Reding on Phorm: UK and BT under fire

In a video posted on her website this morning, Viviane Reding, the European Union's Commissioner for Information Society and Media, said that Europeans must have the right to control how their personal information is used, and said that the Commission would take action wherever EU Member States failed to ensure that new technologies such as behavioural advertising, RFID 'smart chips' or online social networking respected this right.

She particularly has BT, its proposed use of Phorm software to serve targeted ads based on users' online behaviour, and the UK legal framework concerning the protection of citizens' privacy in her sights. There was a major row when in transpired that BT had trialled Phorm in 2006 and 2007 without obtaining its customers permission to use information about them.

BT's trials resulted in complaints to the UK's the Information Commissioner's Office (ICO), which is responsible for data protection, and to the UK police. BT carried out invitation-only trials in autumn last year, and won regulator Ofcom's approval for its "˜proper' use in March, a highly controversial decision.

The Commission has written several letters to the UK authorities since July 2008, asking how they have implemented relevant EU laws in the context of the Phorm case.

Reding stated, "We have been following the Phorm case for some time and have concluded that there are problems in the way the UK has implemented parts of EU rules on the confidentiality of communications. I call on the UK authorities to change their national laws and ensure that national authorities are duly empowered and have proper sanctions at their disposal to enforce EU legislation on the confidentiality of communications.

"This should allow the UK to respond more vigorously to new challenges to ePrivacy and personal data protection such as those that have arisen in the Phorm case. It should also help reassure UK consumers about their privacy and data protection while surfing the internet."

The Commission has opened an infringement proceeding against the UK to address problems with its implementation of EU ePrivacy and personal data protection rules, under which EU countries must ensure, among other things, the confidentiality of communications by prohibiting interception and surveillance without the user's consent.

Under UK law, which is enforced by the UK police, it is an offence to unlawfully intercept communications. However, the scope of this offence is limited to "˜intentional' interception only. Also, interception is also considered lawful when the interceptor has "˜reasonable grounds for believing' that consent to interception has been given.

The UK has two months to reply to this first stage of an infringement proceeding. If the Commission receives no reply, or if the observations presented by the UK are not satisfactory, the Commission may decide to issue a reasoned opinion (the second stage in an infringement proceeding). If the UK still fails to fulfil its obligations under EU law after that, the Commission will refer the case to the European Court of Justice.