The Adequacy Standard

The key purpose of the Directive was to harmonize EU Member States’ laws, so that each Member State could transfer data to other Member States, while still safeguarding the fundamental rights and freedoms of their citizens.  If data controllers in one State transferred data to a third country that failed to protect personal data, the State’s protection of personal data would be lost once the Member State transferred the data to the third country.

Article 25 of the Directive prohibits Member States from transferring data to a third country, unless the third country ensures an adequate level of protection. Article 26 of the Directive outlines exceptions to the requirement that a third country have adequate protection in third countries.

For example, if the laws of a third country (e.g. Canada) fails to provide adequate protection of personal data, then a data controller located in a Member State would be prohibited from transferring personal data to Canada, unless an exception happened to apply. Without this exception, a transfer of data could lead to a data or information embargo.

Data Embargos

A data or information embargo would result in serious consequences on both Member State and third country. The Member State government may be prohibited from sending information to the third country regarding individuals in that country.

For instance, a Member State might prevent a private bank in the Member State from transferring information about its customers to Canadian financial institutions. Or perhaps a Member State might prohibit a European employer from sending information about its employees to its Canadian subsidiaries.

Article 26 outlines a number of exceptions to any such data embargo. Specifically, even if a sector or activity is found to lack adequate private protection, the Directive would still permit the transfer of personal data out of the EU if:

• The party desiring to send the data has entered into a contract approved by the privacy office in the EU member country (thus committing the party to providing certain protections)
• The individual has unambiguously consented to the data transfer
• The transfer is necessary to complete a transaction
• The data are otherwise public

It’s worth mentioning that the American credit reporting industry’s privacy protections should certainly satisfy the EU Data Protection Directive. The US Federal Credit Reporting Act (FCRA) includes the types of protections that EU Member States have incorporated into their laws, namely notice to consumers and the opportunity for them to correct any incorrect or inaccurate information in their files.

Working Party

Article 29 of the Directive establishes that a Working Party will advise the Commission on data protection matters, as well as contribute to the uniform application of the national data protection measures. Essentially, the Working Party is an independent advisory group, composed of a representative from each Member State’s supervisory authority, a representative of the Community and a representative of the Commission.

The responsibilities of the Working Party include examination of Member States’ data protection laws, as well as consulting with the Commission on the level of protection available in Member States and third countries.

Adequacy and US Data Protection

The United States’ sectoral approach to data protection is derived from the American philosophy that laws should ensure citizens’ access to government, while still protecting them from government. While this enables the US to extensively regulate its public sector, it generally prevents the federal government from limiting interactions between private citizens. As a result, the US commitment to the free flow of information also favors a narrow regulatory approach to data protection.

Essentially, whether the Directive prohibits certain data transfers to the US largely depends upon what constitutes an adequate level of protection. The Directive requires a standard of adequacy that should be assessed in light of all the circumstances surrounding the transfer, yet fails to elaborate about this standard. Earlier data protection measures require a standard of equivalency, rather than adequacy.

For instance, the OECD Guidelines, as well as the COE Convention do not define or use an adequacy standard for data transfers to third countries. In the same vein, the traditional legislation of most European countries establishes a standard of equivalency, rather than adequacy.

However, since the October 2008 enactment of the European Commission’s Directive on Data protection, the Safe Harbor framework has been developed which bridges the gap between some US privacy laws and the EC’s adequacy requirements.

Summary

This article takes a look at the European Commission’s Directive on Data Protection (95/46/EC), and the establishment of the adequacy requirement, which prevents Member States from transferring data to a third country, unless the third country ensures an adequate level of protection. The Directive also explores certain related concepts, including the Working Party and data/information embargoes. Finally, the article takes a look at the US data protection approach and its ability to meet the EC’s adequacy standard.

CIPP Exam Preparation

In preparation for the Certified Foundation Examination (Foundations), a privacy professional should be comfortable with topics related to this post, including:

• EU Data Protection Directive – Adequacy (I.C.c.i.4.a.)

Safe Harbor in a nutshell
During October 1998, the European Commission’s Directive on Data Protection was enacted, prohibiting the transfer of personal data from European Union (EU) member states to non-EU nations that did not meet the privacy protection standard. In order to facilitate the transfer of information between EU-based organizations and US-based organizations, the Safe Harbor framework was developed.

