UK Privacy Protection Inadequate: EU to Issue Reasoned Opinion

October 29, 2009

The EU Commission has moved to the second phase of an infringement proceeding over the UK to provide its citizens with the full protection of EU rules on privacy and personal data protection when using electronic communications. European laws state that EU countries must ensure the confidentiality of people’s electronic communications like e-mail or internet browsing by prohibiting their unlawful interception and surveillance without the user’s consent. As these rules have not been fully put in place in the national law of the UK, the Commission said on 29 October that it will send the UK a reasoned opinion.
‘People’s privacy and the integrity of their personal data in the digital world is not only an important matter, it is a fundamental right, protected by European law. That is why the Commission is vigilant in ensuring that EU rules and rights are put in place,’ said EU Telecoms Commissioner Viviane Reding. ‘Ensuring digital privacy is a key for building trust in the internet. I therefore call on the UK authorities to change their national laws to ensure that British citizens fully benefit from the safeguards set out in EU law concerning confidentiality of electronic communications.’
The Commission maintains its position that the UK is failing to comply with EU rules protecting the confidentiality of electronic communications like email or surfing the internet, which are provided in the ePrivacy Directive 2002/58/EC and the Data Protection Directive 95/46/EC . This follows a thorough analysis of the UK authorities’ response to the letter of formal notice – the first phase in an infringement proceeding – sent to them by the Commission on 14 April 2009 ( IP/09/570 ). The Commission launched this legal action following its inquiry into the response given by the UK authorities to UK citizens’ complaints about the use of behavioural advertising by internet service providers.
Specifically, the Commission has identified three gaps in the existing UK rules governing the confidentiality of electronic communications:
• There is no independent national authority to supervise interception of communications, although the establishment of such authority is required under the ePrivacy and Data Protection Directives, in particular to hear complaints regarding interception of communications.
• The current UK law – the Regulation of Investigatory Powers Act 2000 (RIPA) – authorises interception of communications not only where the persons concerned have consented to interception but also when the person intercepting the communications has ‘reasonable grounds for believing’ that consent to do so has been given. These UK law provisions do not comply with EU rules defining consent as freely given specific and informed indication of a person’s wishes.
• The RIPA provisions prohibiting and providing sanctions in case of unlawful interception are limited to ‘intentional’ interception only, whereas the EU law requires Members States to prohibit and to ensure sanctions against any unlawful interception regardless of whether committed intentionally or not.
The UK has two months to reply to this second stage of the infringement proceeding. If the Commission receives no reply, or if the response presented by the UK is not satisfactory, the Commission may refer the case to the European Court of Justice.
The EU Directive on privacy and electronic communications requires EU Member States to ensure confidentiality of the communications and related traffic data by prohibiting unlawful interception and surveillance unless the users concerned have consented to this (Article 5(1) of Directive 2002/58/EC ). The EU Data Protection Directive specifies that user consent must be ‘freely given specific and informed’ (Article 2(h) of Directive 95/46/EC ). Moreover, Article 24 of the Data Protection Directive requires Member States to establish appropriate sanctions in case of infringements and Article 28 says that independent authorities must be charged with supervising implementation. These provisions of the Data Protection Directive also apply in the area of confidentiality of communications.
A detailed overview of telecoms infringement proceedings is available at: