Privacy & Information Security Law Blog

Following numerous complaints about the use of behavioral advertising technology by internet service providers, the European Commission (the “Commission”) launched infringement proceedings against the United Kingdom for an alleged failure to keep people’s online details confidential. The EU Telecoms Commissioner, Viviane Reding, has called upon the UK to change its national laws to ensure the confidentiality of communications by prohibiting interception and surveillance without the user's consent. If the UK does not comply, the Commission can issue a final warning before taking the UK to the European Court of Justice.

Legal Background
In the UK, those who collect and use data through behavioral advertising technology must comply with the Data Protection Act 1998 (as amended) (the “DPA”), as well as the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the “Privacy Regulations”). In addition, any organization which chooses to “monitor” or “intercept” online communications must also comply with the Regulation of Investigatory Powers Act 2000 (“RIPA”) and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (the “LBP Regulations”).

These legislative instruments implemented various EU Directives in the UK. Under Article 226 of the EC Treaty, the European Commission is responsible for ensuring that European Community law is correctly enacted into the local laws of individual Member States. If a Member State fails to comply with European Community law, the European Commission can bring infringement proceedings, and may ultimately refer the case to the European Court of Justice (the “ECJ”). Here, the European Commission has commenced infringement proceedings by issuing a formal notice to the UK. The UK has two months to respond or to comply voluntarily by amending the relevant legislation.

Phorm’s Advertising Tracker System
The debate began with the introduction of Phorm Inc.’s advertising tracker system which allows the company to track the identity and web habits of individual computers by tracing their unique Internet Protocol addresses.

Earlier this week a document was published on “Wikileaks” revealing that British Telecom (one of the UK’s leading telephone operators) had commenced a trial of Phorm’s system in 2006. British Telecom acknowledged in April 2008 that it had used Phorm without customer consent in 2006 and in 2007. The UK’s data protection authority, the Information Commissioner’s Office (the “ICO”), investigated British Telecom’s trial of the Phorm system.

In April 2008, the ICO published a response to the concerns voiced about the use of Phorm. Following several complaints from individuals and privacy experts, the ICO forced Phorm to require its customers to “opt-in” rather than “opt-out” of its use. In response to this, British Telecom reassured the ICO that its trial of Phorm did not permit customers’ web browsing activities to be monitored unless customers positively opted-in to participate. British Telecom also confirmed that its use of Phorm does not store personally identifiable information, URLs or IP addresses or retain browsing histories and that search information is deleted almost immediately and is not retrievable. This is also stated on Phorm’s website.

In practical terms, it appears that personal data is collected by Phorm but is subsequently anonymized.

Behavioral advertising technology is beneficial for both users and businesses as users discover more of what interests them and businesses find a more cost-effective way to communicate with users. Effective online advertising helps to create low barriers to online market entry which in turn facilitates competition and innovation.

Legal Implications
If the European Commission finds that the UK has not correctly implemented legislation which governs behavioral advertising technology, the UK will potentially need to amend the DPA, the Privacy Regulations and RIPA. In addition, the European Commission may insist that more effective sanctions be included in the UK legislation. Such amendments would undoubtedly result in significant changes in practices for UK online businesses, employers and social networking sites. Monitoring and interception practices will be restricted and “implied consent” may not be sufficient. The use of opt-in consent, currently required for direct marketing activities throughout Europe, may also be required as a precondition to the use of cookies, web beacons and user tracking systems which currently only require opt-out consent.

Hunton & Williams will provide updates, on this blog, of the status of these infringement proceedings and consider the potential implications, in particular, for retailers and social networking sites going forward.