The European Union Commission has decided to refer the United Kingdom to the European Union Court of Justice for not fully implementing rules laid down in both Directive 2002/58/EC (the “ePrivacy Directive”) and Directive 95/46/EC (the “Data Protection Directive”). Under European Union law, a Directive is not directly enforceable, but must be implemented by each Member State in its national legislation. A directive is binding, however, as to the result to be achieved.
British Telecom admitted in 2008 that it had carried out in 2006 and 2007 secret testing of Webwise, a behavioral advertising technology developed by Phorm. Webwise tracked and constantly analyzed users’ Internet activity to determine their interests in order to provide them with targeted advertising.
Users complained about what they thought were unlawful interceptions of communications. They complained to the Information Commissioner’s Office (ICO), which is UK’s independent authority on personal data protection, and to the police.
The EU Commission inquired into the UK government action to respond to these complaints. It grew concerned that data protection EU laws protecting the confidentiality of communications by prohibiting interception and surveillance without users’ consent had not been adequately implemented by the UK.
Recital 24 of the ePrivacy Directive states that the use of devices which can be used to gain access and store information located on terminal equipment of users of electronic communications networks is allowed only “for legitimate purposes, with the knowledge of the users concerned.”
Article 5(1) of the ePrivacy Directive requires Member States to ensure, through national legislation, the confidentiality of electronic communications. They must prohibit listening, tapping, storage or other kinds of interception or surveillance of communications, unless the users consent to it.
Under the UK Regulation of Investigatory Powers Act of 2000 (RIPA), it is a crime to intercept communications intentionally. It is legal, however, to intercept a communication if the interceptor has “reasonable grounds for believing” that consent to intercepting has been given.
RIPA thus does not comply, in view of the Commission, with the definition of “data subject’s consent,” set out by article 2(h) of the Data Protection Directive as “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.” Article 7(a) of the Data Protection Directive states that the data subject must have given his consent “unambiguously.”
The Commission also considered that UK law does not comply with EU rules on enforcement by supervisory authorities, as the UK does not have an independent national supervisory authority supervising the interception of communications.
The Commission has the power to commence an infringement proceeding against a Member State which the Commission believes infringes EU law. The Commission opened an infringement proceeding against the UK in April 2009, by sending a letter of formal notice, which is the first stage of an infringement proceeding. The Commission, not satisfied by UK response to the letter of formal notice, moved to the second stage of an infringement proceeding in October 2009 by announcing it would send the UK a reasoned opinion on the matter.
The Commission found the reply to the reasoned opinion unsatisfactory, and referred the case to the Court of Justice this last September. If the Court of Justice establishes an infringement, the UK will be required to take the necessary measures to comply with the judgment.
It will be interesting to follow how the EU Court of Justice will decide this case. Could it be possible that online behavioral advertising programs would be considered unlawful interception of communication, if users do not consent to it?
The issue of Internet users’ consent is hotly debated right now in the UK. Should users consent to cookies being stored their computers? Directive 2009/136/EC, nicknamed the “cookie directive,” entered into force on December 19, 2009, and must be transposed by Member States by May 25, 2011. Recital 66 of the Directive states that “users must be provided with clear and comprehensive information when engaging in any activity which could result in storing or gaining of access [to their equipment].” The new article 5(3) of the ePrivacy Directive, as amended by the “cookie directive,” requires a user’s consent before storing cookies, after the user has been provided “with clear and comprehensive information.” How Member States will implement this requirement, and how the European Court of Justice will rule in the Phorm case, will be watched closely in the next months by online behavioral marketers.