EC threatens UK with legal action over online privacy

The European Commission is threatening to take the UK to court over its failure to protect consumers' online privacy.

The Home Office said in response: "We are firmly committed to protecting users' privacy and data. We are considering the commission's letter and will respond in due course."


The exchange of letters is a sequel to earlier disquiet at the commission over the UK's tolerance of deep packet inspection technology sold by behavioural marketing technology supplier Phorm.

The European Commission said the UK implementation of EU rules on online data protection fell down in three ways.

There was no independent national authority to supervise interception of communications, in particular to hear complaints regarding interception of communications, as required.

The current UK law (the Regulation of Investigatory Powers Act 2000 or RIPA) authorises interception of messages where the interceptor has reasonable grounds for believing the person has opted in to have his or her messages intercepted. EU rules required consent to be freely given, specific and informed, the commission said in a statement.

RIPA prohibits and provides sanctions against unlawful, intentional interception only. EU law calls for sanctions against any unlawful interception, intentional or not.

BT ran secret tests on its internet subscribers using Phorm's technology. When the tests were exposed it created a controversy. BT, Virgin Media and others who were considering using Phorm's technology subsequently ditched their plans.

Targeting advertising based on a user's online behaviour has attracted controversy around the world. It is the basis for Google's AdWords and similar advertisement-serving technology.

The US Federal Trade Commission has issued guidelines on the issue, as has the UK Internet Advertising Bureau (IAB). Those complying with the IAB's guidelines include AOL, Google, Microsoft/MSN and Yahoo, while those signed up to support the IAB's principles include Phorm and 24/7 Real Media.

Nick Stringer, head of regulatory affairs at the IAB, said consumer information should be clear and explicit about how to deal with served advertising, show how to switch it off, and how to opt out of receiving it.

The IAB has set up a dedicated website where consumers can opt out of receiving advertisements.

Consumers who want to opt out of receiving targeted advertising can also go to the Network Advertising Initiative (NAI) where they can delete scores of tracker cookies (small programs that tell the advertiser where you go online) at a single click.

This may give temporary relief from unwanted advertising. Companies that build internet routers and switches are building deep packet inspection tools into the hardware of next generation equipment.

This will make it easier for internet service providers to see what content their servers carry, and who sends and receives it. They could then sell this information to advertisers or give it to law enforcement officials when they detect unlawful content or suspicious users.
