As with NebuAd here in the United States, the Phorm service in Europe is under constant and increasing attack.  The business model for both is basically to team up with Internet service providers, track and collect Internet usage data, and then use that information to serve interest-based ads to the Internet user.  Take a trip to a popular gadget web site, and expect to be served advertisements that offer gadgets for sale.  Visit a travel interest web site, and expect to start noticing advertisements from travel sites in other web pages. 

Announcing that the European Union has "opened an infringement proceeding" to investigate Phorm’s activities, the European Union’s Commissioner for Information Society and Media, Viviane Reding, said in a video message that "European privacy rules are crystal clear: a person’s information can only be used with their prior consent. We cannot give up this basic principle, and have all our exchanges monitored, surveyed and stored in exchange for a promise of ‘more relevant’ advertising! I will not shy away from taking action where an EU country falls short of this duty."

The legal action commenced by the European Union basically consists of an inquiry and warning to Britain, inquiring into Britain’s interpretation of the privacy regulations and rules in place, and an explanation of how operations by Phorm comply with those privacy regulations and rules.  In other words, the European Union wants Britain to explain why it has not commenced any action against Phorm.  Britain has two months to respond, and additional inquiries and warnings may follow before the European Union forces Britain into court.


These recent concerns about Phorm are based on unannounced trials conducted on unsuspecting users in 2006 and 2007.  Although the service claims to have not stored or shared any information that could identify a user, and although further trials involved consent from persons invited by invitation, the European Union seeks investigation on the actions in 2006 and 2007.

In her press release, Commissioner Reding summarizes the applicable European law:

The EU Directive on privacy and electronic communications requires EU Member States to ensure confidentiality of the communications and related traffic data by prohibiting unlawful interception and surveillance unless the users concerned have consented (Article 5(1) of Directive 2002/58/EC).  (The EU Data Protection Directive specifies that user consent must be ‘freely given specific and informed’ (Article 2(h) of Directive 95/46/EC).  Moreover, Article 24 of the Data Protection Directive requires Member States to establish appropriate sanctions in case of infringements and Article 28 says that independent authorities must be charged with supervising implementation. These provisions of the Data Protection Directive also apply in the area of confidentiality of communications.

Commissioner Reding also indicated that social networking sites, like Facebook, MySpace and Friendster, must safeguard and reinforce privacy protection online: "Privacy must in my view be a high priority for social networking providers and their users. I firmly believe that at least the profiles of minors must be private by default and unavailable to internet search engines. The European Commission has already called on social networking sites to deal with minors’ profiles carefully, by means of self-regulation. I am ready to follow this up with new rules if I have to."

Mark McCreary is a partner in Fox Rothschild’s Corporate Department, specializing in privacy and Internet law. If you have questions regarding this post, or any other privacy matter, you may contact Mark at (215) 299-2010 or