Commission sues UK over Phorm
In 2006 and 2007, BT used a technology called Phorm on users of its internet service for a trial period without informing them what it was doing. Phorm was a form of behavioural advertising technology which analysed internet use so as to deliver to each user advertising matched to that user’s own internet use. When this was revealed in 2008, there was public outcry, resulting in complaints to the Information Commissioner’s Office and the police. Although BT claimed that what it had done was legal, it did stop using the technology and no other ISP adopted it.
Problem solved, you might have thought. But no, the Commission has started an infringement action because, in its view, the legislation which the UK government stated implemented the Data Protection Directive (95/46/EC) and the ePrivacy Directive (Directive 2002/58/EC) – that is, the Regulation of Investigatory Powers Act (RIPA) and the Data Protection Act (DPA) – did not constitute full implementation. The Commission commenced action in April 2009 by sending a ‘letter of notice’, in which it stated that, in its investigation of the UK authorities’ response to complaints about Phorm, it had become aware of shortcomings in the legislation. This letter is essentially a request for information; a chance for the Member State to explain itself. In its letter, the Commission noted three areas of deficiency:-
- that RIPA applied only to intentional interceptions;
- that interception is deemed to be lawful when the interceptor has reasonable grounds to believe that consent to the interception had been given; and
- that there was no independent regulatory oversight.
According to the Commission, the two directives require protection in respect of unintentional interceptions as well as those that are intentional – the obligation in Article 5(1) ePrivacy Directive requires Member States to ensure confidentiality of communications and related traffic data by prohibiting unlawful interception and surveillance unless the users concerned have consented to this. Further, the reasonable belief exception does not match the requirement that consent be given, and that that consent be a ‘freely given, specific and informed indication of a person’s wishes’ (see Article 2(h) Data Protection Directive). The directives also require the existence of a body to supervise the interception of some communications and to hear complaints (see Article 28 Data Protection Directive); further, the limited scope of RIPA means that some interception will be without remedy (see obligation in Article 24 Data Protection Directive).
Following the usual procedure for infringement actions, and after analysing the UK’s response to its formal letter, the Commission formally called on the UK to amend its laws in a ‘reasoned opinion’, sent by letter in October 2009, thus opening the second stage of the infringement proceedings. The UK then had a period of 2 months in which to respond. It is only now that the next step in proceedings is happening, with the case against the UK being referred to the Court of Justice under what is now Article 258 TFEU. Only about 10% of actions started by the Commission are actually referred to the court.
The DPA and RIPA have both been much criticised, not only for being confusingly drafted, but also for not reflecting the requirements of EU law – and also Article 8 ECHR. According to law firm Pinsent Masons, the Commission, as part of its review of the implementation of the Data Protection Directive across the EU, had been in contact with the UK previously relating to a range of issues.
It is interesting to note the timing of the Commission’s decision in this regard, given that the UK is in the process of a call for evidence to inform the UK’s position when the Data Protection Directive is reviewed at EU level, and it is nearly a year since the expiry of the 2 month period after the issuance of a reasoned opinion. The Ministry of Justice consultation on the DPA is still open – until the 6th October. The issues on which MoJ is consulting are:-
- data subjects’ rights;
- obligations of data controllers;
- powers and penalties of the Information Commissioner;
- the principles-based approach;
- exemptions under the DPA; and
- international transfers;
which seems to be a significant chunk of the DPA.