In 2009 the European Commission sued the UK for alleged failure to implement parts of EU privacy directives 95/46/EC and 2002/58/EC impacting interception of communications. Now Brussels has dropped the action following recent changes to the Regulation of Investigatory Powers Act. Manana Shrimpling reports.
Topic: Online Advertising
Who: European Commission and the UK
When: 26 January 2012
Law as stated at: 29 February 2012
The European Commission has dropped its infringement case against the UK for improperly implementing EU rules on ePrivacy and data protection on the confidentiality of communications.
The Commission instigated the proceedings in April 2009 following concerns about Phorm's online behavioural advertising ("OBA") technology and the UK's failure to address complaints by UK internet users about the use of OBA software by ISPs (see April 2009 marketinglaw.co.uk article Behavioural advertising in new storm). The case was referred by the Commission to the European Court of Justice in September 2010.
The Commission considered there to be 3 gaps in UK's laws governing the confidentiality of electronic communications:
1. there was no independent national authority to supervise the interception of communications (as required under the ePrivacy and Data Protection Directives), in particular to hear complaints regarding interception of communications. Complaints were instead handled by ICO and the police;
2. the Regulation of Investigatory Powers Act 2000 ("RIPA") authorised interception of communications not only where the persons concerned consented to interception, but also when the person intercepting the communication had "reasonable grounds for believing that" consent to do so had been given. Under the EU Data Protection Directive, consent must be freely given, specific and informed; and
3. RIPA provisions on prohibiting unlawful interceptions were limited to "intentional" interception only. EU law requires prohibition of any unlawful interception, regardless of whether committed intentionally or not.
In May 2011, the UK amended RIPA so as not to allow interception of users' electronic communications without their explicit consent. It also established a monetary penalty (maximum £50,000) to deal with breaches of confidentiality in electronic communications. This new civil sanction is administered by the Interception of Communications Commissioner ("ICC"), who will hear complaints about unlawful interception. The ICC has published guidance on how he will exercise his new functions.
The Commission considers that these changes, which came in force on 16 June 2011, now properly implement the EU rules.
Why this matters:
The revised rules have particular relevance in the context of the use of ISP traffic monitoring technologies (such as Phorm) for OBA. Phorm's technology works by constantly analysing a user's web surfing to determine their interests and deliver targeted advertising when the user visits certain sites. The revised rules make it clear that opt-in consent will need to be obtained for such traffic monitoring, even where no personal data may be being processed.
With the use of cookie technologies for OBA also now requiring express consent from website users, advertisers will need to be aware that they should seek and obtain that opt-in consent from internet
users if using OBA software, or potentially face monetary penalties.