US-based organizations may qualify for Safe Harbor statues in two different ways. They may join self-regulatory privacy programs following the requirements of Safe Harbor. Alternatively, they may choose to develop organization-specific self-regulatory privacy policies, in line with the requirements of Safe Harbor.

What is CARU?
In 1974, the Children’s Advertising Review Unit (CARU) was created in order to promote responsible advertising to children. CARU was developed as a component of a strategic alliance amongst the major US advertising trade associations, including the American Association of Advertising Agencies (AAAA), American Advertising Federation (AAF), Association of National Advertisers (ANA) and the Council of Better Business Bureaus (CBBB).

CARU is in charge of children’s advertising issues within the advertising industry’s self-regulation program. It assesses the truthfulness, accuracy and consistency of child-directed advertising and assists advertisers in dealing with child audiences responsibly. CARU does so by advancing compliance with its Self-Regulatory Guidelines for Children’s Advertising, the Children’s Online Privacy Protection Act of 2000 (COPPA) and other relevant laws.

The CARU Safe Harbor Program
As of January 2001, the CARU self-regulatory program was approved as Safe Harbor-compliant, under the Children’s Online Privacy Protection Act (COPPA). It was also the first such program to the FTC-approved. Organizations that comply with CARU Guidelines are also in compliance with the COPPA, thus insulated from FTC enforcement action.

Compliance with CARU’s Safe Harbor Program is dependent on the following elements:
• Adhering to the requirements in the CARU Safe Harbor Compliance Checklist
• Compliance with the CARU Self-Regulatory Guidelines for Children’s Advertising
• Review by CARU staff of the web site’s information practices; completion of Initial Website Review & Seeding form
• Continuous monitoring of web site by CARU staff to ensure compliance with the Safe Harbor framework
• Completion of CARU Self-Assessment Form and Attestation by Safe Harbor participant

CARU Safe Harbor Compliance Checklist
This checklist makes up a critical component of the Safe Harbor compliance, as discussed above. The checklist includes the Safe Harbor principles and is specific to web sites advertising to child audiences. The following elements are on the CARU Safe Harbor Compliance Checklist:
1. Provide notice
2. Obtain verifiable parental consent
3. Limit collection, use and disclosure of personal information collected from children
4. Provide access upon verification of parental identity
5. Maintain reasonable security

The elements of the checklist are explored in greater detail below:

1. Provide Notice
In accordance with the Safe Harbor principles, privacy notices should be clearly written and easily understandable. They should not contain irrelevant, confusing or contradictory statements. There are two different types of notices that are required of CARU Safe Harbor participants: a Notice of Information Practices and a Direct Notice to Parents.

The Notice of Information Practices is also referred to as the “Web Site Notice,” or “Children’s Privacy Policy.” Such a notice requires a prominent link on the site’s home page and in each area where personal information is collected from children. This notice must state all of the following information:
• Name, address, phone number and email of the operators responsible for the collection and maintenance of personal information collected from children through the site.
• Types of personal information that is collected from children.
• Identification of the means of collection of the information (i.e. directly or passively).
• How the personal information is being used, or will be used.
• If the personal information will be disclosed to third parties. If this is being done, then the notice must state the types of businesses in which third parties are engaged; the purpose of such personal information; and if the third parties are committed to maintaining the security and confidentiality of the information collected.
• An option for the parent to agree to the collection and use of the child’s information, that is not dependent on consent for disclosing information to third parties.
• The child cannot be required to disclose more information than reasonable necessary to participate in the web site activities.
• The parent has the right to review the child’s personal information, request that it be deleted, and prevent any further collection or use of the personal information.
• Procedures for the parent to review or delete their child’s personal information and prevent ongoing use or disclosure.

The Direct Notice to Parents must include the following information:
• The same information stated in the Notice of Information Practices (as listed above).
• The web site operator wishes to collect personal information from the child.
• Request for the parent’s consent to collect this personal information. This consent is required for the collection, use and disclosure of personal information.
• Methods for providing parental consent.

