The European Commission has launched infringement proceedings against the UK government, claiming that European rules on e-privacy and data protection have been inadequately implemented in Britain. The Commission is concerned by what it sees as "structural problems in the way the UK has implemented EU rules ensuring the confidentiality of communications".

The action results from a Commission investigation following complaints that "black box" technology used by some UK Internet Service Providers ("ISPs") to serve up targeted ads, based on users' web browsing history, infringed the users' privacy rights.

Business impact

  • The UK may be forced to amend its existing legislation to tighten the rules on interception of communications (including online activity) without the explicit consent of the sender and recipient.
  • Aside from any amendments prompted by the EU Commission's action, the current lack of judicial consideration of "interception" in the context of existing UK law could have a significant effect on the take up of third party behavioural advertising tools, such as Phorm. This may tend to give a competitive advantage to larger, more sophisticated ISPs which develop and operate their own online behavioural advertising ("OBA") tools in-house, e.g. Google.  
  • OBA looks set to increase in commercial importance due to (a) the general shift in advertising spend away from traditional media and towards online options and (b) because OBA tends to result in higher conversion rates than online contextual advertising (ads shown based on the page then being viewed).  
  • There is a pressing commercial imperative to resolve the legal uncertainties surrounding the lawfulness of OBA technology, such as Phorm. There is no less urgency from a public relations perspective, too: the public need reassurance that OBA does not equate to a threat to their privacy, before its image becomes irrevocably tarnished.  

Background

In April 2008, the Commission first started to receive complaints from UK citizens and UK Members of the European Parliament arising out of the use by some UK ISPs of a behavioural advertising technology known as ‘Phorm’. The use of Phorm has attracted some controversy, not least because in April 2008, BT admitted that it had tested Phorm in 2006 and 2007, without informing customers involved in the trial. BT later carried out a new, invitation-based, trial of the technology in October-December 2008.

The Commission has written several letters to the UK authorities since June 2008, asking how they have implemented relevant EU laws in the context of the Phorm case. Following an analysis of the answers received, the Commission still has concerns that the way the UK has implemented EU rules fails to protect the confidentiality of communications.

Three main issues were identified by the Commission:-

Consent - The EU E-Privacy Directive (2002/58/EC) requires EU Member States to prohibit unlawful interception and surveillance unless the users concerned have consented (Article 5(1)). However, under the UK Regulation of Investigatory Powers Act 2000 (section 3(1)), interception is deemed to be lawful merely when the interceptor has ‘reasonable grounds for believing’ that consent to interception has been given by sender and recipient. Further, the Data Protection Directive (95/46/EC) requires consent to be ‘freely given, specific and informed’ (Article 2(h)).

Intentional interception - UK law establishes the offence of unlawfully intercepting communications, however, this is limited to ‘intentional’ interception only. There is no such qualification in EU law.

Supervision – The UK lacks an independent national supervisory authority for the purposes of enforcing the law governing such interceptions. This is required by the EU Data Protection and E-Privacy Directives.

The UK authorities have until mid-June 2009 to respond. If a satisfactory response is not received, the Commission may decide to issue a reasoned opinion. The UK would then have a final opportunity to make the changes to national law required. If the Commission was still not satisfied that EU legislation had been correctly implemented, it could then refer the matter to the European Court of Justice.

Phorm's Webwise service

Phorm's technology works by real time tracking and analysis of customers' web surfing to determine their interests. It also makes use of a temporary Webwise cookie. Phorm claims – and this has been accepted by the Information Commissioner's Office – that they do not hold personally identifiable information on any users. When a user visits the website of a third party which has subscribed to the Webwise service, the user is served targeted advertising based on the categories of interest which Phorm has identified from his previous browsing.

Phorm's OBA technology is complex and has been the subject of some scrutiny by IT experts. It appears that third party websites can block the operation of Webwise by preventing Phorm from scanning their sites; the major online retailer, Amazon, has reportedly done so. This means that Phorm cannot log the fact that a user has visited the site.

The following factual and legal issues relevant to Phorm's OBA product remain to be clarified: (a) whether the service amounts to an interception of a communication, (b) whether, if so, it is an interception between (i) user and ISP or (ii) user and the third party whose website is being viewed by the user, (c) whether such interception is lawful and (d) whether this position would be affected, if the UK government makes the changes to national law sought by the Commission.

According to documents recently made public under the Freedom of Information Act 2000, the Home Office apparently confirmed in informal guidance given to Phorm that it did not consider the technology constituted an interception; contrary views have however, been expressed, e.g. by the Foundation for Information Policy Research. Judicial consideration is eagerly awaited.