European Commission raps U.K. over ad-targeting technology
Article 5.1 of the Directive 2002/58/EC (Directive on privacy and electronic communications) of the European Parliament
Member States shall ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation. In particular, they shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorized to do so in accordance with Article 15(1). This paragraph shall not prevent technical storage which is necessary for the conveyance of a communication without prejudice to the principle of confidentiality.
The United Kingdom is being accused of breaking European privacy rules in allowing the use of a British technology that targets ads at internet users based on their online behaviour.
The European Commission launched infringement proceedings against the U.K. Tuesday over concerns about how well confidentiality is being protected during the use of a technology developed by Phorm Inc.
"We have been following the Phorm case for some time and have concluded that there are problems in the way the U.K. has implemented parts of EU rules on the confidentiality of communication," said EU telecoms commissioner Viviane Reding in a statement.
Phorm, in partnership with internet service providers, uses a technique called deep-packet inspection to intercept and examine information as it passes through the internet. That information, such as what websites the user visited and what search terms they used, is then analyzed to deliver ads that the user is more likely to be interested in. Phorm says privacy protection is built into the technology so that:
- Internet users remain anonymous while their information is collected and analyzed.
- No information that could identify someone is stored by the company.
- Browsing behaviour is only stored when it matches pre-approved categories that do not include sensitive topics such as illegal activities.
Nevertheless, the European Commission said that since April 2008, it has received several questions from U.K. citizens and U.K. members of the European Parliament about Phorm. In response, the commission wrote several letters to U.K. authorities starting in July 2008 asking how they implemented EU privacy laws in the context of the Phorm case. Analysis of the answers pointed to "structural problems" in implementation of the rules, the European Commission said in a news release.
Specifically, the EU is concerned because U.K. allows interception of communications if:
- It is not considered "intentional."
- The interceptor has "reasonable grounds for believing" that it had consent to intercept the communications.
The EU sent a letter of notice about the proceeding to the U.K. Tuesday, and the U.K. has two months to reply. If the commission does not receive a satisfactory reply, it may issue a "reasoned opinion" about the case. If the country does not respond to the commission's satisfaction or is still considered in breach of the law after that, the case will be referred to the European Court of Justice.
Commission cracking down
Telecoms commissioner Reding said in an online video Tuesday that Europeans have the right to control their personal information and the commission will take action whenever member states fail to ensure that new technologies respect that right.
Phorm refers to its technology as "open internet exchange" and sells the technology in a package called Webwise that includes security and customization features. The company announced last week that it will launch its service sometime in the next year. It has already conducted tests with at least one British ISP.
The company drew fire after a memo leaked last spring showed British Telecom tested Phorm's technology on 30,000 BT subscribers without their consent and raised questions about the Phorm's claims about its privacy protection measures. BT has since conducted new, invitation-based trials. Two other British ISPs, Virgin Media Group and the Carphone Warehouse PLC (which owns the Talk Talk brand) have also signed agreements with Phorm.
Brooks Dodds, chief privacy officer for Phorm, has written an essay on his company's technology for a special website on deep-packet inspection launched by the Privacy Commissioner of Canada last month.