• by Wendy Davis  @wendyndavis, April 15, 2009

European regulators said Tuesday they have commenced legal action regarding controversial behavioral targeting company Phorm, which tested its ad-serving platform in the U.K. without first notifying users and seeking their permission.

"The Commission has concerns that there are structural problems in the way the U.K. has implemented EU rules ensuring the confidentiality of communications," the agency said Tuesday in a statement announcing it had initiated an "infringement proceeding" about Phorm. The company serves ads to users based on information about their Web activity gleaned from Internet service providers using deep packet inspection technology.

In addition, EU Commissioner for Information Society and Media Viviane Reding issued a separate statement reiterating that online behavioral advertising requires users' consent. "European privacy rules are crystal clear: a person's information can only be used with their prior consent," Reding said. "We cannot give up this basic principle, and have all our exchanges monitored, surveyed and stored in exchange for a promise of 'more relevant' advertising."

The European Commission move sets up a potential battle between itself and the U.K. authorities, who continue to endorse Phorm and have so far refused to take any action regarding the tests conducted without notice to users. U.K. Internet service provider BT Group and Phorm conducted the secret trials in 2006 and 2007.

The U.K. now has two months to respond to the European regulators. If the Commission isn't satisfied, the agency's next step would be to issue a "reasoned opinion." "If the UK still fails to fulfill its obligations under EU law after that, the Commission will refer the case to the European Court of Justice," the agency stated Tuesday.

Meanwhile, the U.K. Department for Business, Enterprise and Regulatory Reform reiterated its stance that Phorm is "capable of being operated in a lawful, appropriate and transparent" manner.

Phorm said the news doesn't change its plans to roll out its platform in the U.K. "We do not envisage the Commission's proceedings will have any impact on the company's plans going forwards," the company said in a statement Tuesday.

Privacy advocate Alex Hanff, who runs the site nodpi.org (no deep packet inspection), cheered the commission's move. "It's very good news," he said. "We're very excited about it. They seem to be addressing all of the issues we've been raising."

Phorm's model alarms privacy advocates because broadband providers have access to all Web activity, including users' search queries and visits to non-commercial sites. Older behavioral targeting companies only collect information from a limited number of commercial sites within a network.

Phorm said it doesn't store users' personal data or browsing histories. For its most recent test in the U.K., Phorm sought users' opt-in consent.

Phorm, which has offices in New York, London, Moscow and Seoul, has not yet tested its system in the U.S. NebuAd conducted U.S. tests last year of a system similar to Phorm's, but suspended plans for broader deployment in response to pressure from Congress.