EU begins legal action against UK over privacy

The Europeans value privacy; it is a fundamental human right in their eyes. Every country which forms the European Union joined agreeing to several stipulations. One of those surrounds human rights and privacy, and is a very popular topic for a CIPP. The European Union’s Data Protection Directive 95/46/EC constitutes a comprehensive privacy model, promoting an EU citizen’s data privacy regardless of who holds it, for what reasons or uses, or when it was collected. In particular, Article 7 of the Directive asserts:

Member States shall provide that personal data may be processed only if:

  • (a) the data subject has unambiguously given his consent; or
  • (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
  • (c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
  • (d) processing is necessary in order to protect the vital interests of the data subject; or
  • (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
  • (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).

This treatment of personal information held quite a bit of headache for multi-national companies with sensitive HR data or customer relationship information. These problems were eventually ironed out between the EU and the US Department of Commerce through the passage of the Safe Harbor program in 2000. The Center for Democracy and Technology gives a tidy summary of the Directive and international responses.

Intra-EU privacy was supposed to be quite well understood. Except by the British it appears. The European Commission began legal action against the United Kingdom Tuesday for failure to “ensure, among other things, the confidentiality of communications by prohibiting interception and surveillance without the user’s consent.”  In other words, not following Article 7.  To be fair, the 27 EU Members have had 90 cases of some sort of action brought against them, so the British are not in the minority.

The action, says EU Telecoms Commissioner Viviane Reding, relates to behavioral advertising company Phorm, and Internet Service Providers (ISPs) usage of the technology.  Apparently, British Internet users complained about interception and surveillance of their surfing habits.  The Federal Trade Commission brought similar behavioral US marketing problems to light in February.

“Technologies like Internet behavioural advertising can be useful for businesses and consumers but they must be used in a way that complies with EU rules,” Reding said in a statement. “We have been following the Phorm case for some time and have concluded that there are problems in the way the UK has implemented parts of the EU rules on the confidentiality of communications.”

For the United Kingdom, there has to be some question of sovereignty mixed in with the privacy lapses. EU Member States “cede part of their sovereignty under treaties which empower the EU institutions to adopt laws”. If Britain fails to come in line with the privacy protections from the Directive, Reding has the power to force the country to appear before the EU’s highest court, the European Court of Justice. The Court of Justice can thereby force Britain’s compliance.


Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>