Brussels to sue UK over Phorm failures
ICO and Phorm respond
Updated The European Commission has revealed plans to sue the UK government over its failure to take any action against BT and Phorm for their secret broadband interception and profiling trials.
Last year The Register revealed the pair had run covert wiretaps on tens of thousands of broadband lines in two trials in 2006 and 2007, to profile web use on behalf of advertisers.
In a statement released today, EU telecoms Commissioner Viviane Reding said the Phorm case showed UK laws needed to be tightened to protect consumers and comply with the ePrivacy Directive. New Labour signed the UK up to the ePrivacy Directive in 2002 and it came into force in October 2003.
"I call on the UK authorities to change their national laws and ensure that national authorities are duly empowered and have proper sanctions at their disposal to enforce EU legislation on the confidentiality of communications," Reding said.
"This should allow the UK to respond more vigorously to new challenges to ePrivacy and personal data protection such as those that have arisen in the Phorm case."
Under UK legislation, responsibility for enforcing the ePrivacy Directive lies with the Information Commissioner's Office (ICO). It had discussions with BT and Phorm about the secret trials but declined to take any action. The ICO accepted BT's argument that it would have been hard to explain Phorm's interception and profiling system to internet users whose communications it was being tested on.
The ICO did not immediately respond to a request for comment today; we'll update this story when it does.
Announcing the infringement action, the Commission also said it was concerned that the UK does not have an authority to regulate interception of communications by private companies.
The ICO does not have responsibility for enforcing the Regulation of Investigatory Powers Act (RIPA), which governs interception, and the Office of the Surveillance Commissioners is mandated only to investigate interceptions by public authorities. The police meanwhile declined to act over BT and Phorm's trials, saying there was "implied consent" and a lack of criminal intent.
The Commission said: "Under UK law, which is enforced by the UK police, it is an offence to unlawfully intercept communications. However, the scope of this offence is limited to 'intentional' interception only.
"Moreover, according to this law, interception is also considered to be lawful when the interceptor has 'reasonable grounds for believing' that consent to interception has been given. The Commission is also concerned that the UK does not have an independent national supervisory authority dealing with such interceptions."
After it had carried out the two trials, Phorm sought advice from the Home Office on whether its technology complied with RIPA. An official replied that he believed it could be if consent was sought from each broadband customer. Outside legal experts have since disputed that advice, arguing consent would also be needed from every website whose data was intercepted.
The Commission's action follows several months of letter-writing back and forth between Brussels and Whitehall. It has sent the Department for Business, Enterprise and Regulatory Reform (BERR), which handles UK government communications with the Commission, two months' notice of formal action. If it receives no reply or an unsatisfactory reply, it may decide to issue "a reasoned opinion", which is the next stage of the infringement process.
If following that the government does not bring UK law into line with European obligations, the Commission could sue in the European Court of Justice in Luxembourg. It has powers to heavily fine member states who infringe EU law.
A BERR spokeswoman confirmed officials had received the Commission's notice. "We will be considering the issues raised and will respond within the required timeframe. It would be inappropriate to comment further at this time," she said.
At time of publication spokespeople for BT and Phorm had not returned our calls. Again, we'll update this story when they do. Previously both have claimed they took legal advice prior to the trials, but refused to reveal what it said.
We've reproduced the Commission statement in full on the next page. ®
Phorm returned our call via email just after 4pm. It sought to soothe investors, saying it does not expect the Commission's action to have any impact on its plans. It did not address the legal status of its previous secret trials.
Here's the statement in full:
The EU Commission has announced today that it is starting infringement proceedings against the UK Government concerning the alleged failure of UK legislation to conform in certain respects with EU e-privacy and personal data protection rules. This is obviously a matter for the Commission and the UK Government.
However, in so far as the Commission's announcement references Phorm's technology, we should like to make the following points clear. Phorm's technology is fully compliant with UK legislation and relevant EU directives. This has been confirmed by BERR and by the UK regulatory authorities and we note that there is no suggestion to the contrary in the Commission's statement today. We do not envisage the Commission’s proceedings will have any impact on the company's plans going forwards.
Furthermore, Phorm's system stands out from other online advertising systems in that it does not store personal data, or browsing histories. Finally, consistent with UK and EU legislation, and in anticipation of any changes that may be made to the law in the future, our system offers un-missable notice and clear and persistent choice to consumers.
This release clarifies any misunderstandings that may have arisen following the Commission's announcement.
The ICO returned our call via email at about 4.30pm. It argued that the Commission was referring to intercept law and so implied it was not directly involved.
In assessing the ICO's argument, note that PECR is the set of regulations implementing the ePrivacy Directive (as referred to by the European Commission) in the UK. Here's the statement in full:
The ICO regulates and enforces the Data Protection Act, Freedom of Information Act and Privacy and Electronic Communications Regulations. These infringement proceedings from the EU appear to relate to the interception of communications, which is not part of the ICO's remit. Interception of communications is covered by the Regulation of Investigatory Powers Act, which is separate to the Data Protection Act and not regulated by the ICO.
The ICO has been involved in discussions with Phorm regarding the technology's compliance with the DPA and PECR only. A system such as Phorm can operate in a way which is in compliance with both these acts but must be sensitive to the concerns of users. Information must be provided to individuals that enables them to make a meaningful choice about whether or not to be involved in the use of the technology. The ICO will keep this technology under review as it develops.
Sponsored: Becoming a Pragmatic Security Leader