Original URL: http://www.theregister.co.uk/2009/04/14/eu_phorm_formal/

Brussels to sue UK over Phorm failures

ICO and Phorm respond

By Christopher Williams

Posted in Broadband, 14th April 2009 10:55 GMT

Updated The European Commission has revealed plans to sue the UK government over its failure to take any action against BT and Phorm for their secret broadband interception and profiling trials.

Last year The Register revealed the pair had run covert wiretaps on tens of thousands of broadband lines in two trials in 2006 and 2007, to profile web use on behalf of advertisers.

In a statement released today, EU telecoms Commissioner Viviane Reding said the Phorm case showed UK laws needed to be tightened to protect consumers and comply with the ePrivacy Directive. New Labour signed the UK up to the ePrivacy Directive in 2002 and it came into force in October 2003.

"I call on the UK authorities to change their national laws and ensure that national authorities are duly empowered and have proper sanctions at their disposal to enforce EU legislation on the confidentiality of communications," Reding said.

"This should allow the UK to respond more vigorously to new challenges to ePrivacy and personal data protection such as those that have arisen in the Phorm case."

Under UK legislation, responsibility for enforcing the ePrivacy Directive lies with the Information Commissioner's Office (ICO). It had discussions with BT and Phorm about the secret trials but declined to take any action. The ICO accepted BT's argument that it would have been hard to explain Phorm's interception and profiling system to internet users whose communications it was being tested on.

The ICO did not immediately respond to a request for comment today; we'll update this story when it does.

Announcing the infringement action, the Commission also said it was concerned that the UK does not have an authority to regulate interception of communications by private companies.

The ICO does not have responsibility for enforcing the Regulation of Investigatory Powers Act (RIPA), which governs interception, and the Office of the Surveillance Commissioners is mandated only to investigate interceptions by public authorities. The police meanwhile declined to act over BT and Phorm's trials, saying there was "implied consent" and a lack of criminal intent.

The Commission said: "Under UK law, which is enforced by the UK police, it is an offence to unlawfully intercept communications. However, the scope of this offence is limited to 'intentional' interception only.

"Moreover, according to this law, interception is also considered to be lawful when the interceptor has 'reasonable grounds for believing' that consent to interception has been given. The Commission is also concerned that the UK does not have an independent national supervisory authority dealing with such interceptions."

After it had carried out the two trials, Phorm sought advice from the Home Office on whether its technology complied with RIPA. An official replied that he believed it could be if consent was sought from each broadband customer. Outside legal experts have since disputed that advice, arguing consent would also be needed from every website whose data was intercepted.

The Commission's action follows several months of letter-writing back and forth between Brussels and Whitehall. It has sent the Department for Business, Enterprise and Regulatory Reform (BERR), which handles UK government communications with the Commission, two months' notice of formal action. If it receives no reply or an unsatisfactory reply, it may decide to issue "a reasoned opinion", which is the next stage of the infringement process.

If following that the government does not bring UK law into line with European obligations, the Commission could sue in the European Court of Justice in Luxembourg. It has powers to heavily fine member states who infringe EU law.

A BERR spokeswoman confirmed officials had received the Commission's notice. "We will be considering the issues raised and will respond within the required timeframe. It would be inappropriate to comment further at this time," she said.

At time of publication spokespeople for BT and Phorm had not returned our calls. Again, we'll update this story when they do. Previously both have claimed they took legal advice prior to the trials, but refused to reveal what it said.

We've reproduced the Commission statement in full on the next page. ®

Update

Phorm returned our call via email just after 4pm. It sought to soothe investors, saying it does not expect the Commission's action to have any impact on its plans. It did not address the legal status of its previous secret trials.

Here's the statement in full:

The EU Commission has announced today that it is starting infringement proceedings against the UK Government concerning the alleged failure of UK legislation to conform in certain respects with EU e-privacy and personal data protection rules. This is obviously a matter for the Commission and the UK Government.

However, in so far as the Commission's announcement references Phorm's technology, we should like to make the following points clear. Phorm's technology is fully compliant with UK legislation and relevant EU directives. This has been confirmed by BERR and by the UK regulatory authorities and we note that there is no suggestion to the contrary in the Commission's statement today. We do not envisage the Commission’s proceedings will have any impact on the company's plans going forwards.

Furthermore, Phorm's system stands out from other online advertising systems in that it does not store personal data, or browsing histories. Finally, consistent with UK and EU legislation, and in anticipation of any changes that may be made to the law in the future, our system offers un-missable notice and clear and persistent choice to consumers.

This release clarifies any misunderstandings that may have arisen following the Commission's announcement.

