European Law Report - Citizens' right to privacy
New technologies must respect citizens' privacy at all costs and the European Commission seems adamant to crack down on any EU member state which does not offer the necessary safeguards. Member states must ensure that EU privacy rules - which provide...
New technologies must respect citizens' privacy at all costs and the European Commission seems adamant to crack down on any EU member state which does not offer the necessary safeguards. Member states must ensure that EU privacy rules - which provide for a European citizen's right to control how personal information is used - are respected in their territory at all costs, the Commission recently asserted.
Current EU laws oblige member states to ensure confidentiality of electronic communications by prohibiting unlawful interception and surveillance unless the users concerned have given their consent. Furthermore, the data protection directive lays down that a person must freely give specific consent and be informed before his personal data is processed. This same directive also obliges member states to establish appropriate sanctions in case of infringements and maintains that independent authorities must be charged with supervising implementation.
The Commission is thus taking a tough stance against those countries that fail to observe these rules. In particular, member states are being requested to ensure that new technologies such as behavioural advertising, RFID "smart chips" and online social networking respect these fundamental rights. Such modern technological trends make it easier to use and misuse personal information.
Indeed, search engines often collect personal data and store these for several months. Companies offering such a service argue that this private information is used to provide a better search service to users and to enhance security. However, simultaneously, the information allows search engines to offer personalised adverts. By using users' detailed histories, which are stored in a database, search engines are able to add relevant commercial information to search result pages. Furthermore, "behavioural ads" based on webpages visited rather than on search history are being provided. Certain search engines also offer personalised adverts using their e-mail service, where users see advertisements next to their inbox. Such a service is made possible by scanning the content of users' emails.
The European Commission's determination to safeguard citizens' privacy has recently culminated in the filing of an infringement procedure against the UK. Such procedures were initiated in response to complaints by internet users in relation to the use of a behavioural advertising technology known as "Phorm" by internet service providers. Such a technology was tested by British Telecom without customers' consent.
Phorm allows internet service providers, such as BT, to track the surfing activities of internet users. The user data collected are used to build profiles, which are then sold to advertisers. In this way, companies have a better idea of customers' interests and can thus improve their marketing strategies. By way of practical example, if a consumer frequently visits pharmaceutical websites, he will receive drug-related advertisements.
BT failed to request users' consent before tracking their movements on the internet. Hence, electronic profiles of thousands of users were created between 2006 and 2007 without their knowledge. Such manoeuvres by BT were nonetheless in conformity line with UK laws on data protection which provide that data can be collected if there are "reasonable grounds for believing" that consent has been given. Such a national interpretation is deemed as a loose interpretation of European rules on data protection, which specify that user consent must be "specific", "informed" and "freely given" before their data can be processed. The Commission is hence requiring the British authorities to modify national legislation in order to offer better protection of personal information.
Indeed, the protection of privacy in accordance with EU rules is high on the Commission's agenda. Recently, it has also struck an agreement between 17 major social networking companies to improve privacy on social networking websites, especially insofar as minors are concerned. In this agreement, the companies recognised their responsibility to ensure child safety and committed themselves to enable and encourage users to employ a safe approach to personal information and privacy.
New challenges to ePrivacy and personal data protection are on the rise. This fact cannot be denied. It is now up to the member states to do their utmost to be in a position to face such challenges and to accept no nonsense from those companies operating on their territory which seek to extract benefits from such technologies to the detriment of the uninformed consumer. Indeed, businesses and consumers alike may stand to gain from such technologies if used in an ethical manner and in accordance with the relevant legislation.
Dr Vella Cardona is a practising lawyer and a freelance consultant in EU, intellectual property, consumer protection and competition law. She is also a visiting lecturer at the University of Malta.
Current EU laws oblige member states to ensure confidentiality of electronic communications by prohibiting unlawful interception and surveillance unless the users concerned have given their consent. Furthermore, the data protection directive lays down that a person must freely give specific consent and be informed before his personal data is processed. This same directive also obliges member states to establish appropriate sanctions in case of infringements and maintains that independent authorities must be charged with supervising implementation.
The Commission is thus taking a tough stance against those countries that fail to observe these rules. In particular, member states are being requested to ensure that new technologies such as behavioural advertising, RFID "smart chips" and online social networking respect these fundamental rights. Such modern technological trends make it easier to use and misuse personal information.
Indeed, search engines often collect personal data and store these for several months. Companies offering such a service argue that this private information is used to provide a better search service to users and to enhance security. However, simultaneously, the information allows search engines to offer personalised adverts. By using users' detailed histories, which are stored in a database, search engines are able to add relevant commercial information to search result pages. Furthermore, "behavioural ads" based on webpages visited rather than on search history are being provided. Certain search engines also offer personalised adverts using their e-mail service, where users see advertisements next to their inbox. Such a service is made possible by scanning the content of users' emails.
The European Commission's determination to safeguard citizens' privacy has recently culminated in the filing of an infringement procedure against the UK. Such procedures were initiated in response to complaints by internet users in relation to the use of a behavioural advertising technology known as "Phorm" by internet service providers. Such a technology was tested by British Telecom without customers' consent.
Phorm allows internet service providers, such as BT, to track the surfing activities of internet users. The user data collected are used to build profiles, which are then sold to advertisers. In this way, companies have a better idea of customers' interests and can thus improve their marketing strategies. By way of practical example, if a consumer frequently visits pharmaceutical websites, he will receive drug-related advertisements.
BT failed to request users' consent before tracking their movements on the internet. Hence, electronic profiles of thousands of users were created between 2006 and 2007 without their knowledge. Such manoeuvres by BT were nonetheless in conformity line with UK laws on data protection which provide that data can be collected if there are "reasonable grounds for believing" that consent has been given. Such a national interpretation is deemed as a loose interpretation of European rules on data protection, which specify that user consent must be "specific", "informed" and "freely given" before their data can be processed. The Commission is hence requiring the British authorities to modify national legislation in order to offer better protection of personal information.
Indeed, the protection of privacy in accordance with EU rules is high on the Commission's agenda. Recently, it has also struck an agreement between 17 major social networking companies to improve privacy on social networking websites, especially insofar as minors are concerned. In this agreement, the companies recognised their responsibility to ensure child safety and committed themselves to enable and encourage users to employ a safe approach to personal information and privacy.
New challenges to ePrivacy and personal data protection are on the rise. This fact cannot be denied. It is now up to the member states to do their utmost to be in a position to face such challenges and to accept no nonsense from those companies operating on their territory which seek to extract benefits from such technologies to the detriment of the uninformed consumer. Indeed, businesses and consumers alike may stand to gain from such technologies if used in an ethical manner and in accordance with the relevant legislation.
Dr Vella Cardona is a practising lawyer and a freelance consultant in EU, intellectual property, consumer protection and competition law. She is also a visiting lecturer at the University of Malta.