The UK is in hot water after failing, according to the European Commission, to implement properly European data protection legislation safeguarding consumers against unwarranted behavioural advertising. Phil Lee reports.
Topic: Privacy
Who: European Commission / Home Office
When: 14 April 2009
Where: UK
Law stated as at: 28 April 2009
What happened:
The online behavioural advertising ("OBA") saga looks set to run and run. In yet another unexpected twist, the European Commission has now instigated infringement proceedings against the UK over its alleged failure to properly implement the Data Protection and ePrivacy Directives. The action arises out of concerns voiced by the Commission about the treatment of Phorm's OBA technology under UK law, with the UK apparently having failed to abate these concerns despite receiving "several letters" from the Commission. In a press release (http://europa.eu/rapid/pressReleasesAction.do?reference=IP/09/570), EU Telecoms Commissioner, Vivianne Reading, said: "We have been following the Phorm case for some time and have concluded that there are problems in the way the UK has implemented parts of EU rules on the confidentiality of communications."
The Commission has highlighted the following concerns over the UK's implementation of European data protection legislation:
1. Consent issues: The EU Data Protection Directive requires user consent to be "freely given specific and informed".
However, under the Regulation of Investigatory Powers Act 2000 ("RIPA"), communications between two parties can intercepted lawfully where the interceptor has "reasonable grounds" for believing that both parties consent to the interception.
This has particularly relevance in the context of OBA ISP traffic monitoring technologies (such as Phorm), which work on the basis of intercepting and analysing user traffic. Reasonable grounds for believing a user has consented could arguably permit an opt-out approach to this type of OBA. This action by the Commission, however, suggests it favours an opt-in approach.
2. Intentional interception: RIPA also makes it an offence to intercept communications between two parties. However, the offence is limited to circumstances where the interception is "intentional" only – again, possibly supporting an opt-out view of the OBA world (i.e. if a user fails to opt out, could subsequent interception for OBA traffic monitoring be said to be intentionally unlawful?). The fact that the Commission has raised this issue perhaps serves to further suggest it favours opt-in.
3. Supervisory authority: The Commission has cited an additional concern that the UK has no "independent national supervisory authority" for supervising communications interceptions. In the UK, RIPA is enforced by the police, under the watchful eye of the Home Office. The Commission clearly feels that the Home Office is not sufficiently independent; possibly, because the Home Office will have a vested interest in authorising communications interceptions in the interests of combating terrorism and organised crime. Could this mean that ICO will get powers to enforce RIPA breaches in future?
Why this matters:
Recent developments at a UK, EU and wider international level indicate that there are three broad categories of OBA in the minds of the regulators: (i) ISP traffic monitoring (the Phorm model); (ii) first party advertising through cookie technologies (the Amazon model); and (iii) third party advertising through cookie technologies (the Facebook beacon model). The recent action taken by the Commission indicates that it is focussing its attentions on the first of these, ISP traffic monitoring, and suggests a leaning towards opt-in requirements.
What this does not do, however, is clarify whether opt-in or opt-out is required for OBA served through cookie technologies. The industry clearly favours an opt-out approach to OBA and this view is supported by recent developments in both the US (the FTC self-regulatory principles for OBA) and the UK (the IAB self-regulatory OBA good practice guidelines), each of which stop short of calling for opt-in.
The UK now has two months to reply to the Commission. If the Commission still is not satisfied following this reply, it will issue an opinion and potentially pursue further action through the European Court of Justice. Either way, a resolution to this issue still seems some way off.