Republished: UK Government fails to respond to the EU about Phorm
Originally published on Benscomputer.no-ip.org 13 Aug 2008
Below is a copy of a letter the EU sent to the UK Government at the end of June. As reported on The Register, the Government has yet to respond. The letter was sent at the end of June, which means that the deadline has been missed. Apparently the Government would not comment on exactly why they had missed the deadline, and it's not entirely clear what happens next. Potentially our government could find itself having to defend its actions (or more to the point, lack of action) in Luxembourg.
Dear Sir,
I am writing to you in relation to certain issues arising from the past and future deployment by some major
United Kingdom Internet Service providers of the technology provided by a company called 'Phorm' to serve their
customers with targeted advertisements based on prior analysis of these customers' internet usage.
In March 2008, a number of news items appeared in the media concerning the planned use by United Kingdom ISPs of
the Phorm technology. Many of these publications raised issues concerning the impact of this technology on the
privacy of Internet users. The information published on the web also included an e-petition submitted to the
Prime Minister and a complaint made to the Information Commissioner's Office (ICO). In addition, in early April
2008, BT published a briefing according to which it had performed trials of the Phorm technology in autumn 2006
and summer 2007. In a TV interview, a BT representative confirmed that these trials had been performed without
informing the customers affected and obtaining their consent.
The European Commission has already been contacted by Members of the European Parliament from the United Kingdom
who communicated the concerns of their constituents regarding the deployment of Phorm technology. The issue has
also been the subject of several written parliamentary questions addressed to the Commission by MEPs asking the
Commission to comment on the applicability of EU legislation and also to set out its intended action in relation
to the previous trials. Finally, a number of individuals have also written to the Commission directly to express
their concerns and invite it to intervene in the matter.
In order to provide the response that is expected from it, the Commission needs to base itself on a clear
understanding of the position of the United Kingdom authorities. Several EU law provisions concerning privacy
and electronic communications may be applicable to other activities involved in the deployment of Phorm
technology by ISPs.
In particular, Directive 2002/58/EC on privacy and electronic communications, which particularises and
complements for the electronic communications sector the general personal data protection principles defined in
the directive 94/45/EC (Data Protection Directive), obliges Member States to ensure the confidentiality of
communications and related traffic through national legislation. They are required to prohibit listening,
tapping, storage or other kinds of interception or surveillance of communications and the related traffic data
by persons other than the users without their consent (Article 5(1)). The consent must be freely given, specific
and an informed indication of the user's wishes (Article 2(h) of Directive 95/46/EC). Traffic data may only be
processed for certain defined purposes and for a limited period. The subscriber must be informed about the
processing of traffic data and, depending on the purpose of processing, prior consent of the subscriber or user
must be obtained (Article 6 of Directive 2002/58/EC).
In the light of the above, we would highly appreciate it if the United Kingdom authorities could provide us with
information on (1) the current handling by the United Kingdom authorities of the issues arising from the past
trials of the Phorm technology by BT and on (2) the position of the United Kingdom authorities regarding the
planned deployment of the Phorm technology by ISPs.
As regards the first issue, according to applicable EU law the responsibility for investigating complaints
concerning such trials and determining whether the national legal provisions implementing the requirements of
the relevant EU legislation have been complied with lies with the competent national authority(-ies) in the
United Kingdom. The Information Commissioner's Office (ICO), which is responsible for enforcing the United
Kingdom Data Protection Act 1998 (DPA) and Privacy and Electronic Communications Regulations 2003 (PECR), has
made a number of statements on Phorm. In its latest published statement of 18 April 2008, the ICO analyses the
conformity of the deployment of the Phorm technology with the DPA and the PECR. At the same time, the ICO
indicates that it does not have responsibility for enforcing the Regulation of Investigatory Powers Act 2000
(RIPA), which has been invoked by some individuals who question whether the use of Phorm entails an unlawful
interception of communications under this Regulation. In this respect, the ICO refers to a statement by the Home
Office, which says that it is questionable whether the use of Phorm's technology involves an interception within
the meaning of RIPA and that it does not consider that RIPA was intended to cover such situations. The ICO
concludes on the issue of RIPA by stating that it will not be pursuing this matter. At the same time, the ICO
statement does not include any indication as regards the intentions of the ICO in relation to the investigation
of possible breaches of other relevant legal provisions* in the past trials of the Phorm technology.
Second, as regards the issues arising with regard to the planned future deployment of the Phorm technology,
there appears to be a certain discrepancy between how it is envisaged by the ICO, the ISPs and Phorm itself. One
of the most significant issues in this regard is the way in which customers will express their consent to the
application of Phorm technology in their case. While the ICO seems to suggest that the consent of users for the
Phorm technology should be on an opt-in basis and also BT seems to confirm this approach, Phorm has indicated
that it intends to tackle user consent through providing 'transparent meaningful user notice'.
I would therefore be grateful to receive the response of the United Kingdom authorities on the following
questions:
1. What are the United Kingdom laws and other legal acts which govern activities falling within the scope of
Articles 5(1) and 6 of Directive 2002/58/EC on privacy and electronic communications and Articles 6, 7 and 17(1)
of Directive 95/46/EC?
2. Which United Kingdom authority(-ies) is (are) competent (i) to investigate whether there have been any
breaches of the national law transposing each of the above-mentioned provisions of Community law arising from
the past trials of Phorm technology carried out by BT and (ii) to impose any penalties for infringement of those
provisions where appropriate?
3. Have there been any investigations about the past trials of Phorm technology by BT and what were their
results and the conclusions of the competent authority(-ies)? Are there ongoing investigations about possible
similar activities by other ISPs?
4. What remedies, liability and sanctions are provided for by United Kingdom law in accordance with Article
15(2) of the Directive on privacy and electronic communications, which may be sought by users affected by the
past trials of the Phorm technology and may be imposed by the competent United Kingdom authority(-ies) including
the courts?
5. According to the information available to the United Kingdom authorities, what exactly will be the
methodology followed by the ISPs in order to obtain their customers' consent for the deployment of Phorm
technology in accordance with the relevant legal requirements and what is the United Kingdom authorities'
assessment of this methodology?
Given the urgency of this matter I would highly appreciate receiving your reply within one month of receipt of
this letter.
Yours sincerely,
Fabio Colasanti