Home & Office

EC acts against UK over data protection

In the wake of BT's secret trials of Phorm's ad-serving technology, the European Commission has formally called on the UK to toughen up and enforce its data-protection laws
Written by David Meyer, Contributor

The European Commission has launched infringement proceedings against the UK, claiming the country is not sufficiently complying with European data-protection laws.

The action was initiated on Tuesday, following complaints over BT's trials — carried out in 2006 and 2007 without user consent — of technology from the behavioural advertising company Phorm. The technology allows an internet service provider (ISP) such as BT to monitor its customers' surfing habits, so that it can deliver targeted advertising to each user.

In June, the Information Commissioner's Office (ICO), which has responsibility for enforcing UK data-protection laws, said it would not launch an investigation into the BT trials. The Commission subsequently told ZDNet UK that it was investigating the trials, but would not challenge the UK's decision to take no action against BT and Phorm unless it was clear that a "serious mistake" had been made.

However, in February the Commission threatened formal action against the UK, saying the government had failed to "provide a satisfactory response to the Commission's concerns on the implementation of European law in the context of the Phorm case".

That formal action was launched on Tuesday. In a statement, the Commission said the proceedings addressed "several problems" with the UK's implementation of EU e-privacy and personal data-protection rules. Under those rules, EU countries have to ensure the confidentiality of communications by prohibiting the interception and surveillance of such communications without the user's consent.

"Technologies like internet behavioural advertising can be useful for businesses and consumers, but they must be used in a way that complies with EU rules," telecoms commissioner Viviane Reding said in the statement. "These rules are there to protect the privacy of citizens and must be rigorously enforced by all member states."

Reding called on the UK authorities to change national laws, and to make sure national authorities have the powers and sanctions at their disposal to enforce EU legislation on the confidentiality of communications.

"We need a change of [UK] legislation to make sure something like this [BT's secret trials] cannot happen," a spokesman for Reding's office told ZDNet UK. "This would need to happen rather quickly. [The UK government has] delivered us political assurances that they are aware of the problem and want to address it, but what we are looking for is a legal assurance. We cannot be satisfied with just nice words."

The spokesman said the Commission was neutral about Phorm itself, as such services can be useful.

"But that is something the consumer should decide," the spokesman said. "If the consumer does not [opt in], or they do not say anything, then they should not expect to be targeted in such a way. We have serious doubts whether this European principle is properly enforced and respected in the UK."

The UK authorities now have two months in which to respond to the Commission. If the Commission is not satisfied with that response, it will then take the case into its second phase by issuing a "reasoned opinion". The UK would then have another two months to change its legislation to reflect the EU principles. If it fails to do this, the Commission said that the case will be taken to the European Court of Justice.

Asked for comment, the ICO gave ZDNet UK a statement in which it said: "The ICO regulates and enforces the Data Protection Act, Freedom of Information Act and Privacy and Electronic Communications Regulations. These infringement proceedings from the EU appear to relate to the interception of communications, which is not part of the ICO's remit. Interception of communications is covered by the Regulation of Investigatory Powers Act [RIPA], which is separate to the Data Protection Act and not regulated by the ICO."

The Home Office, which has responsibility for RIPA, declined to comment, saying it was not a matter for that office. The Department for Business, Enterprise and Regulatory Reform (BERR) had not replied to a request for comment at the time of writing.

Editorial standards