UK to bring interception rules into line with EU privacy law

Claire Walker

Austria is not the only EU Member State in trouble with the European Commission. Following last week’s post by Datonomy’s Austrian correspondent, the UK Government has responded to the Commission’s recent censure by publishing proposals to tighten up rules on the interception of Internet and email communications.
At the end of September, the European Commission referred the UK to the ECJ over failure to fully implement EU rules on the confidentiality of Internet and email communications (see the 7 October post by Gemma) and this week the Home Office published its proposals for closing the relevant loopholes in the UK statute book.
Regular readers of Datonomy will recall that this debacle dates back to early 2009 and was triggered by concerns about the privacy issues raised by the online behavioural advertising service Phorm.
To recap, the Commission identified a mismatch between certain requirements of the ePrivacy Directive and the UK’s interception regime, which is set out in legislation which pre-dates that Directive, namely the Regulation of Investigatory Powers Act 2000.
The detail of the Commission’s complaint is as follows:
• there is no independent national authority to supervise the interception of some communications, although the establishment of such an authority is required under the ePrivacy and Data Protection Directives, in particular to hear complaints regarding interception of communications
• current UK law authorises interception of communications not only where the persons concerned have consented to interception but also when the person intercepting the communications has ‘reasonable grounds for believing’ that consent to do so has been given. These UK provisions do not comply with EU rules defining consent as “freely given, specific and informed indication of a person’s wishes”
• current UK law prohibiting and providing sanctions in case of unlawful interception is limited to ‘intentional’ interception only, whereas EU law requires Member States to prohibit and to ensure sanctions against any unlawful interception regardless of whether committed intentionally or not.
The Home Office proposals to bring UK legislation fully into line with the ePrivacy Directive are contained in this 10-page consultation document: “Regulation of Investigatory Powers Act 2000: proposed amendments affecting lawful interception”. The Government accepts that it needs to make legislative changes, and proposes the following.
• Amending section 3(1) RIPA which currently makes interception lawful where both sender and intended recipient have given their consent to the interception or where the person carrying out the interception “has reasonable grounds for believing” that consent has been given. This second limb is incompatible with the requirement in data protection legislation for consent to be “freely given specific and informed”, and will be removed. The consultation seeks views from communications service providers on the practical impact of the requirement for specific consent to interception.
• Sanctions for unintentional interception: RIPA already imposes criminal sanctions for intentional unlawful interceptions. To bring UK legislation into line with the ePrivacy Directive, an additional sanction covering all interceptions – intentional or otherwise – is needed. The Home Office proposes a civil monetary penalty (fine) of up to £10,000 for unintentional unlawful interceptions by CSPs, imposed by the Interception of Communications Commissioner (IoCC). The consultation also sets out proposals on additional powers for the IoCC, and for rights for CSPs to appeal (to the First Tier Tribunal) in disputed cases.
With the UK Government under pressure to comply fully with EU data protection law, there is a shorter than usual consultation window – until 7 December – to respond to the Government’s proposals for legislative change. ISPs’ reactions to the proposals are awaited with interest.
It must be remembered that the UK’s interception regime, although it went through a future-proofing exercise in 2000, has its roots in a bygone age of postal and voice telephone communications, long before the advent of online behavioural advertising techniques. This member of the Datonomy team predicts that – as with the impending stricter requirements for users’ consent to website cookies – the challenge will lie not in amending the statute book, but in the practicalities of establishing internet users’ consent – in a workable way – in a constantly evolving online environment.
