EC Steps Up Legal Action Over Privacy, Personal Data Protection in U.K.
October 30, 2009 // Published as a news service by IHS
The European Commission (EC) announced on Oct. 29 it moved to the second phase of an infringement proceeding against the United Kingdom over the U.K.'s failure to provide its citizens with the full protection of European Union (EU) rules on privacy and personal data protection when using electronic communications.
European laws state that EU countries must ensure the confidentiality of people's electronic communications, such as email or Internet browsing, by prohibiting their unlawful interception and surveillance without the user's consent.
The EC maintains these rules have not been fully put in place into U.K. national law and therefore the EC will send the U.K. a reasoned opinion.
Specifically, the EC said the U.K. is failing to comply with EU rules protecting the confidentiality of electronic communications, as provided for in Directive 2002/58/EC on privacy and electronic communication and Directive 95/46/EC on personal data protection.
The EC's action follows a thorough analysis of the response by U.K. authorities to the EC's letter of formal notice - the first phase in an infringement proceeding - sent to them on April 14 (see IP/09/570).
The EC launched this first legal action following its inquiry into the response given by the U.K. authorities to citizen complaints about the use of behavioral advertising by Internet service providers.
The EC identified the following three specific gaps in existing U.K. rules governing the confidentiality of electronic communications:
- There is no independent national authority to supervise interception of communications, although the establishment of such authority is required under the privacy and personal data protection directives, in particular to hear complaints regarding interception of communications.
- The current U.K. law - the Regulation of Investigatory Powers Act 2000 (RIPA) - authorizes interception of communications not only where the person concerned has consented to interception, but also when the person intercepting the communications has 'reasonable grounds for believing' that consent to do so has been given. These U.K. law provisions do not comply with EU rules defining consent as a freely given, specific and informed indication of a person's wishes.
- The RIPA provisions prohibiting and providing sanctions in case of unlawful interception are limited to 'intentional' interception only, whereas the EU law requires member states to prohibit and to ensure sanctions against any unlawful interception, regardless of whether committed intentionally or not.
"People's privacy and the integrity of their personal data in the digital world is not only an important matter, it is a fundamental right, protected by European law," said EC Telecoms Commissioner Viviane Reding. "That is why the Commission is vigilant in ensuring that EU rules and rights are put in place."
"Ensuring digital privacy is a key for building trust in the Internet. I therefore call on the U.K. authorities to change their national laws to ensure that British citizens fully benefit from the safeguards set out in EU law concerning confidentiality of electronic communications."
The U.K. has two months to reply to this second stage of the infringement proceeding. If the EC receives no reply, or if the response presented by the U.K. is not satisfactory, the EC may refer the case to the European Court of Justice.
Background
The EU directive on privacy and electronic communications requires EU member states to ensure confidentiality of communications and related traffic data by prohibiting unlawful interception and surveillance unless the users concerned have consented to this (Article 5(1) of Directive 2002/58/EC).
The EU directive on personal data protection specifies that user consent must be 'freely given, specific and informed' (Article 2(h) of Directive 95/46/EC). Moreover, Article 24 of that directive requires member states to establish appropriate sanctions in case of infringements, and Article 28 says that independent authorities must be charged with supervising implementation. These provisions of the directive also apply in the area of confidentiality of communications.
For more information, see the EC's web page on eCommunications Infringement Procedures.
Source: European Commission (EC).