EC takes action against the UK over its handling of personal data protection

The European Commission (EC) last week launched an infringement proceeding against the UK over e-privacy and personal data protection. This came following BT’s launch of the trial behavioural advertising technology known as Phorm. Although the trial had the permission of the Information Commissioner’s Office, it has triggered a number of complaints from UK Internet users. The EC has concluded that Phorm was breaching consumer privacy directives, and has requested that all member states comply with EU data protection rules. In the UK’s case, this may require a change in the law.
Privacy becomes more important as the Internet gets personal
Even as early as 2001, in a British government survey, most consumers expressed their worries about the ways their information might be being used without their knowledge when using various electronic services, particularly the Internet. With increasing broadband penetration and the Internet becoming more and more part of our day-to-day lives, the amount of personal data in circulation increases ever more.

The more users become aware of these issues, the more worried they become – e-privacy complaints have soared in recent years. Phorm, whilst being the subject of this intervention, is just one of these cases. The technology provides a behavioural targeting advertising system that enables ISPs to analyse customers’ web-surfing habits to deliver targeted advertising to each user.

The EC requested UK legislation be toughened up
The EC has been following the case of BT and Phorm since last year, when BT’s trial prompted numerous complaints. Consumer privacy and data protection is receiving increasing attention from Brussels as it becomes a more important regulatory issue. The EC now feels it is time to take legal action against BT’s Phorm trial to protect customers’ privacy under the EU rules.

The EC is now addressing several problems that emerged during its enquiry into the UK situation. It has concluded that the UK failed, to some degree, to maintain the confidentiality of communications by allowing interception and surveillance without users’ consent – one of the most important principles of privacy and personal data protection. Under UK law, interception could be considered lawful when the interceptor has ‘reasonable grounds’ for believing that consent has been given. Therefore, it is not completely in line with the EC’s principle of receiving users’ consent before interception.

The UK also came under fire for its lack of an independent national supervisory authority dealing with interceptions. As a result, the EC believes the current UK legal framework does not completely comply with the EU Data Protection Directive of 2002 and fails to protect customers’ privacy, and has asked the UK to clean up its act.

New technologies will be used consistently across Europe
The EC has reiterated that all member states must comply with EU rules on privacy and data protection. Whilst it sees new technologies as being beneficial to consumers and businesses, it states that those technologies must be used in a way that complies with EU rules aimed at protecting citizens.

The complex set of issues raised by e-privacy and personal data protection rules have far-reaching implications for online search and digital advertising. With the EC stressing that it will protect the privacy of European citizens and control how their personal information is used, we may see the EC increasingly monitoring the compliance of member states and investigating new technologies (such as online social networking) to ensure that they are used in a way that guarantees confidentiality of communications.