Deployment of the 'Phorm' technology

The following is the text of a letter received by ORG on Thursday 5 February.

EUROPEAN COMMISSION - Cabinet of Viviane Reding, Head of Cabinet

Brussels, 27 January 209 RS/MS/fm D(09)126/A(08)5250

Subject: Deployment of the 'Phorm' Technology

Dear Ms Hogge,

I refer to your letter of 19 December 008 to Commissioner Viviane Reding concerning the deployment of the Phorm technology by Internet Service Providers (ISPs) in the United Kingdom (UK). Mrs Reding has asked me to respond on her behalf.

I would like to start by taking you for providing us with the detailed legal analysis, attached to your letter, concerning the use of the Phorm technology, which the Commission services have studied carefully.

During 2008, the Commission services have written on two occasions to the UK authorities requesting information on their position regarding various issues raised by the deployment of this technology, including their handling of user complaints about its past trials in 2006-2007. In this context I would like to assure you that the implementation of EU law provisions on confidentiality of the communications, i.e. of Article 5(1) of Directive 2002/58/EC [1] (the Directive on privacy and electronic communications, also mentioned in the legal analysis attached to your letter), has been at the very centre of the Commission concerns regarding the Phorm case.

Article 5(1) reads as follows: '1. Member States shall ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation. In particular, they shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so in accordance with Article 15(1). This paragraph shall not prevent technical storage which is necessary for the conveyance of a communications without prejudice to the principle of confidentiality.'

A key concern for the Commission as regards the application of this EU law provision in this context is the legal protection of the customers of the relevant ISPs - web browsers - whose communications might be intercepted without their freely given specific and informed consent as required under Directive 95/49/EC [2] (the Data Protection Directive, also mentioned in the legal analysis attached to your letter). Moreover, the requirement under Article 5(1) of the Directive on privacy and electronic communications to obtain the consent of 'users concerned', which are defined in the Directive as natural persons, could include the obligations for interceptors of communications to obtain also the consent of website owners in certain circumstances, although not in all cases. It would appear that the legal analysis attached to your letter argues that the relevant UK legislation, the Regulation of Investigatory Powers Act 2000 (RIPA), requires consent of website owners in all cases.

The application of this EU law provision in the Phorm case is the task of the competent UK authorities, as is the determination of the relevant facts of the case, i.e. whether the deployment of this technology by ISPs constitutes interception of communications within the meaning of this EU law provision. According to the information provided by the UK authorities, the responsibility for enforcement of RIPA, which transposes Article 5(1) of the Directive on privacy and electronic communications, lies with the UK police. You may therefore wish to take up the issue concerning the consent of website owners with the UK police.

Secondly, as regards the response given by the UK authorities to BT's trials of the Phorm technology in 2006-2007, I would like to indicate that we are aware of the position taken by the Information Commissioner's Office (the ICO) and the reports about the decision of the City of London Police on this issue. In this respect, I wish to underline that the purpose of our inquiries with the UK authorities has been to assess how they have applied the relevant EU law in reaching their decisions. It remains within the competence of these authorities to decide on the appropriate liability and sanctions. The implications of their decisions for the UK's implementation of the Directive on privacy and electronic communications are of significant interest for the Commission, which is continuing to monitor the situation.

In this respect, the Commission appreciates the efforts of UK citizens and organisations such as yours providing it with information on new developments concerning the Phorm case. Therefore, I would like to thank you for your contributions.

Yours sincerely,

Rudolf Strohmeier.

[1] OJ L 201 of 31.7.2002, p.37

[2] OJ L 281 of 23.11.1995, p.31