EC may sue Great Britain to stop a sweeping data interception law
"Do you want the Internet to turn into a jungle?" asked European Commissioner for the Information Society and Media Viviane Reding, to open her weekly English-language address this morning. "This could happen, you know, if we can't control the use of our personal information online."
Comm. Reding's message accompanied an announcement that the EC has launched the first stage in what could be a long, drawn-out series of proceedings against one of its own member nations, the United Kingdom. At issue is the UK's handling of online privacy laws, under the nearly two-year-old administration of Prime Minister Gordon Brown. The surface issue is what made news in the UK, at least in the general press: The EC has been concerned that the behavioral advertising service Phorm, a service built in association with leading UK carrier BT, may be enabling data collection policies that go beyond the limits mandated by EC directives.
But if the EC's problem was with Phorm, it could have made its complaint to BT, which hasn't been even partly state-owned since the early 1990s. No, the EC's complaint against Britain itself runs somewhat deeper than that, although this morning Comm. Reding was only willing to show the proverbial knife with the blade withdrawn. A paragraph deep down in this morning's announcement from the Brussels government shows how even the EC can bury the lede:
"Under UK law, which is enforced by the UK police, it is an offence to unlawfully intercept communications. However, the scope of this offence is limited to 'intentional' interception only," reads the EC statement. "Moreover, according to this law, interception is also considered to be lawful when the interceptor has 'reasonable grounds for believing' that consent to interception has been given. The Commission is also concerned that the UK does not have an independent national supervisory authority dealing with such interceptions."
Although the EC's concern may have been triggered by an investigation into the Phorm matter, as the announcement suggests, nothing about Phorm's behavioral advertising scheme has anything to do with government interception of private messages. British subjects will readily point out that the "interception" language more likely points to a sweeping new extension to existing law proposed last March 16 by Security and Counter-terrorism Minister Vernon Coaker, in a presentation to a key parliamentary committee. That extension is part of what was introduced last year as the Intercept Modernization Programme.
Under the UK's interpretation of the IMP, the new law would force ISPs in the UK to submit communications data regarding its users to a central database maintained by the government. As MP Coaker explains it, the IMP is necessary in order to carry out the EC's directives, which mandate that communications data regarding who speaks with whom, be kept on file for as much as two years. Coaker calls the creation of the IMP a "transposition" of EU law to the UK, as well as an extension of existing UK law regarding telephone traffic to Internet traffic.
The purpose of a centralized database, MP Coaker explained to committee, would be to cut through all the red tape: "To minimize the bureaucratic burden on businesses, particularly small businesses, we want to avoid four or five different communications service providers retaining the same data. So, in discussions with the communications service providers, we will look at who has the various data sets and we will specify through the notice who is required to retain what."
In his speech, MP Coaker suggested that the UK would only need to retain communications data for as little as 12 months. ISPs would only need to retain data in instances where they were specifically requested by government to do so, he said, although it seems impossible for a business to be able to present any data to authorities over a period of time if it had not been retaining that data to begin with.
What some ministers are concerned about is whether the law would extend to communications traffic over social networks, like MySpace or Facebook. Coaker stated that might step beyond the boundaries of the "transposition," though in this particular case, he left the door open, saying he'd welcome working with other ministers in perhaps extending the transposition in that direction.
Comm. Reding addressed one aspect of the social networking data problem in her address this morning: "Social networking has a strong potential for a new form of communication and for bringing people together, no matter where they are. But is every social networker really aware that technically, all pictures and information uploaded on social networking profiles can be accessed and used by anyone on the Web? Do we not cross the border of the acceptable when, for example, the pictures of the Winnenden school shooting victims in Germany are used by commercial publications just to increase sales? Privacy must in my view be a high priority for social networking providers and for their users."
But this morning's statement from the EC bolsters Reding's comments with some principles that could be used in a pre-emptive proceeding against the UK. Specifically, it alludes to the possibility that if the centralized database created through the IMP revealed something about a person "unintentionally," perhaps by tying together that person's contacts across different media, that information may be justified by law enforcement officials the same way "plain sight" information in the US is deemed admissible in court without a warrant. And if the data behind such a revelation was compiled by someone or something outside of law enforcement entirely...say, a behavioral advertising service, then authorities could give themselves plausible deniability.
"European privacy rules are crystal clear: A person's information can only be used with their prior consent," stated Comm. Reding. "We cannot give up this basic principle, and have all our exchanges monitored, surveyed and stored in exchange for a promise of 'more relevant' advertising! I will not shy away from taking action where an EU country falls short of this duty."
Today's action against the UK marks the first stage of infringement proceedings. The government has two months to respond, after which the EC may issue a formal opinion. If that opinion is challenged or let stand, a formal court case may begin in the European Court of Justice.