EU Commission steps up UK legal action over privacy and personal data protection

On 29 October 2009, the European Commission (EC) moved to the second phase of infringement proceedings against the UK for failing to implement as national law the full protection of EU rules on privacy and personal data protection in relation to use of electronic communications.

European laws require EU countries to protect the confidentiality of people's electronic communications, such as internet browsing or email, by prohibiting their unlawful interception and surveillance without the user's consent.

Behavioural advertising and deep packet inspect technology is known as "Phorm" by internet service providers. Phorm technology works by constantly analysing customers' web surfing to determine user interests and preferences. It then delivers targeted advertising to those users when they visit certain websites. You may recall, back in April we provided an analysis on Phorm and the associated data protection issues.

The EC had received a number of complaints about the use of Phorm technology from UK internet users and initiated the first phase of infringement proceedings against the UK by sending a letter of formal notice issued on 14 April 2009, which the UK failed to respond to adequately.

This second phase of infringement proceedings (which takes the form of a reasoned opinion by the EC that an infringement exists) has been issued because of the UK government's continued inability to clamp down on the use of Phorm.

Following an analysis of the answers provided by the UK to its formal notice, the EC has concerns that there are structural problems in the way that the UK has implemented EU rules protecting the confidentiality of an individual's electronic communications. More specifically, the EC has identified three gaps in existing UK laws governing the confidentiality of electronic communications which it wants the UK to redress:

• There is no independent national authority to supervise the interception of electronic communications as required under the ePrivacy and Data Protection Directives.
• Current UK law under the Regulation of Investigatory Powers Act 2000 (RIPA) authorises the interception of electronic communications, not only where the individual has consented but also where the person intercepting the communication has "reasonable grounds for believing" that consent to do so has been given. This contravenes EU rules which define consent as being a freely given, specific and informed indication of a person's wishes.
• The RIPA provisions prohibiting and providing sanctions in cases of unlawful interception are limited to "intentional" interception only, whereas EU law requires Member States to prohibit and to ensure sanctions against any unlawful interception, regardless of whether the interception was intentional or not.

If the UK fails to reply or provides an unsatisfactory response to this second phase of infringement proceedings then the EC may refer the case to the European Court of Justice.

This alert was written by Valerie Evans, valerie_evans@wragge.com, an associate in Wragge & Co LLP's Data Protection team.