Gmail is not telecommunications, rules ECJ

To the relief of Europe’s tech community, European Court of Justice rules that Gmail is not electronic communications service and does not fall under the EU regulatory framework for telecommunications.

European regulatory Framework on electronic communications (or telecommunications) imposes a number of public law rights and obligations on the providers of services that consist ‘wholly or mainly’ in the conveyance of signals on electronic communications networks. According to German regulator BNetzA, whose decision was upheld by the Administrative Court in Cologne, Gmail satisfied this definition.
Whereas Google operates its own internet-connected network infrastructure in Germany, in particular several high-speed links between metropolitan areas, that was according to the Administrative Court not decisive: “The fact that the conveyance of signals occurs essentially over the open internet and thus that it is the internet access providers (‘IAPs’) which convey those signals and not Google itself does not preclude the classification of Gmail as a telecommunications service.” The signal conveyance service may be attributed to Google based on its ‘appropriation’ of “the signal conveyance service for its own purposes and, in particular, on the ground that it makes an essential contribution to the functioning of the telecommunications process with its electronic processing services.”
What does the ECJ say about Gmail?
According to the ECJ, however, Article 2(c) of Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive), as amended by Directive 2009/140/EC, “must be interpreted as meaning that a web-based email service which does not itself provide internet access, such as the Gmail service provided by Google LLC, does not consist wholly or mainly in the conveyance of signals on electronic communications networks and therefore does not constitute an ‘electronic communications service’ within the meaning of that provision.”
According to the ECJ, the fact that Google “actively participates in the sending and receipt of messages, whether by assigning to the email addresses the IP addresses of the corresponding terminal devices or by splitting those messages into data packets and uploading them to, or receiving them from, the open internet for the purposes of transmitting them to their recipients,” does not appear to be sufficient to meet the ‘wholly or mainly’ criterion.
What is next for OTT communications?
Whereas the decision can be seen as a relief and is in line with the views of BEREC, the top body of European telecoms regulators, it is not future-proof. Notably, the new definition of ‘interpersonal communications services’ of the European Electronic Communications Code (EECC) can still be seen as potential future game-changer, aiming for so-called ‘level-playing field’ between traditional telecoms and OTTs. In addition, Gmail decision needs to be read in conjunction with the recent Skype Out decision, whereby a software service allowing calls to traditional telephones is deemed an electronic communications service.

Are you worried about the impact Gmail and Skype Out decisions might have on your OTT business? Aphaia provides regulatory policy advice to some of the world’s top OTT providers.

GDPR no deal Brexit practical steps

What should UK business do when it comes to GDPR if no deal Brexit actually takes place?

At first glance, no deal Brexit should not pose a major problem for UK businesses. The UK applies GDPR and will continue to apply it, either directly or based on Data Protection Act 2018. There are no major plans to change the principles or even the rules of GDPR. It could be business as usual. But not quite.

No deal data transfers EU-UK

The transfers of personal data from the EU to the UK will be deemed transfers to a third country. Whereas one could expect the European Commission to issue an adequacy decision for the UK based on the UK’s law being based on EU GDPR, this decision might not be timely. Accordingly, businesses might need to cover such transfers, most likely using Standard Contractual Clauses (SCC). The ICO has decided to help them out with this tool:

The good news is that the UK government has stated that, when the UK exits the EU, transfers to the EEA from the UK will not be restricted. There will be transitional provision for a UK adequacy decision to cover these transfers. This means you will able to continue to send personal data from the UK to the EEA without any additional requirements.

Appointing a data protection representative in the EU

Depending on what you do, you may need to appoint a data protection representative in the EU. This will most likely be the case if you are offering goods or services, irrespective of whether a payment of the data subject is required, to data subjects in the EU, for example via a website. Similarly, this will apply to your online or offline monitoring of people’s behaviour as far as this behaviour takes place within the EU. Where you have a subsidiary in the EU, they can act as your representative, and if you have a branch established in the EU, no representative would be required.

Do you require assistance with GDPR and Data Protection Act 2018 compliance, including support in relation to Brexit? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.

5G Privacy Risks addressed by the European Commission

Commission Recommendation on Cybersecurity of 5G networks sets an action plan for the Member States. We explore the main sources of 5G privacy risks.

According to Commission Recommendation on Cybersecurity of 5G networks, EU Member States should by the 30th June 2019 carry out a risk assessment of 5G network infrastructure, including identifying the most sensitive elements where security breaches would have a significant negative impact. By the same date, Member States should also review the security requirements and the risk management methods applicable at national level, to take into account cybersecurity threats that may arise from (i) technical factors, such as the specific technical characteristics of 5G networks, and (ii) other factors such as the legal and policy framework to which suppliers of information and communications technologies equipment may be subject in third countries.

A toolbox will further be agreed at the EU level that will include a risk inventory and a set of possible mitigating measures (e.g. third-party certification for hardware, software or services, formal hardware and software tests or conformity checks, processes to ensure access controls exist and are enforced, identifying products, services or suppliers that are considered potentially not secure, etc.).

5G vs 4G privacy risks

Since we all already use 4G and 3G mobile networks, the key practical question is the comparison between 5G vs 4G privacy risks. Are there fundamental differences? Whereas there might be few qualitative differences, one can think of higher density of 5G cells that enable more precise user location information or the impact of potential network management decentralisation e.g. in relation to locally available 5G services. Mobile location issues are addressed by the EU ePrivacy Directive, soon to become ePrivacy Regulation.

According to Vesna Prodnik Pepevnik, CEO of Vafer and 5G mobile network expert, the main challenges will be linked to vertical applications, from autonomous vehicles and healthcare to energy and monitoring systems with various omnipresent sensors. “The more systems and therefore data are processed by 5G networks, the higher the risk.” In her view, the Commission’s 5G security proposals are currently vague, which might even prove to be an obstacle for certain 5G use cases and therefore the EU’s ambitions in relation to 5G.

It, therefore, remains to be seen to what extent will the proposed measures, including the expected toolbox, provide the necessary safeguards for the industry and trust for the end-users, which are both essential for 5G becoming a major driver for IoT applications.

Aphaia provides Data Protection Impact Assessment, including in relation to ePrivacy, and Telecommunications Policy and Regulation services

ePrivacy regulation amendments under Romanian Presidency

At the beginning of the year, Romania took over the rotating presidency of the Council of the European Union. The EU ePrivacy Regulation was initially set out two years ago, to be implemented at the same time as GDPR.

A set of amendments to the proposed ePrivacy Regulation were released by the Romanian Presidency. These are worth looking at – but you should not expect any spectacular changes!

Which services warrant ePrivacy?

This has been an important matter within the ePrivacy Regulation proposal all along: communications privacy rules were to be expanded to services such as online marketplaces, gaming- or mobile apps messaging features.

The latest Romanian Presidency amendment makes it clear, referring to the definition of the new European Electronic Communications Code (EECC), that ‘interpersonal communications service’ that warrant such privacy protection shall include services that enable interpersonal and interactive communication merely as a minor ancillary feature that is intrinsically linked to another service.

In other words, no matter how insignificant the messaging feature may be in relation to the service, it warrants the protection of its privacy as any other interpersonal communication.

Limitations to the security processing exception

According to the amendments, security will be more difficult to use as a blanket exception for data processing. Whereas processing is acceptable if it is necessary to detect or prevent security risks and/or attacks on end-users’ terminal equipment, such processing is only permitted “for the duration necessary for that purpose”.

Other interesting amendments

The amendments include a requirement for supervisory authorities to cooperate with data protection authorities when appropriate, as well as new investigative and corrective powers for those supervisory authorities.

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.