What's the issue?
The ePrivacy Directive (EU Directive 2002/58/EC) establishes (amongst others) specific rules on privacy for the electronic communications sector, such as limiting the use of traffic and location data and prohibiting listening to, or otherwise accessing the contents of, communications. These rules apply to "service providers" (and more specifically, to providers of publicly available "electronic communications services" ("ECS")).
Historically, a "service provider" under the ePrivacy Directive was understood to be limited to traditional telecoms providers and ISPs. Companies that provided "telecoms-like" communication services over the internet were not traditionally seen as being caught by these requirements (or by EU telecoms law requirements generally), unless they facilitated communications using numbering resources.
However, from 21 December 2020, this position will change due to the new European Electronic Communications Code ("EECC"), which is set to be transposed (and therefore take effect) in European Union member states as of this date. The EECC is expected to harmonize the existing legal framework for electronic communications across the EU. Amongst other changes, the EECC will broaden the definition of an ECS. As the related definition of a "service provider" under the ePrivacy Directive will also be updated to align with the new definition of an ECS per the EECC, these changes look poised to bring into the scope of the ePrivacy Directive a wider spectrum of service providers than ever before.
Given that these changes are effective prior to the end of the Brexit transition period on 31 December 2020, they will apply in the UK too, though the UK is not proposing to implement the new regime in full.
To expand: the EECC applies to electronic communications network ("ECN") providers and (as we know) ECS providers. Importantly for privacy professionals, the EECC extends the definition of an ECS to include a number of activities typically carried out by instant messaging applications, email, internet phone calls and personal messaging provided through social media — collectively, over-the-top services ("OTTs"). (As before, an ECS still excludes content services i.e. services providing or exercising control over content transmitted using electronic networks and services (for example, a shopping portal or an electronic newspaper)).
Under the EECC, an ECS will now also include sub-categories of services, including "interpersonal communications services" ("ICS"). An ICS is defined as a service that enables the "direct interpersonal exchange of information via electronic communications networks between a finite number of people", provided that this communication service is "not a minor ancillary feature that is intrinsically linked to another service" (an "Ancillary Feature"). As a result, a number of OTTs that would previously have escaped ECS classification may now be caught.
The Ancillary Feature element of the ICS test is of particular interest for OTTs, given that communications functionality can be inbuilt into different types of services (e.g. as part of a website, application, or other types of software), which might otherwise escape categorisation as an ICS. However, note that this exemption is to be interpreted narrowly and from the perspective of the ultimate end-user. Ultimately, in order to fall within the exemption, the communications aspect of the service must in reality be "barely used" by the end-user, and should be integrated into a wider service such that the communications functionality cannot be used without the underlying service. Further, the application of the Ancillary Feature test must be considered on a case-by-case basis, to determine whether the communications element of the service truly is ancillary or is in fact integral to the overall end-user experience. For example, an in-game video communications feature may be an Ancillary Feature (unless the game is inherently social in nature); and a banking app that enables customer communication with the banking support team is also likely to fall into the Ancillary Feature category.
What's the catch?
If a service is brought under the ePrivacy Directive by virtue of being a publicly available ECS per the EECC, then new obligations will be imposed on that service. For example:
a) Confidentiality of communications: EU Member States must ensure the confidentiality of communications over public networks, in particular by prohibiting the listening into, tapping and storage of communications without the consent of the users concerned. This means that in-scope service providers will no longer be able to use content of communications for their own purposes (e.g. service improvement or machine learning), unless they can satisfy the requirements of local interception laws;
b) Security of networks and services: a provider of a public ECS must take appropriate measures to safeguard the security of its service;
c) Data breach notifications: if a provider of a public ECS suffers a breach of security that leads to personal data being lost or stolen, it has to inform the national authority and, in certain cases, the user. These requirements overlap with the GDPR requirements but are not identical to them. In the UK, for example, this is a 24 hour notification deadline (rather than a 72 hour deadline under GDPR); and
d) Traffic and location data: this data must be erased or made anonymous when it is no longer required for communication or billing purposes, and cannot be used for any other purpose, unless the user has provided his consent for another use. This can have the same impact as (a) i.e. additional hurdles if intending to use this information for the service provider's own purposes.
Furthermore, aside from ePrivacy Directive requirements (and depending on the particular type of service being provided), the ECS will also have additional obligations under the EECC itself. These can include requirements concerning what information must be given to consumers, what terms must be included in contracts and what the term of such contracts should be.
However, there is still some uncertainty in relation to how the EECC will take effect (not least, because the transposition of the EECC into local law may introduce a myriad of subtle differences across the EU); as well as in relation to how regulators will respond to broader application of the ePrivacy Directive in their local jurisdiction. Nonetheless, given the severity of the changes, this is something to prepare for (if only to build a case that the service in question remains outside of the arms of the EECC).