EU opens case over privacy and personal data
It seems Phorm is continuing to have a rocky ride to being a live product in the UK, the European Commission has sent a formal notice starting an infringement proceeding, concerned mainly with how the UK has implemented European data protection laws and how these relate to Phorm and potentially other behavioural advertising systems.
"The Commission has written several letters to the UK authorities since July 2008, asking how they have implemented relevant EU laws in the context of the Phorm case. Following an analysis of the answers received the Commission has concerns that there are structural problems in the way the UK has implemented EU rules ensuring the confidentiality of communications.
Under UK law, which is enforced by the UK police, it is an offence to unlawfully intercept communications. However, the scope of this offence is limited to ‘intentional’ interception only. Moreover, according to this law, interception is also considered to be lawful when the interceptor has ‘reasonable grounds for believing’ that consent to interception has been given. The Commission is also concerned that the UK does not have an independent national supervisory authority dealing with such interceptions.
The UK has two months to reply to this first stage of an infringement proceeding, the letter of formal notice sent today. If the Commission receives no reply, or if the observations presented by the UK are not satisfactory, the Commission may decide to issue a reasoned opinion (the second stage in an infringement proceeding). If the UK still fails to fulfil its obligations under EU law after that, the Commission will refer the case to the European Court of Justice."Extract from press release
The emphasis is on ensuring that customers of an ISP whose browsing habits are being tracked have given clear informed consent to the system being used on their connection. Under current UK law there only needs to be "reasonable grounds for believing" someone has consented.
This does not mean that this is the end for Phorm, there is nothing it seems stopping it deploying the system under an opt-in system that exceeds UK law requirements and satisfies European law. What it does mean is that we may see this case drag on depending on the UK response, with the final stage being appearing at the European Court of Justice. A win for the EU in the European Court would force changes to UK law.
The BBC amongst other websites has covered the news, and Nicholas Bohm from FIPR appears to back an additional requirement that would require sites to give consent so that they can be trawled. In theory this can be accomplished easily with websites utilising a robots.txt file, however that could exclude them from search engines which is a price they wouldn't want to pay.