The European Commission began legal action against the U.K. Tuesday over its failure to protect Internet users from Phorm — a covert behavioral advertising technology tested by the U.K.’s biggest fixed line operator, BT, in 2006 and 2007.
The move signals growing concern in Brussels over the way new Internet-based technologies are using people’s personal data. In addition to taking legal action against the U.K., the Commission also issued a general warning to all 27 E.U. countries to uphold privacy laws, especially regarding social-networking Web sites and users of RFID (radio frequency identification) technologies.
The Commission, the executive body of the European Union responsible for upholding laws, said the U.K. had failed to enforce E.U. data protection and privacy rules, because broadband Internet subscribers were not informed that their browsing was being tracked.
“We have been following the Phorm case for some time and have concluded that there are problems in the way the U.K. has implemented parts of E.U. rules on the confidentiality of communications,” said Viviane Reding, the E.U.’s telecom commissioner.
She called on the U.K. to change its national laws and ensure that its national privacy authority is given greater powers to tackle privacy threats from emerging technologies. “This should allow the U.K. to respond more vigorously to new challenges to eprivacy and personal data protection such as those that have arisen in the Phorm case. It should also help reassure U.K. consumers about their privacy and data protection while surfing the Internet,” Reding said.
In a video blog posted Tuesday, Reding said E.U. rules are adequate to deal with new technologies, but that they are not always being properly enforced at national level.
“Technologies like Internet behavioral advertising can be useful for businesses and consumers but they must be used in a way that complies with E.U. rules,” Reding said.
“European privacy rules are crystal clear: a person’s information can only be used with their prior consent. We cannot give up this basic principle, and have all our exchanges monitored, surveyed and stored in exchange for a promise of ‘more relevant’ advertising. I will not shy away from taking action where an E.U. country falls short of this duty,” said Reding in her video message.
She also called on social-networking companies to reinforce privacy protection online.
In February the Commission brokered an agreement between 17 major social-networking sites to improve privacy, especially of minors. The companies promised to ensure child safety and committed to enabling and encouraging users to employ a safe approach to personal information and privacy.
Later this month the companies will inform the Commission about their individual safety policies and how they will implement the agreement’s principles.
Reding also singled out RFID technology as a potential area for concern. The smart chips integrated in products would only realize their economic potential “if they are used by the consumer and not on the consumer,” Reding said. “No European should carry a chip in one of their possessions without being informed precisely what they are used for, with the choice to remove or switch it off at any time,” she said.
In April last year BT admitted that it had tested Phorm in 2006 and 2007 without informing customers involved in the trial.
BT carried out a new trial of the technology from October to December in 2008 but this time it did seek prior consent from subscribers. BT’s trials resulted in a number of complaints to the U.K. data protection authority — the Information Commissioner’s Office and to the U.K. police, as well as to the Commission.
The U.K. government has two months to respond to the letter of formal notice sent Tuesday. Failure to do so, or failure to address the problems highlighted in the letter will force the Commission to issue a so-called reasoned opinion, the final step before taking the U.K. government to the European Court of Justice, the E.U.’s highest legal authority.