The European Commission today delivered an ultimatum to internet firms - improve your approach to privacy online, or face a regulatory clampdown from Brussels.
Meglena Kuneva, the consumer affairs Commissioner, told a gathering of ISPs, major websites and advertising firms they are violating "basic consumer rights in terms of transparency, control and risk", through data collection and behavioural targeting.
"I want to send a warning signal today that we cannot afford foot dragging in this area," she said.
"If we fail to see an adequate response to consumers concerns on the issue of data collection and profiling, as a regulator, we will not shy away from our duties nor wait for a cataclysm to wake us up."
Officials are understood to be particularly concerned about ISPs' experiments using Deep Packet Inspection (DPI) technology to intercept and profile their customers' web use. The information society and media Commissioner Viviane Reding's department is still investigating the UK government's apparent failure to enforce European privacy law over BT and Phorm's secret trials of such a system in 2006 and 2007.
Kuneva's initiative will also address behavioural targeting and data collection by websites.
Google launched its own behavioural tracking network earlier this month, requiring consumers who do not want to be tracked to opt out. "We must establish the principles of transparency, clear language, opt-in or opt-out options that are meaningful and easy to use," Kuneva said. "I am talking about the right to have a stable contract and the right to withdraw."
She will tell delegates that to avoid regulation they must agree rules to protect consumers' rights, in line with existing legislation. The UK's Internet Advertising Bureau recently published behavioural advertising guidelines in an attempt to ward off regulation. Privacy activists were not satisfied, however, particularly with the guidelines' onus on consumers to opt out.
Proponents of behavioural targeting point to anonymising measures as a guarantee of privacy. Phorm identifies users only via a random token, but Kuneva will argue such steps do not completely mitigate privacy conerns.
"The current work on privacy has concentrated on eliminating personally identifiable information such as name or IP addresses from the public domain," she said. "Consumer policy needs to go beyond that and address the fact that users have a profile and can be commercially targeted based on that profile, even if no one knows their actual name."
Kuneva's department will also today begin an informal investigation of online privacy and data collection in preparation for potential regulatory action. At a recent Westminster event, British peers said the Information Commissioner's Office, responsible for enforcing EU privacy regulations, had failed in its duty to consumers over behavioural targeting.
In separate news on Monday, Phorm officially announced a trial of its technology by Korea Telecom. ®