Following public concern over the use of Phorm, Inc.'s behavioural
advertising technology by UK Internet Service Providers (ISPs), the
European Commission has issued proceedings to address what it
perceives as structural problems in the UK's implementation of
European privacy Directives. In particular, the Commission
considers that the absence of active user consent may be
insufficient to ensure the confidentiality of electronic
communications. This is likely to raise concerns among ISPs and
website owners that want to take advantage of Phorm's Webwise
technology, and may force them to re-visit their proposed consent
mechanisms.
Phorm's controversial "Webwise" product
Webwise, the brand name of a behavioural advertising system
developed by Phorm, has recently raised concerns at the Commission,
due to its potential to allow internet use to be monitored. Webwise
works by tapping into a user's ISP network to assess their online
activity. More specifically, it identifies a user's webpage
choices, and search engine searches, by inspecting the HTTP cookies
stored on their browser. The information obtained can then be made
available to enable advertisers to target their advertisements to
the user according to the user's recent online activity.
While Phorm has already announced its discussions for the use of
this online marketing tool with several UK ISPs, the fact that such
monitoring appears to be lawful in the UK has caused the Commission
to question the UK's compliance with its obligations under Article
5(1) of the Privacy and Electronic Communications Directive
(2002/58/EC) (the Privacy Directive).
__________________________________________________
The Privacy Directive
Article 5(1) of the Privacy Directive obliges EU Member States to
prohibit, by way of adequate domestic legislation, any interception
or surveillance (which may encompass Webwise's monitoring of
cookies) of any electronic communication (including those between a
user's browser and their ISP), without the user's consent.
For these purposes, the EU Data Protection Directive (Directive
95/46/EC) (the Data Protection Directive) requires that consent
must be freely given, specific and informed and that a user's
browsing habits must not be observed without their active
agreement.
__________________________________________________
The Commission views UK law as inadequate
The Commission had commenced infringement proceedings against the
UK on the basis that the UK's Privacy and Electronic Communications
(EC Directive) Regulations 2003 (the PECR) do not implement
Article 5(1) of the Privacy Directive in two principal respects:
- they do not properly prohibit the unlawful surveillance of
communications; and
- they lack a sufficient definition of "consent".
The Commission is also concerned that the PECR do not authorise an
independent supervising authority to regulate the interception of
electronic communications and that they make no provision for the
interception of electronic communications.
The Department for Business, Enterprise and Regulatory Reform
(BERR) is coordinating the Government's response to the Commission
which, if unsatisfactory, could lead to heavy fines from the
European Court of Justice.
Amid public concern, some companies, such as Amazon.com and the
Wikipedia Foundation, have already requested that their websites be
exempt from scans by the Webwise system.
The extent of UK law: a question of consent
While the PECR successfully implement into UK law some aspects of
the Privacy Directive in relation to the use of cookies, they are
likely to fall short of the "consent" requirement under the
Directive, which requires a user's active approval.
The Regulation of Investigatory Powers Act 2000 (RIPA), the UK's
"wire-tap" law, goes some way in attempting to fill the gap left by
the PECR in terms of the consent requirements under Article 5(1) of
the Privacy Directive. However, the use of Webwise has highlighted
that neither the PECR nor RIPA (or any other UK legislation) imposes
an obligation on a person undertaking surveillance of electronic
communications (in this case, Phorm) to obtain active consent from
the person whose communications are under surveillance (which
would, of course, rather defeat the object in the case of RIPA!).
The Information Commissioner took the view that Phorm could operate
Webwise in a way which is in compliance with the Data Protection
Act 1998 and PECR but only if it operated on an opt-in basis (i.e.
with "consent", as defined in the Data Protection Directive).
Any future for Phorm?
Phorm is facing an uphill battle in overcoming challenges to
Webwise. For now, they will have to wait and see if the UK
Government's response to the Commission's allegation persuades the
latter that UK law is sufficient. Otherwise, the Commission may
undertake legal action to force the UK to revise its legislation in
line with European law.
Those ISPs and website owners wishing to take advantage of the
Webwise technology will be following the Commission's decision with
interest. While we cannot second-guess this, it is likely that any
consent obtained by both the users and websites that intend to use
the Webwise technology will need to be given proactively, on an
opt-in basis, and will need to be clearly visible, rather than
embedded in the websites' standard terms and conditions.
Please click on the links below for the other articles in
the July 2009 IP/IT newsletter
Contacts
Mark Lubbock
T: +44 (0)20 7638 1111
E: mark.lubbock@ashurst.com
Ian Starr
T: +44 (0)20 7638 1111
E: ian.starr@ashurst.com
This newsletter is not intended to be a comprehensive review of
all developments in the law and practice, or to cover all aspects
of those referred to. Readers should take legal advice before
applying the information contained in this publication to specific
issues or transactions.