The UK government has failed to implement adequate communications privacy legislation and must take steps to strengthen privacy safeguards, the European Commission has found.
The Commission on Thursday went to the second stage of privacy infringement proceedings against the UK government, saying the government had not adequately enacted European privacy laws.
Commission spokesperson Martin Selmayr told ZDNet UK that the Commisision initially launched its infringement action following complaints from UK citizens. Members of the public and privacy campaigners approached the Commission after the UK government declined to take action following secret trials of behavioural advertising by BT in 2006 and 2007, which BT performed without gaining customer consent. BT had been trialling advertising technology from a company called Phorm.
"The Commission got many complaints from citizens and via email, and MEPs asked parliamentary questions. Our attention was drawn to that in quite a substantial way," said Selmayr."It's clear the Commission had to take action. This is the last chance [for the UK] to settle the matter."
Information commissioner Viviane Reding said in a statement on Thursday that the aim of the Commission was to bring about a change in UK law.
"People's privacy and the integrity of their personal data in the digital world is not only an important matter, it is a fundamental right, protected by European law," Reding said. "I therefore call on the UK authorities to change their national laws to ensure that British citizens fully benefit from the safeguards set out in EU law concerning confidentiality of electronic communications."
The Commission said the UK had failed to comply with both the European e-Privacy Directive and the Data Protection Directive. Selmayr said that, specifically, the UK had failed to form an independent national authority to supervise the interception of communications.
The Commission also criticised the Regulation of Investigatory Powers Act (Ripa) as it does nor require that people give informed, specific consent to their communications being intercepted for purposes such as behavioural advertising, while sanctions under Ripa only apply when unlawful interception is intentional rather than simply being unlawful.
The part of UK government responsible for Ripa is the Home Office. A Home Office spokesperson told ZDNet UK on Thursday that the government had received a letter from the Commission regarding the data-protection action.
"We are firmly committed to protect users' privacy and data," said the spokesperson. "We are considering the Commission's letter, and will respond in due course."
The UK government now has two months to respond to the letter. Should the Commission be dissatisfied by the UK response, it will launch proceedings against the UK government in the European Court of Justice (ECJ).
"If the UK government signals that it will start to change the law, we can stay the proceedings and wait for the legislative process to be completed", said Selmayr. "But the EU community is based on the rule of law. If the European Court of Justice becomes involved and says the UK violated the law, it is possible to ask for financial penalties."
The Commission launched the infringement proceedings against the UK in April 2009, after the Information Commissioner's Office, the UK government, the UK police and the Crown Prosecution Service said BT had not infringed UK law by performing the trials.
Privacy campaigner Alex Hanff, who pushed for a UK prosecution of Phorm and BT over the trials, welcomed the Thursday's announcement, but called it "a double-edged sword".
"It's good news that the Commission is upholding our rights, but it's disappointing it's taken the EC to do that — the UK government should already be upholding our rights," said Hanff. "If the case goes to the ECJ, it's the UK taxpayer that will foot the bill."