2. Obtain Verifiable Parental Consent
Web site operators are obliged to obtain verifiable parental consent before the collection, use or disclosure of children’s personal information. Such consent may be obtained in the following ways:
• When personal information is being collected for internal use only. In this case, email may be used to obtain parental consent. This also requires the additional steps of a follow-up email, letter or phone call to verify the consent. This method was used prior to April 21, 2002.
• When personal information is being made publicly available, such as in a chat room, message board, personal home page, profile, or email account. OR, when personal information is being disclosed to third parties.

In such cases, website operators are obliged to employ a more reliable means of securing parental consent. This may include: (a) A form with a parent’s signature through postal mail or fax; (b) A credit card number in connection with a transaction; (c) A toll-free phone number managed by trained personnel; (d) Email consent in conjunction with a digital signature from a parent; (e) Email consent in conjunction with a PIN or password; (f) Consent through a CARU-approved method. After April 21, 2002, only these methods were acceptable for securing parental consent.

3. Limit Collection, Use and Disclosure of Personal Information Collected from Children
Web site operators are prohibited from conditional a child’s participate on the basis of disclosing more personal information than is reasonably necessary to participate. The collection of personal information from a child ought to be limited to that which is reasonable for participation. For instance, a web site operator cannot offer a prize for greater disclosure of personal information. Parents should also be given the option to consent to the collection and use of their children’s personal information. They should also be permitted to prevent disclosure of such information to third party affiliates.

4. Provide Access upon Verification of Parental Identity
Upon parental request, web site operators are obliged to disclose both the type of information collected from children and the specific information that has been collected. Parents are permitted, at any time, to refuse further use or future collection of personal information from their child. They can also ensure the deletion of their child’s personal information. However, before this happens, operators must verify the identity of the parent in the same methods used for securing parental consent (i.e. those listed in “2. Obtain Verifiable Parental Consent”).

5. Maintain Reasonable Security
Web site operators are obliged to create and implement reasonable mechanisms for protecting the confidentiality, security and integrity of children’s personal information. Examples of such mechanisms include:
• Appropriately destroying unnecessary personal information.
• Limiting employee access to personal information.
• Ensuring physical security of servers.
• Encrypting data during transmission.
• Using firewalls.

Summary
This article looks at the EU-US Safe Harbor framework in light of the CARU Safe Harbor Program, which aims to protect children’s online privacy and meet the requirements of the COPPA (Children’s Online Privacy Protection Act). The CARU program is partially based on the Safe Harbor Compliance Checklist. This checklist is made of the following five elements: (1) Provide Notice; (2) Obtain Verifiable Parental Consent; (3) Limit Collection, Use and Disclosure of Personal Information Collected from Children; (4) Provide Access upon Verification of Parental Identity; and (5) Maintain Reasonable Security.

CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional (CIPP) exam; the Certified Information Privacy Professional/Canada (CIPP/C) exam; the Certification Foundation (Foundations) exam; and the Certified Information Privacy Professional/Government (CIPP/G) exam, a privacy professional should be comfortable with topics related to this post, including:
• E.U. Data Protection Directive (95/46/EC) (Foundations: I.D.a.ii.2.)
• E.U. Data Protection Directive – Safe Harbor Status (CIPP/C; II.A.b.iii.)
• International Data Transfers (CIPP; II.C.e.)
• Multinational Compliance – E.U. Data Protection (CIPP; II.C.f.)
• Regulatory Authorities – U.S. Department of Commerce (CIPP; I.A.c.iii.)
• Children’s Online Privacy Protection Act of 2000; COPPA (CIPP/G; I.B.a.ii.)

A website operator must be concerned with COPPA compliance if:

• The website targets children under the age of 13 through its subject matter, audio/visual content, advertising or use of other child-oriented features.
• The website targets a general audience but has a separate child oriented section.
• The website targets a general audience and children under the age of 13 are known to access the site.
• The website is maintained outside the U.S. but targets children under the age of 13 in the U.S.
• The website is operated by the Federal Government. Under the Office of Management and Budget, the U.S. Federal Government is required to comply with COPPA on all of its websites targeting children

COPPA Compliance

COPPA primarily uses the fair information practice principles of Notice and Consent to protect children’s information.

