Thursday, 5 November 2009

EU telecoms package approved - internet access; privacy, data breach notification, cookies; net neutrality

The EU telecoms reform package, including the previously mentioned hotly debated provision on internet access rights, was unanimously approved late last night by a conciliation committee with representatives from the 27 Member States and an equal number of representatives from the European Parliament.

Here's the timetable going forward, from the EU press release of 5 November 2009, "Agreement on EU Telecoms Reform paves way for stronger consumer rights, an open internet, a single European telecoms market and high-speed internet connections for all citizens" (or see the PDF version with diagrams in full):

  • Vote of the new internet freedom provision agreed between Parliament and Council in a plenary session of the European Parliament and in the Council of Ministers within the next 6 weeks (expected for end November);
  • Entry into force of the whole telecoms reform package with its publication in the EU's Official Journal (by early 2010);
  • Establishment of the European Body of Telecoms Regulators BEREC (spring 2010);
  • Transposition of the telecoms reform package into national legislation in the 27 EU Member States (by May 2011).

1. Internet access & internet freedom

The "internet freedom" provision, article 1(3)(a) of the proposed new Framework Directive, now reads as follows - the bold/underlined text reflects what's shown in the EU press release:

“Measures taken by Member States regarding end-users’ access to or use of services and applications through electronic communications networks shall respect the fundamental rights and freedoms of natural persons, as guaranteed by the European Convention for the Protection of Human Rights and Fundamental Freedoms and general principles of Community law.

Any of these measures regarding end-users’ access to or use of services and applications through electronic communications networks liable to restrict those fundamental rights or freedoms may only be imposed if they are appropriate, proportionate and necessary within a democratic society, and their implementation shall be subject to adequate procedural safeguards in conformity with the European Convention for the Protection of Human Rights and Fundamental Freedoms and general principles of Community law, including effective judicial review and due process. Accordingly, these measures may only be taken with due respect for the principle of presumption of innocence and the right to privacy. A prior fair and impartial procedure shall be guaranteed, including the right to be heard of the person or persons concerned, subject to the need for appropriate conditions and procedural arrangements in duly substantiated cases of urgency in conformity with the European Convention for the Protection of Human Rights and Fundamental Freedoms. The right to an effective and timely judicial review shall be guaranteed.”

It could be worse for citizens, but it could be better. As you can see from the emboldened text, though "adequate procedural safeguards" don't require the involvement of a court, at least they require any "three strikes" or similar measures to be adequate, proportionate and necessary in a democracy, with the presumption of innocence, the right to privacy, the right to due process involving a fair and impartial procedure with the right to be heard, and the right to effective and timely judicial review.

But it still means a user could be cut off without a court order after allegations of copyright breaches e.g. illegal music downloads or filesharing, and then left to challenge it in the courts, which costs money. It will therefore be vital to know exactly the details of whatever "prior fair and impartial procedure" is set up by the individual EU country to allow the user to put forward their position before having their Net connection suspended or cut off. Who manages this "procedure"? Note that "impartial" doesn't mean "independent"!

Arguably if it's in practice too difficult and expensive for consumers to fight the suspension, this goes against the right to an "effective and timely" judicial review?

And how the UK government will implement their proposed UK 3 strikes legislation so as to not breach the new internet freedom provision is of course yet another matter.

For those interested in the text of the draft Directive and the legislative history, see Pre-Lex or the legislative procedure file e.g. the draft Directive (in each case not yet incorporating last night's agreed amendment).

2. Privacy - data breaches, cookies

No change from May, as expected - so there will be new rules on mandatory notifications for personal data breaches. Article 4 of the Directive 2002/58/EC (Directive on privacy and electronic communications) will be amended to insert new provisions.

I wonder though about data breach notification not having to be given if "appropriate technological protection measures" were "applied to the data concerned by the security breach. Such technological protection measures shall render the data unintelligible to any person who is not authorized to access the data." How securely must the data have been encrypted, for example, to render the data unintelligible to unauthorised persons? Or is any encryption good enough? There's no requirement that the protective measures must be "adequately secure", only that they are "appropriate".

On cookies, again no change:

"the rules concerning privacy and data protection are strengthened, e.g. on the use of “cookies” and similar devices. Internet users will be better informed about cookies and about what happens to their personal data, and they will find it easier to exercise control over their personal information in practice. Furthermore, internet service providers will also gain the right to protect their business and their customers through legal action against spammers."

This means the provisions on requiring prior consent to cookies and the like, which so alarmed lawyers such as Out-Law in relation to their practicability for web advertising, will be coming into force as is. The new Article 5(3) of Directive 2002/58/EC (Directive on privacy and electronic communications) will thus read:

"Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his/her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."

3. Net neutrality

The only development, from the press release, seems to be:

"The Commission also made a commitment last night to keep the neutrality of the internet under close scrutiny and to use its existing powers as well as new instruments available under the reform package to report regularly on the state of play in net neutrality to the European Parliament and the Council of Ministers."

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.