EU Commission to take UK to court over alleged privacy law failings

The EU Commission is taking the UK to court over the UK’s apparent failure to protect the privacy of people’s communications adequately and in accordance with European standards.
The case centres on the UK Government’s response to the BT/Phorm web monitoring scandal. In 2008, BT trialled technology made and promoted by Phorm to track its users’ online activity, using the data to match advertising to people’s perceived interests. However, the trials were done without BT customer’s knowledge or permission, and as such provoked a myriad of complaints to both privacy regulator the Information Commissioner’s Office (ICO) and to the police, not only from its own customers, but from the press and privacy groups as well.
Despite the uproar, the trials were declared legal in the UK, (although BT ditched the technology after the complaints came to light). The Commission, unimpressed with the outcome, twice wrote to the UK Government stating that current laws were inadequate and should be changed to properly implement EU law. But even the Commission’s warnings were not enough to compel change. So now the Commission is taking the UK to the European Court of Justice (ECJ) to force compliance.
Specifically the Commission has said that UK law fails to meet the requirements of two EU directives, the Privacy and Electronic Communications Directive and the Data Protection Directive in three respects:
• “there is no independent national authority to supervise the interception of some communications … in particular to hear complaints regarding interception of communications” despite the fact that this is a requirement under EU law;
• “current UK law authorises interception of communications not only where the persons concerned have consented to interception” but also more worryingly “when the person intercepting the communications has ‘reasonable grounds for believing’ that consent to do so has been given.” Such provisions do not comply with EU rules defining consent as “freely given, specific and informed indication of a person’s wishes”;
• current UK law prohibiting and providing sanctions in case of unlawful interception are limited to ‘intentional’ interception only, whereas EU law requires Members States to prohibit and to ensure sanctions against any unlawful interception regardless of whether committed intentionally or not.”
The Information Commissioner Office has somewhat acknowledged the Commission’s findings by admitting that there are “gaps” in the regulatory regime and that there is a need for “an appropriately empowered regulator, who can provide advice and guidance and ultimately impose civil sanctions against private sector players”. Whether this admittance coupled with the threat of court action will finally convince the UK to act is another matter, but it is hopefully another step in protecting privacy and personal data.

Leave a Reply

Your email address will not be published. Required fields are marked *