Remember when the European Commission threatened the UK with legal action over its online privacy and data protection laws in April? The EC is back to remind us that action is still on-going and warn the UK government that it could have to defend itself in court if it doesn’t respond to the commission’s criticisms within two months. Release.
The EC disagreed with the Home Office’s decision to pass technology developed by on-net behavioural targeting ad company Phorm as legal and called for an overhaul of UK rules on privacy. This hasn’t happened, so the commission will now send the government a “reasoned opinion” on the situation. That doesn’t sound too bad, but it’s one step before taking the UK to the European Court of Justice which would force a rule change.
Media commissioner Viviane Reding isn’t kidding — she says in the EC’s statement: “People’s privacy and the integrity of their personal data in the digital world is not only an important matter, it is a fundamental right, protected by European law,” she says. “I therefore call on the UK authorities to change their national laws to ensure that British citizens fully benefit from the safeguards set out in EU law concerning confidentiality of electronic communications.” The commission doesn’t name Phorm but confirms that the original action was launched after UK citizens’ “complaints about the use of behavioural advertising by internet service providers”.
If the government wants to avoid a day in court, Reding has set out three problems it must solve:
— The UK doesn’t have an independent national body to “supervise interception of communications” and deal with privacy/data complaints, although this is required as part of the EU-wide ePrivacy and Data Protection Directives.
— The Regulation of Investigatory Powers Act 2000 (RIPA) doesn’t comply with EU law because it allows communications to be intercepted when the person doing the phone tapping or web snooping only has “reasonable grounds for believing” that they have legal permission or personal consent to do it.
— RIPA only covers “intentional” interceptions, but the EU statutes say member states must legislate on unintentional breaches too.