In order to comply with COPPA, a website operator must:

1.  Provide parents with information about the website’s information collection and privacy practices. A privacy policy must be placed on the home page and on every page where data is collected in order to ensure adequate notice

2.  Obtain verifiable parental consent prior to collecting personal information

3.  Provide parents with a mechanism to access the information on record for their child and the ability to change consent options for future or third party use and disclosure

4.  Participation on the website may not be limited by requiring the collection of information that is not reasonably necessary

A COPPA compliant privacy notice must include:

1. Legitimate contact information for the website operator/data owner
2. The type of information that is collected
3. How the information will be use
4. Notice of any third party disclosure

Verifiable Parental Consent:

Depending on the information that is being collected and its intended use, different levels of parental consent must be obtained.

Prior parental consent is not required to collect a child’s name and email address only if:

• The information is obtained in order to provide notice to the parent or obtain parental consent
• The information is collected to respond once to a specific inquiry by the child and not used for further communications
• The information is used to ensure the safety of a child and is not used for any other purposes
• The information is used to protect the security of the website, protect against liability, participate in a law enforcement investigation or any other matters relating to public safety

In all cases, parental consent should be obtained shortly after the information is collected. If parental consent cannot be obtained, the information may not be used for purposes other than those outlined above and the information must be deleted (with exceptions for ensuring the safety of the child)

Parental Consent for Public Disclosure

If the website publicly links a child’s name or email address with their screen name in chat rooms, message boards, personal home pages, pen pal services or other similar social networking features they must obtain verifiable parental consent of public disclosure. This also applies to site which may disclose personal information to third parties for secondary uses and marketing purposes.

Consent options include:

• A printable form that can be signed then mailed or faxed back to the website operator
• Obtain a parent’s credit card information in connection with a transaction which may include subscription fees, purchases or a credit card processing fee.
• Provide a toll free line staffed by professionals to which parents may call and provide verbal consent
• Obtain consent through an email that contains a digital signature that uses a public key that has been verified by one of the above methods.

Parental Consent for Internal Use

If the website does not publicly disclose the child’s information either through disclosure to third parties or through the posting of information to chat rooms, message boards or similar features then the information will only be used within the site to contact the child.

Consent options include:

• Any of the methods used for public disclosure
• The Email Plus option in which:
  • An initial email is sent containing the privacy notice and asking the parent to respond with a phone, fax or mailing address to confirm consent through one of those methods; or
  • After a reasonable length of time has passed, a second email is sent asking for the parent to confirm consent. The privacy notice should again be included. This email informs the parent that their consent is implicit through their lack of response. The email should provide the the parent with information on how to revoke their consent.

Enforcement of COPPA

COPPA is enforced by the Federal Trade Commission and through the a state’s Attorney General’s Office under SEC. 1305. COPPA allows for the creation of Safe Harbor programs which encourages industry self regulations.

There are several online assurance programs that offer a COPPA compliant Safe Harbor Program including:

• TRUSTe
• The Children’s Advertising Review Unit
• The Entertainment Software Rating Board

Unlike other information privacy laws, the FTC has been diligent in enforcing COPPA. It has a history of investigating privacy complaints and taking action against website and companies violating the rule.

Summary

COPPA protects the privacy of personal information for children. It does not prevent children from accessing mature content. COPPA uses parental notice and consent to prevent the wrongful collection and misuse of children’t personal information. Any website that may be frequented by children under the age of 13, must comply with the COPPA ruling if personal information is collected.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• U.S. Public and Private Sector General Laws including COPPA (I.B.a.ii.)

What is Safe Harbor?

In 1995, the E.U. implemented a comprehensive law, the Data Protection Directive, which created strong standards and principles governing the use and protection of data. Any data transferred within the E.U. or the European Economic Area would be protected under the law. However, personal data transferred to other countries would not be guaranteed the same protection. The Data Protection Directive restricts the transfer of data with other countries unless they meet a comparable level of data protection.

Data protection in the United States, which is more commonly known as information privacy, is governed by a number of sectoral laws that protect data within specific industries, ie: HIPAA protects personal health information, FACTA protects personal information in the financial sector. The U.S. has no central or comprehensive data protection regime and therefore, the E.U. finds data protection in the U.S. to be inadequate.

To facilitate unrestricted, data transfer between the United States and the European Union, the Safe Harbor agreement was created to allow U.S. companies the opportunity to raise their level of data protection and achieve “adequate” status, thus meeting the restriction rules for onward transfer to third parties under the E.U. Data Directive.

