Monday, 2 November 2009

Commission vs UK - electronic privacy & data protection failure

There have been reports (e.g. in the Independent and Out-Law) about the European Commission's announcement of 29 October 2009 that they are moving to the second phase of infringement proceedings against the UK for failing:

"to provide its citizens with the full protection of EU rules on privacy and personal data protection when using electronic communications. European laws state that EU countries must ensure the confidentiality of people's electronic communications like email or internet browsing by prohibiting their unlawful interception and surveillance without the user's consent. As these rules have not been fully put in place in the national law of the UK, the Commission today said that it will send the UK a reasoned opinion."

The summary table "Electronic Communications - 2002 Regulatory Framework - Infringement procedures opened for incorrect implementation" now lists against the United Kingdom "Incorrect application of EU rules on confidentiality of communications", with the date of the formal notice being 14/04/2009 and the date of the reasoned opinion being 29/10/2009.

No copy of the "reasoned opinion" which the Commission are sending to the UK seems to be available.

EU press releases:

All this arose because behavioural advertising company Phorm offered ISPs a way to make money from ads by monitoring all web surfing of the ISP customers, and BT conducted trials of Phorm technology without their customers' knowledge or consent. The UK Home Office had even given "advice" to Phorm about the legalities of their operation.

Lots of people objected to the extremely wide-ranging nature of the monitoring, and a concerted campaign (e.g. the ORG's letter to some big-name sites) succeeded in getting a number of major sites like Amazon to opt out of the Phorm system (if you were an e-commerce site, would you want some third party tracking what your customers do on your site?).

There were also complaints to the Commission on the basis that, to put it simplistically, if UK laws allow this sort of thing then UK law isn't protecting the privacy of electronic communications adequately as required by EU law (the Privacy and Electronic Communications Directive and the Data Protection Directive).

For those interested, some sources:

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.