Grandson of Phorm: the European Commission is referring the UK to the European Court -
"for not fully implementing EU rules on the confidentiality of electronic communications such as e-mail or internet browsing. Specifically, the Commission considers that UK law does not comply with EU rules on consent to interception and on enforcement by supervisory authorities. The EU rules in question are laid down in the ePrivacy Directive 2002/58/EC and the Data Protection Directive 95/46/EC."
I previously mentioned that in October 2009 the Commission had stepped up its action against the UK on this front, and the referral today is the final step, after their clearly unsuccessful attempts to get the UK to fix its inadequate e-privacy laws.
From the Commission press release:
"The infringement procedure was opened in April 2009 (IP/09/570), following complaints from UK internet users notably with regard to targeted advertising based on analysis of users’ internet traffic. The Commission previously requested the UK authorities in October 2009 (IP/09/1626) to amend their rules to comply with EU law.
The Commission launched the legal action against the UK in April 2009 following citizens' complaints about how the UK authorities had dealt with their concerns about the use of behavioural advertising by internet service providers (targeted advertising based on prior analysis of users’ internet traffic). These complaints were handled by the UK Information Commissioner’s Office, the UK personal data protection authority and the police forces responsible for investigating cases of unlawful interception of communications.
The Commission considers that existing UK law governing the confidentiality of electronic communications is in breach of the UK's obligations under the ePrivacy Directive 2002/58/EC and the Data Protection Directive 95/46/EC in three specific areas:
- there is no independent national authority to supervise the interception of some communications, although the establishment of such authority is required under the ePrivacy and Data Protection Directives, in particular to hear complaints regarding interception of communications
- current UK law authorises interception of communications not only where the persons concerned have consented to interception but also when the person intercepting the communications has ‘reasonable grounds for believing’ that consent to do so has been given. These UK provisions do not comply with EU rules defining consent as "freely given, specific and informed indication of a person’s wishes"
- current UK law prohibiting and providing sanctions in case of unlawful interception are limited to ‘intentional’ interception only, whereas EU law requires Members States to prohibit and to ensure sanctions against any unlawful interception regardless of whether committed intentionally or not."
For those interested, the main UK laws in question are:
- the unfortunately-acronymed Privacy and Electronic Communications Regulations (PECR), and
- the Regulation of Investigatory Powers Act (RIPA).
The Commission also has raised wider issues with the UK over the (in)adequacy of the UK Data Protection Act more generally, so we'll see if further infringement action also results on that front.
©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.