The Benefits of Safe Harbor Compliance

In 2000, when the Safe Harbor agreement was developed between the E.U. and the U.S., data transfers accounted for over $ 300 Billion dollars in trade. Safe Harbor allows such exportation and importation of data to continue while still protecting the personal data of European citizens. Though the Safe Harbor agreement requires stricter privacy standards for U.S. companies, than is required by U.S. law it is really to the benefit of both sides that such an agreement exists.

Participating U.S. companies enjoy the privilege of the Safe Harbor Agreement which demands that all E.U. member states allow unrestricted data transfers with any and all Safe Harbor certified participants. This means that certified companies may not be denied transfers by individual data controllers or Data Protection Authorities according to their own agendas.

Furthermore, complaints brought against a U.S. entity by European citizens regarding the protection of their personal data are heard in U.S. courts and the Safe Harbor program is under U.S. enforcement.

Safe Harbor also eliminates the need, or grants automatic approval for, data transfers creating a more cost and time efficient system. Companies may choose not to join the Safe Harbor agreement and make individual agreements or model contracts with a Data Protection Authority, but this may increase the time and energy needed to allow for the unrestricted transfer of data.

How Does a Company Become Safe Harbor Compliant?

The Safe Harbor program is voluntary. In order to participate, an entity must complete a self certification process annually with the Department of Commerce. To do this a company may join a self regulatory privacy program such as the BBB online, which audits companies to review their privacy policies and business operations to provide certificates of compliance with Safe Harbor. Or an entity may choose to create their own self-regulatory privacy policy which adheres to all Safe Harbor principles. Furthermore, the entity must publicly state in their privacy notice that they are Safe Harbor compliant.

The Safe Harbor Principles

The following principles must be included in a Safe Harbor compliant privacy policy.

Notice

• The data subject must be notified about the purposes for which personal information is collected and used.
• The data subject must be notified about contact methods to file inquiries and complaints.
• The data subject must be notified about the types of third parties to whom personal information may be disclosed.
• The data subject must be provided with their choices and means of limiting disclosure of their personal data.
• Notice should be provided at the time when information is first collected or shortly thereafter and must be provided before data is processed or disclosed.

Choice

• The data subject must be able to opt-out of third party disclosures.
• The data subject must be able to opt-out of secondary usage of information.
• The data subject must give affirmative consent (opt-in) for the disclosure or use of sensitive information.

Onward Transfer

• All third parties to whom data may be transferred must follow the Safe Harbor principles or Data Directive compliant. The same level of protection must be guaranteed no matter how many times data is transferred.

Security

• Entities that process data in any stage of its life cycle (collection, use, analysis, storage) must take reasonable measures to protect against data loss, destruction, misuse and unauthorized access.

Data Integrity

• Data may only be processed or used as it is related and proportional to the purposes for which it was originally collected.
• An entity should take reasonable steps to ensure data is accurate, timely and complete.

Access

• Data subjects must be able to view the information an organization holds about them.
• Data subjects must be able to correct, add to, or delete inaccurate information.

Enforcement

• A recourse mechanism must be in place for data subjects to file complaints, have disputes investigated, and resolved.
• An entity must have a mechanism to verify that the stated privacy policy and business operations are compliant with the Safe Harbor agreement. Audits should be completed annually.
• It is the obligation and responsibility of the entity to remedy any problems with compliance in a timely fashion.

Enforcing Safe Harbor

U.S. compliance with Safe Harbor is largely self regulated. Entities may choose to complete self verification of compliance and investigate complaints internally. Companies also have the option of using private, third party dispute resolution mechanisms, that have gained a reputation of trustworthiness to verify their compliance and investigate disputes.

Some well known, third party dispute resolution service providers include:

• The Better Business Bureau Online
• The Direct Marketing Association
• The Entertainment Software Rating Board

Third party dispute resolution providers are self regulated and not certified by the Department of Commerce or the FTC. Therefore, it is the legal responsibility of the entity to choose a program that is Safe Harbor compliant.

Though, Safe Harbor has not been strictly enforced in the past, there are regulations within the privacy and trade law to punish violators. Misuse of the Safe Harbor agreement can qualify as “unfair or deceptive trade practices” under Section 5 of the Federal Trade Commission Act. The FTC may take action against offenders including conducting formal hearings, and issuing cease and desist or temporary restraining orders. Failing to comply with an FTC order may carry a penalty of up to $11,000 for every day of continued violation and any entity that knowingly violates an FTC rule may be subject to the same penalty.

