EC Gives UK Two Months To Improve Online Privacy

The European Commission (EC) has increased its pressure on the UK government to establish clear regulations on privacy and data protection that are in line with EU standards.

The EC has moved infringement proceedings against the UK government over its inaction on online privacy to the second stage, and given a two month deadline for response, before the case goes to the European Court of Justice

European law states that EU countries must ensure the confidentiality of people’s electronic communications, including email and internet browsing, by prohibiting their interception and surveillance without the user’s consent. However, The EC believes that these rules have not been adequately implemented in the UK and, as a result, is moving into the second phase of its infringement proceeding.

“People’s privacy and the integrity of their personal data in the digital world is not only an important matter, it is a fundamental right protected by European law,” said EU Telecoms Commissioner Viviane Reding. “That is why the Commission is vigilant in ensuring that EU rules and rights are put in place.”

The EC’s decision to step up its assault on online privacy laws in the UK is related to the government’s failure to crack down on the use of behavioural advertising technology known as ‘Phorm’, which delivers targeted ad campaigns by using broadband ISPs to monitor users’ behaviour. The Commission first opened its infringement proceeding in April, following a series of complaints by UK internet users about the use of Phorm by internet service providers.

Since the initial case was brought against the government, several online companies, such as Amazon UK have boycotted Phorm’s behavioural ad system. Initially planning to use it, BT did a U-turn and dropped it in July

Privacy campaigner, The Open Rights Group, welcomed Amazon’s move back in April, saying that “By choosing to block the contentious online advertising system from scanning its web pages, these firms have taken the positive choice to protect their users’ privacy and their own brands.”

The EC’s latest proceeding is a result of the UK authorities’ failure to take positive action since the letter of formal notice was sent to them by the Commission in April. The second phase addresses three specific gaps in the rules governing the confidentiality of electronic communications in the UK, which do not meet with EU e-privacy and personal data protection rules:

• There is no national authority to supervise the interception of communications and hear complaints relating to infringement of personal data protection laws.
• Communications can be intercepted when the person intercepting has ‘reasonable grounds for believing’ that consent has been given, even though the EU defines consent as “freely given specific and informed indication of a person’s wishes”.
• The Regulation of Investigatory Powers Act (RIPA) does not allow sanctions to be imposed on people who unlawfully intercept communications unless the interception was “intentional”. Under EU law, Member States are required to prohibit and ensure sanctions against any unlawful interception regardless of whether or not it was committed intentionally.

The Commission has given the UK government two months to reply to this second stage of the infringement proceeding before it refers the case to the European Court of Justice.

In a statement Reding calls on the UK authorities to “change their national laws to ensure that British citizens fully benefit from the safeguards set out in EU law concerning confidentiality of electronic communications.”