Update 2

The ICO returned our call via email at about 4.30pm. It argued that the Commission was referring to intercept law and so implied it was not directly involved.

In assessing the ICO's argument, note that PECR is the set of regulations implementing the ePrivacy Directive (as referred to by the European Commission) in the UK. Here's the statement in full:

The ICO regulates and enforces the Data Protection Act, Freedom of Information Act and Privacy and Electronic Communications Regulations. These infringement proceedings from the EU appear to relate to the interception of communications, which is not part of the ICO's remit. Interception of communications is covered by the Regulation of Investigatory Powers Act, which is separate to the Data Protection Act and not regulated by the ICO.

The ICO has been involved in discussions with Phorm regarding the technology's compliance with the DPA and PECR only. A system such as Phorm can operate in a way which is in compliance with both these acts but must be sensitive to the concerns of users. Information must be provided to individuals that enables them to make a meaningful choice about whether or not to be involved in the use of the technology. The ICO will keep this technology under review as it develops.

Telecoms: Commission launches case against UK over privacy and personal data protection

The Commission has opened an infringement proceeding against the United Kingdom after a series of complaints by UK internet users, and extensive communication of the Commission with UK authorities, about the use of a behavioural advertising technology known as 'Phorm' by internet service providers. The proceeding addresses several problems with the UK's implementation of EU ePrivacy and personal data protection rules, under which EU countries must ensure, among other things, the confidentiality of communications by prohibiting interception and surveillance without the user's consent. These problems emerged during the Commission's inquiry into the UK authorities' action in response to complaints from internet users concerning Phorm.

"Technologies like internet behavioural advertising can be useful for businesses and consumers but they must be used in a way that complies with EU rules. These rules are there to protect the privacy of citizens and must be rigorously enforced by all Member States," said EU Telecoms Commissioner Viviane Reding. "We have been following the Phorm case for some time and have concluded that there are problems in the way the UK has implemented parts of EU rules on the confidentiality of communications. I call on the UK authorities to change their national laws and ensure that national authorities are duly empowered and have proper sanctions at their disposal to enforce EU legislation on the confidentiality of communications. This should allow the UK to respond more vigorously to new challenges to ePrivacy and personal data protection such as those that have arisen in the Phorm case. It should also help reassure UK consumers about their privacy and data protection while surfing the internet."

Since April 2008, the Commission has received several questions from UK citizens and UK Members of the European Parliament concerned about the use of a behavioural advertising technology known as ‘Phorm’ by Internet Service Providers in the UK. Phorm technology works by constantly analysing customers' web surfing to determine users' interests and then deliver targeted advertising to users when they visit certain websites. In April 2008, the UK fixed operator, BT, admitted that it had tested Phorm in 2006 and 2007 without informing customers involved in the trial. BT carried out a new, invitation-based, trial of the technology in October-December 2008. BT's trials resulted in a number of complaints to the UK data protection authority – the Information Commissioner’s Office (ICO) and to the UK police.

The Commission has written several letters to the UK authorities since July 2008, asking how they have implemented relevant EU laws in the context of the Phorm case. Following an analysis of the answers received the Commission has concerns that there are structural problems in the way the UK has implemented EU rules ensuring the confidentiality of communications.

Under UK law, which is enforced by the UK police, it is an offence to unlawfully intercept communications. However, the scope of this offence is limited to 'intentional' interception only. Moreover, according to this law, interception is also considered to be lawful when the interceptor has 'reasonable grounds for believing' that consent to interception has been given. The Commission is also concerned that the UK does not have an independent national supervisory authority dealing with such interceptions.

The UK has two months to reply to this first stage of an infringement proceeding, the letter of formal notice sent today. If the Commission receives no reply, or if the observations presented by the UK are not satisfactory, the Commission may decide to issue a reasoned opinion (the second stage in an infringement proceeding). If the UK still fails to fulfil its obligations under EU law after that, the Commission will refer the case to the European Court of Justice.

Background

The EU Directive on privacy and electronic communications requires EU Member States to ensure confidentiality of the communications and related traffic data by prohibiting unlawful interception and surveillance unless the users concerned have consented (Article 5(1) of Directive 2002/58/EC). The EU Data Protection Directive specifies that user consent must be ‘freely given specific and informed’ (Article 2(h) of Directive 95/46/EC). Moreover, Article 24 of the Data Protection Directive requires Member States to establish appropriate sanctions in case of infringements and Article 28 says that independent authorities must be charged with supervising implementation. These provisions of the Data Protection Directive also apply in the area of confidentiality of communications.

A detailed overview of telecoms infringement proceedings is available at:

http://ec.europa.eu/information_society/policy/ecomm/implementation_enforcement/infringement/