Safe Harbor in the News

Historically, the FTC has done very little to enforce Safe Harbor compliance. However, that has begun to change. In August 2009, the FTC publicly announced a suit against a California based company, Balls of Kryptonite, which purposely misled UK consumers to believe it was an E.U. company by using a .co.uk domain address. Furthermore, the company stated in its privacy policy that it was Safe Harbor compliant though no certification had ever been filed.

Then, in October 2009, the FTC filed settlement complaints against six multinational companies that had lapsed in their compliance but failed to alter their privacy policies to notify data subjects of the change. The recent enforcement has sent the message to business owners that the FTC may no longer rely on private, self-regulation to provide adequate enforcement. Since Safe Harbor compliance requires a public statement in privacy notices stating participation in the program, the FTC needs only to compare their current list of Safe Harbor participants with the privacy notice of an entity to gain evidence of unfair or deceptive trade practices. There is also speculation that the audits may be conducted in the future for companies with current certifications, to verify full compliance with all Safe Harbor regulations.

Data protection, especially with regard to onward transfer, continues to remain a significant issue in International politics. In the first week of November 2009, the United States and European Union, recognizing the weaknesses in current regulation, joined together to create a common set of principles to govern the transfer of personal data. That same week, privacy representatives from around the world met in Madrid for the International Data Protection and Privacy to create a universal standard of privacy and data protection, in the hopes of eventually creating a universal data protection law.

In Conclusion:

Companies wishing to conduct legal and successful business on a multinational level must be concerned with the protection of data both when it is transferred to and from the United States. Agreements, like Safe Harbor, allow the United States and the European Union to continue a mutually beneficial trade relationship, however, the agreement alone does not guarantee data protection. Participating U.S. companies need to ensure Safe Harbor compliance to build trust in their organization, as well as in the program to allow such agreements to continue in the future, despite the differing approaches the U.S. and the E.U. take regarding data protection.

CIPP Candidate Preparation

In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post including:

• The Collective View of Privacy Principles (Foundations I.E) including Notice, Consent, Access, Security, and Quality
• Privacy and Data Protection Regulation (Foundations: I.F) including Onward Transfer, Safe Harbor, and the E.U. Data Protection Directive

Member States shall provide that personal data may be processed only if:

• (a) the data subject has unambiguously given his consent; or
• (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
• (c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
• (d) processing is necessary in order to protect the vital interests of the data subject; or
• (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
• (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).

This treatment of personal information held quite a bit of headache for multi-national companies with sensitive HR data or customer relationship information. These problems were eventually ironed out between the EU and the US Department of Commerce through the passage of the Safe Harbor program in 2000. The Center for Democracy and Technology gives a tidy summary of the Directive and international responses.

Intra-EU privacy was supposed to be quite well understood. Except by the British it appears. The European Commission began legal action against the United Kingdom Tuesday for failure to “ensure, among other things, the confidentiality of communications by prohibiting interception and surveillance without the user’s consent.”  In other words, not following Article 7.  To be fair, the 27 EU Members have had 90 cases of some sort of action brought against them, so the British are not in the minority.

The action, says EU Telecoms Commissioner Viviane Reding, relates to behavioral advertising company Phorm, and Internet Service Providers (ISPs) usage of the technology.  Apparently, British Internet users complained about interception and surveillance of their surfing habits.  The Federal Trade Commission brought similar behavioral US marketing problems to light in February.

“Technologies like Internet behavioural advertising can be useful for businesses and consumers but they must be used in a way that complies with EU rules,” Reding said in a statement. “We have been following the Phorm case for some time and have concluded that there are problems in the way the UK has implemented parts of the EU rules on the confidentiality of communications.”

For the United Kingdom, there has to be some question of sovereignty mixed in with the privacy lapses. EU Member States “cede part of their sovereignty under treaties which empower the EU institutions to adopt laws”. If Britain fails to come in line with the privacy protections from the Directive, Reding has the power to force the country to appear before the EU’s highest court, the European Court of Justice. The Court of Justice can thereby force Britain’s compliance.