EC To Sue UK For Inaction Over Phorm

The European Commission has warned the UK government it will take legal action over its failure to protect users from the Phorm behavourial ad targeting software which has been used by BT.

Phorm, produced by a London company, contravenes EU ePrivacy and personal data protection rules which cover the confidentiality of communications, says the EC, because it intercepts and monitors user actions – in some cases, without the user’s consent.

BT has admitted that it tested Phorm without getting user consent, and UK consumers have taken their complaints to the EC, after the UK givernment did not respond to their satisfaction.

According to the EC, the UK has two months to reply to a letter of formal notice sent this week which marks the first stage of the infringement proceeding. If the UK fails to respond adequately and “fulfil its obligations under EU law”, the Commission warned that it will refer the case to the European Court of Justice.

“Technologies like internet behavioural advertising can be useful for businesses and consumers but they must be used in a way that complies with EU rules. These rules are there to protect the privacy of citizens and must be rigorously enforced by all Member States,” said EU telecoms commissioner Viviane Reding.

According to Reding, the EC has been tracking the Phorm case since 2008 and has concluded that the UK authorities failed to address confidentiality issues raised by Phorm. “I call on the UK authorities to change their national laws and ensure that national authorities are duly empowered and have proper sanctions at their disposal to enforce EU legislation on the confidentiality of communications.”

The EC claims that tightening rules over confidentiality should help reassure consumers that personal data remains personal, said Reding.

“This should allow the UK to respond more vigorously to new challenges to ePrivacy and personal data protection such as those that have arisen in the Phorm case,” she said. “It should also help reassure UK consumers about their privacy and data protection while surfing the internet.”

Phorm technology works by analysing customers’ web surfing to determine their interests and then delivers targeted advertising. The EC said that in April 2008 BT admitted that it had tested Phorm in 2006 and 2007 without informing customers involved in the trial.

“BT’s trials resulted in a number of complaints to the UK data protection authority – the Information Commissioner’s Office (ICO) and to the UK police,” the EC said in a statement.

BT was contacted for comment on its use of Phorm and the EC legal action but said it “had no comment to make.’

The EC said it has written several letters to the UK authorities since July 2008 asking how the government had applied EU data protection and privacy laws around Phorm.

“Following an analysis of the answers received the Commission has concerns that there are structural problems in the way the UK has implemented EU rules ensuring the confidentiality of communications,” the EC stated.

The Commission also said that the UK currently does not legislate against “non-intentional” interceptions of data and allows interceptions in cases where there is a reasonable belief that the user knows their data has been intercepted. The EC also expressed concerned that the UK does not have an “independent national supervisory authority” to deal with complex issues around data interceptions.

Jim Killock, executive director of digital freedom campaign organisation The Open Rights Group, said that is has long argued that Phorm is an invasion of internet users’ privacy.

“Following our call for intervention, the EU has implicitly recognised the system involves unlawful interception because it does not obtain permission from both the user and the website owner,” he said. “The UK authorities consistently deny this claim, although it is unclear precisely which part of Government is responsible for enforcing related legislation. Fortunately, the EU has also expressed concerns with procedure, which should ensure similar technologies receive proper scrutiny in future.”

Phorm was founded in 2002 as 121Media based in London, and took on the name Phorm In May, 2007. The company has extensive information on its site about privacy issues including the following statement. “Designed with both user protection and online targeting effectiveness as equal priorities, Phorm has kept privacy issues and laws at the forefront of our efforts to deliver greater security and a more relevant internet to web consumers.”