The EU puts the UK in the dock over internet privacy concerns

Civitas, 6 October 2010

The UK is being taken to court by the EU Commission for failing to comply with EU laws governing internet privacy and advertising, writes Natalie Hamill. The Commission is concerned that the UK’s legislation contravenes EU law and does not sufficiently protect the privacy of internet users.

The case emanates from a lengthy investigation into UK internet practices, triggered initially by criticism of the method of data collection used in a BT internet pilot. In 2006 and 2007, BT ran secret pilots for a service called Phorm which used targeted advertising to make ‘content and advertising more relevant to consumers’. To do this, Phorm used lists websites that individuals had recently visited, which allowed it to tailor its advertising content to the browsing history of their broadband customers.

Despite consumers being unaware of Phorm’s ‘snooping’, the practice was deemed legal in the UK thanks to the Regulation of Investigatory Powers Act 2000 (although this legislation had initially been intended to assist in surveillance for terrorism). Phorm insisted that all the information it used was anonymous and therefore could not be used for ‘spying’, but rather it was simply used to tailor advertising to browsing tastes; a mechanism they hoped would attract big advertising bucks from companies who, with this information, could specifically target their ideal audience. For the EU Commission, however, the UK’s regulation that allows such interception of data contradicts two EU directives (the ePrivacy Directive, and the Data Protection Directive). This is because the UK regulation:

• Fails to provide an independent national authority to supervise the interceptions of data. (Thus there is no body for consumers to complain to if necessary).
• Allows communications to be intercepted in the UK without consent having been given (on account of a ‘reasonable grounds’ clause (meaning the interceptor doesn’t have to gain the specific consent of the individual, only ‘reasonable grounds to believe’ that consent would be given).
• Allows for ‘unintentional’ interception (both unintentional and intentional interception are illegal under the EU directives).

Because EU directives supersede national legislation, the UK has been referred to the European Court of Justice (ECJ) over the matter. If the UK is found to have failed to comply with the EU directives it will face staggering fines for each day it continues to breach them. A Home Office statement said the UK Government was ‘disappointed’ that the case had been referred to the ECJ, and insisted the Government is working to come in line with the EU on this.

Internet usage is relatively high across the EU (60% of adults in the UK access the internet at least once a day) and will continue to rise over the next decade. Furthermore, the internet is borderless and immensely powerful, both as a means of connecting people and distributing information. Therefore, it does make sense to develop continuity and consistency in the law governing it.

However, whether it was necessary to for the EU to move against the UK’s regulation at this stage is not clear, especially as EU officials themselves are still striving to find the elusive balance between the need to monitor data for security reasons, and the desire to protect browsers’ data and privacy (consider the MEPs row on tightening online piracy measures versus consumer rights just two weeks ago)!