Cookies on Pinsent Masons website

This website uses cookies to allow us to see how the site is used. The cookies cannot identify you. If you continue to use this site we will assume that you are happy with this

If you want to use the sites without cookies or would like to know more, you can do that here.

UK's privacy laws illegally inadequate, says Europe

UK laws protecting the privacy of people's communications are inadequate, the European Commission has said. The Commission has launched a legal case against the UK over its implementation of European Union Directives.14 Apr 2009

The Commission's investigation was sparked by outrage over trials by BT of a system which monitors web use and tries to match advertising to people's perceived interests. The trials were done without BT customers' knowledge or permission.

The Commission has investigated complaints made to it and to police and has found the UK's laws inadequate in protecting the privacy of communications.

"The Commission has concerns that there are structural problems in the way the UK has implemented EU rules ensuring the confidentiality of communications," said a Commission statement.

BT used technology made and promoted by Phorm to track users' online activity. It has since run trials in which it did ask users' permission. The Commission said that BT's trials have been the subject of complaints to privacy regulator the Information Commissioner's Office (ICO) and to police.

The Commission believes that UK laws do not properly implement two Directives aimed at protecting privacy, the Privacy and Electronic Communications Directive and the Data Protection Directive.

The Privacy and Electronic Communications Directive outlaws interception and surveillance of communication without either the user's permission or a legalising process, such as a warrant. The Data Protection Directive sets out rules for how personal data should be collected and used, requiring the permission or in some cases just the informing of a person, depending what data is collected and why.

The Commission said that the laws stemming from these Directives do not properly cover all interceptions, that their definitions of 'consent' are inadequate, and that the lack of an independent supervising authority for interception is a worry.

"Under UK law, which is enforced by the UK police, it is an offence to unlawfully intercept communications," said the Commission statement. "However, the scope of this offence is limited to ‘intentional’ interception only. Moreover, according to this law, interception is also considered to be lawful when the interceptor has ‘reasonable grounds for believing’ that consent to interception has been given."

The Commission has begun proceedings against the UK for its alleged inadequate protection of telecoms users' privacy.

"Technologies like internet behavioural advertising can be useful for businesses and consumers but they must be used in a way that complies with EU rules," said EU Telecoms Commissioner Viviane Reding. “These rules are there to protect the privacy of citizens and must be rigorously enforced by all Member States."

"We have been following the Phorm case for some time and have concluded that there are problems in the way the UK has implemented parts of EU rules on the confidentiality of communications," said Reding. "I call on the UK authorities to change their national laws and ensure that national authorities are duly empowered and have proper sanctions at their disposal to enforce EU legislation on the confidentiality of communications."

The Commission's actions come after it had quizzed UK authorities about the action they took in the wake of complaints about Phorm's technology. It said that once it had analysed UK authorities' responses it realised there were "structural problems" in the way the UK has implemented the EU laws.

Reding said that law changes were necessary. "This should allow the UK to respond more vigorously to new challenges to ePrivacy and personal data protection such as those that have arisen in the Phorm case. It should also help reassure UK consumers about their privacy and data protection while surfing the internet," she said.

The UK has two months in which to issue a response to the claims. If it does not respond at all to the process the Commission can take the case to the European Court of Justice (ECJ).