"The Commission has opened an infringement proceeding against the United Kingdom after a series of complaints by UK internet users, and extensive communication of the Commission with UK authorities, about the use of a behavioural advertising technology known as ‘Phorm’ by internet service providers. The proceeding addresses several problems with the UK's implementation of EU ePrivacy and personal data protection rules, under which EU countries must ensure, among other things, the confidentiality of communications by prohibiting interception and surveillance without the user's consent. These problems emerged during the Commission’s inquiry into the UK authorities’ action in response to complaints from internet users concerning Phorm."
Viviane Reding, the EU telecommunications commissioner, adds:
“We have been following the Phorm case for some time and have concluded that there are problems in the way the UK has implemented parts of EU rules on the confidentiality of communications. I call on the UK authorities to change their national laws and ensure that national authorities are duly empowered and have proper sanctions at their disposal to enforce EU legislation on the confidentiality of communications. This should allow the UK to respond more vigorously to new challenges to ePrivacy and personal data protection such as those that have arisen in the Phorm case. It should also help reassure UK consumers about their privacy and data protection while surfing the internet.”
This is excellent news for anyone who has followed the Phorm story. First, the EC action will be based on problems with the legality of the general way Phorm works, not the one-off blunder of starting trials without getting proper consents last year. In essence the charge - which was explained in a clear memorandum from FIPR by Nicholas Bohm over a year ago - is that Phorm intercept communications between users and websites on the basis of consent from the user, but not from the website. This is wiretapping and/or spyware by any other name, which is why the EU objection is based on Art 5(3) of the ePrivacy Directive, which deals with the confidentiality of electronic communications.
Secondly, the EC action clearly contemplates not just the UK's misinterpretation of Art 5(3) but also its failure to provide a proper institution to supervise unauthorised interception by the private sector. The Interception Tribunal established under RIPA 2000 is empowered only to look at police and public sector interception of communications. Responsibility should fall to the UK Information Commissioner, but he has seemed unwilling to take up that role vis-à-vis Phorm to date.
All in all this is excellent news. See more on Phorm in my chapter on targeted advertising in the upcoming (really) Edwards and Waelde (eds), Law and the Internet (3rd edn), but for the moment see the ORG blog on the issue.
All this is ironic as only a week ago, Phorm announced they were really finally about to go live in the UK. With proceedings for illegality from the Commission hovering on the horizon, it will be a brave ISP who launches Phorm right now on their worried customers.