Phorm invented a technology for ISPs to use to track users' web use in order to serve them ads that were related to the recorded internet activity. ISP BT used this technology without telling users, which led to complaints to UK regulators and the Commission that this broke privacy laws.
BT later said that it would not use Phorm's technology, and no other UK ISP has used it.
In examining the complaints, the European Commission assessed the legal protections available in the UK for the privacy of internet users and their communications. It has twice written to the UK Government demanding that UK laws be changed to better implement EU directives.
The Commission said in April and October of 2009 that the Regulation of Investigatory Powers Act (RIPA), the Data Protection Act do not fully implement the Privacy and Electronic Communications Directive and the Data Protection Directive.
It asked the UK to change the law but has now said that it will take the UK to the European Court of Justice (ECJ) to force it to do so.
"The Commission considers that UK law does not comply with EU rules on consent to interception and on enforcement by supervisory authorities," said a Commission statement. "The Commission considers that existing UK law governing the confidentiality of electronic communications is in breach of the UK's obligations under the ePrivacy Directive and the Data Protection Directive."
The Commission said that UK law failed to meet the requirements of EU directives in three respects.
"There is no independent national authority to supervise the interception of some communications, although the establishment of such authority is required under the ePrivacy and Data Protection Directives, in particular to hear complaints regarding interception of communications," said the Commission.
"Current UK law authorises interception of communications not only where the persons concerned have consented to interception but also when the person intercepting the communications has ‘reasonable grounds for believing’ that consent to do so has been given. These UK provisions do not comply with EU rules defining consent as 'freely given, specific and informed indication of a person’s wishes'," it said.
"Current UK law prohibiting and providing sanctions in case of unlawful interception are limited to ‘intentional’ interception only, whereas EU law requires Members States to prohibit and to ensure sanctions against any unlawful interception regardless of whether committed intentionally or not," said the Commission.
The Information Commissioner's Office enforces the Data Protection Act and said in a Home Office consultation last year that it believed there to be gaps in the way that UK citizens' privacy is protected.
"Where the private sector, either through their own provision of services, or through being placed under a legal obligation, are intercepting communications of services users, there are gaps in the regulatory regime," it said. "The only recourse for a private sector breach is prosecution for a criminal offence. This is different from the position that applies to the public sector. Arguably there is a need for an appropriately empowered regulator, who can provide advice and guidance and ultimately impose civil sanctions against private sector players."