The European Commission has rejected the UK's defence of its electronic privacy laws and will continue to pursue legal action against the Government in a case sparked by BT's use of Phorm web activity monitoring without telling its subscribers.
The Commission believes that UK laws do not properly implement the two EU Directives that protect online privacy, the Data Protection Directive and the Privacy and Electronic Communications (PECR) Directive.
"European laws state that EU countries must ensure the confidentiality of people's electronic communications like email or internet browsing by prohibiting their unlawful interception and surveillance without the user's consent," said a Commission statement.
The Commission launched its case against the UK in April of this year. It has now read the Government's response and said that it will continue to the next phase of the case, which is the sending of a 'reasoned response'.
If the Commission is not satisfied with the UK's reply to this 'reasoned response' then it can refer the case to the European Court of Justice.
BT used technology invented by Phorm to monitor some of its users' internet activity and serve them ads that Phorm believed were more appropriate for those users. This was done without users' knowledge or permission. Later trials were conducted with subscribers' permission and BT has since said that it will not use Phorm's technology.
Outraged users have complained to privacy regulator the Information Commissioner's Office (ICO) and to the Commission. These complaints led to the Commission's action.
"People's privacy and the integrity of their personal data in the digital world is not only an important matter, it is a fundamental right, protected by European law. That is why the Commission is vigilant in ensuring that EU rules and rights are put in place," said EU Telecoms Commissioner Viviane Reding. "Ensuring digital privacy is a key for building trust in the internet. I therefore call on the UK authorities to change their national laws to ensure that British citizens fully benefit from the safeguards set out in EU law concerning confidentiality of electronic communications."
The Commission said that the UK's Regulation of Investigatory Powers Act (RIPA) does not properly implement EU law because it allows exceptions that the EU law does not.
"[RIPA] authorises interception of communications not only where the persons concerned have consented to interception but also when the person intercepting the communications has ‘reasonable grounds for believing’ that consent to do so has been given. These UK law provisions do not comply with EU rules defining consent as freely given specific and informed indication of a person’s wishes," said the Commission.
"The RIPA provisions prohibiting and providing sanctions in case of unlawful interception are limited to ‘intentional’ interception only, whereas the EU law requires Member States to prohibit and to ensure sanctions against any unlawful interception regardless of whether committed intentionally or not," it said.
The Commission also said that the UK broke the EU law because there was no "independent national authority to supervise interception of communications", which is required by the Directives.
The ICO is responsible for ensuring that all organisations comply with the Data Protection Act, which enacts the Data Protection Directive. There are also Surveillance Commissioners who oversee police and state interceptions of communications and an Interception of Communications Commissioner.
The exact area of responsibility of each of these authorities, though, is not clear. In a response to a Home Office consultation process earlier this year the ICO itself said that "even the Government have struggled in fully understanding where the ICO regulatory competence begins and ends when it comes to communications data".
The ICO said that the regulation of interception is inadequate. "Where the private sector, either through their own provision of services, or through being placed under a legal obligation, are intercepting communications of services users, there are gaps in the regulatory regime," it said. "The only recourse for a private sector breach is prosecution for a criminal offence. This is different from the position that applies to the public sector. Arguably there is a need for an appropriately empowered regulator, who can provide advice and guidance and ultimately impose civil sanctions against private sector players."
Consumer activist body Consumer Focus condemned what it said was the Government's failure to protect individuals' privacy. "Our electronic communications are regularly intercepted and used by Government and industry without our consent," said the group's Linda Weatherhead. "Privacy has become devalued in the digital world as technology evolves faster than the rights of the people using it."