Joint answer given by Mrs Reding on behalf of the Commission
Written questions: E-1884/08, E-2227/08, E-2576/08
19.5.2008
The Honourable Member inquires whether the Commission is aware of the activities of the company Phorm in the United Kingdom (UK), concerning the analysis of Internet traffic for advertising purposes, and about the Commission's position and possible actions regarding the agreement between Phorm and major Internet service providers in the UK, in particular with respect to concerns raised about the effects on privacy of these activities.
The Commission recalls that privacy and the protection of personal data are fundamental rights enshrined in Articles 7 and 8 of the EU Charter of Fundamental Rights, and also protected by the European Convention on Human Rights and the related instruments of the Council of Europe, to which all EU Member States are signatories.
General principles for the protection of personal data are defined in Directive 95/46/EC (Data Protection Directive)[1], and complemented and particularised for electronic communications by Directive 2002/58/EC on privacy and electronic communications (ePrivacy Directive)[2].
The Data Protection Directive recognises rights of data subjects and sets out principles that must be applied by data controllers and enforced by national supervisory data protection authorities. For instance, data have to be collected for a specified, explicit and legitimate purpose and not further processed in a way incompatible with those purposes.
Where personal data are processed for further purposes incompatible with the initial ones, the data controller is in breach of the relevant national law transposing the Data Protection Directive and it is up to the national supervisory data protection authority in question to act and exercise its functions.
Furthermore, Article 14 of the Data Protection Directive sets rights of data subjects to object, on request and free of charge, to the processing of their personal data, which the controller anticipates being processed for the purposes of direct marketing. The data subjects have also the right to be informed before personal data are disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing. In cases of such disclosures or uses the data subjects should also be expressly offered the right to object.
The ePrivacy Directive obliges Member States to ensure the confidentiality of communications and related traffic data through national legislation. In particular, they are required to prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than the users without their consent, which must be a freely given, specific and informed indication of the user's wishes.
The data referred to in the question, i.e. the content of search queries, constitute communication within the meaning of this directive, and the uniform resource locators (URLs) used in the packets constitute traffic data. These data should therefore be protected appropriately.
The responsibility for the enforcement of national legislation transposing EU Directives is with the competent national authorities. The Information Commissioner’s Office (ICO), the UK Data Protection Authority, has issued several statements concerning Phorm. According to these statements, the ICO has been told that the users will be duly informed about the technology and presented with the possibility to become involved, i.e. to provide their consent by positively opting in, and that they will also have the possibility to change their mind at any moment later. The ICO states that it will be in close contact with Phorm and British Telecom (BT) during a trial of the technology involving around 10 000 BT broadband customers who will opt in to the trial. The ICO finds that, according to the explanation provided by Phorm, there does not appear to be any detriment to users in the operation of the Phorm system but it will keep the Phorm products under review as they are rolled out to verify whether the assurances Phorm has provided so far are confirmed in practice.
The Commission services will continue to follow this case and further developments and take appropriate action, should the need arise. The Commission confirms its commitment to the protection of personal data, protection of privacy and security of electronic communications as one of its top priorities. This is why the proposals for the reform of the regulatory framework for electronic communications, which are currently being discussed in Parliament and the Council, put considerable focus on the reinforcement of these aspects.
- [1] Directive 95/46/EC of Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23.11.1995.
- [2] Directive 2002/58/EC of Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, OJ L 201, 31.7.2002.
OJ C 291, 13/11/2008