
European Policy, Privacy & Data

Does Phorm Fit?

Last week, the European Commission issued an answer to several queries regarding Phorm, a U.K. company that uses Internet traffic data to serve targeted advertisements. Phorm has proposed partnerships with some of the United Kingdom’s largest ISPs that allow Phorm to use deep packet inspection (DPI) to create profiles of individual consumers’ Web habits. Several members of the European Parliament asked the European Commission whether Phorm’s actions constitute an invasion of privacy contrary to European Union privacy protections. In its response to these questions, the European Commission explained how the Phorm system intersects with the EU ePrivacy Directive.

The Commission declared that, under the directive, the Web traffic information collected by Phorm is “traffic data” and the content of search queries intercepted by Phorm constitutes “communication,” both of which are protected from interception or surveillance without consumer consent. The Commission noted that the U.K. Information Commissioner’s Office (ICO) – which enforces U.K. data privacy laws – is responsible for monitoring Phorm’s actions. In a review of Phorm’s DPI plans, the ICO said that Phorm’s system “does not appear to be” harming consumers.

The ICO will be scrutinizing Phorm’s actions, however, to ensure that the company delivers on its promises to not violate consumer privacy rights. The Commission itself is also taking ICO’s wait-and-see attitude, promising to remain vigilant in continuing to observe the situation and to “take appropriate action, should the need arise.”

The European Commission’s comments come on the heels of recent inquiries in Canada and the United States into ISPs using DPI for network monitoring and targeted advertising. The Canadian Internet Policy and Public Interest Clinic (CIPPIC) filed a complaint with Canada’s Privacy Commissioner in early May regarding broadband provider Bell Canada’s alleged use of DPI to monitor network traffic. And as we discussed in a recent blog post, two members of the United States Congress have sent a letter to broadband provider Charter Communications’ CEO about the legality of its proposed business relationship with NebuAd, an advertising company similar to Phorm. As ISPs continue to negotiate with DPI-based targeted advertising companies, such government oversight may intensify given the privacy and legal concerns with intercepting customers’ Internet traffic.