm dispute. The EC considers the response to have been inadequate and has concerns about structural problems in the way the UK has implemented EU rules preserving the confidentiality of communications.
  • The EC's further concern is that the UK does not have an independent national supervisory authority dealing with interceptions of data.

Changes in ePrivacy Directive: Consent to be Required for Cookies

European legislators are currently finalising a review of the ePrivacy Directive, and the debate over Phorm and the use of cookies has had a major influence on proposed amendments to the law. Current legislative proposals will strengthen consent requirements for the use of cookies and other profiling technology, moving away from current rules which allow the use of cookies unless a user exercises a right to refuse ('opt out' of) the storing of a cookie on his or her computer. Under the new rules, users will need to give consent to the use of a cookie after having been provided with clear and comprehensive information. Providers of online services fear that users may need to see a pop-up window and click to agree to a cookie every time one is used. Commentary on the proposals suggests that the consent may be given when a user sets his browser to automatically accept cookies, but this commentary is not a legally binding part of the Directive and does not have to be implemented into national law. The final position won't be known until later in May when European legislators finish their ePrivacy Directive review.

What next?

The Department for Business, Enterprise and Regulatory Reform (BERR) is coordinating the Government's response which must be submitted within two months.

If BERR's response is deemed unsatisfactory by the EC, and Britain does not change domestic law to comply with EU Directives, the EC can issue a final warning before the UK is taken to the European Court of Justice (ECJ). The ECJ can compel the UK to change its national laws, as well as levying heavy fines on the Government for non-compliance.

This is clearly part of a wider issue regarding data privacy and follows in the wake of comments by the European Commissioner for Consumers two weeks ago, which stated that organisations involved in social networking must do more to respect consumer privacy or regulators would intervene.

Indeed, BERR is set to publish the final Digital Britain report in early summer 2009, which will deliver the UK's policies on Internet regulation and demonstrate the Government's commitment to addressing the contentious issues surrounding the ready availability of personal data on the Internet in today's digital space.

The EC's press release can be viewed at: europa.eu/rapid/pressReleasesAction.do?reference=IP/09/570&format=HTML&aged=0&language=EN&guiLanguage=en