Gmail is not telecommunications, rules ECJ

To the relief of Europe’s tech community, the European Court of Justice has ruled that Gmail is not an electronic communications service and does not fall under the EU regulatory framework for telecommunications.

The European regulatory framework on electronic communications (or telecommunications) imposes a number of public law rights and obligations on the providers of services that consist ‘wholly or mainly’ in the conveyance of signals on electronic communications networks. According to the German regulator BNetzA, whose decision was upheld by the Administrative Court in Cologne, Gmail satisfied this definition.
Although Google operates its own internet-connected network infrastructure in Germany, in particular several high-speed links between metropolitan areas, the Administrative Court did not consider that decisive: “The fact that the conveyance of signals occurs essentially over the open internet and thus that it is the internet access providers (‘IAPs’) which convey those signals and not Google itself does not preclude the classification of Gmail as a telecommunications service.” The signal conveyance service may be attributed to Google based on its ‘appropriation’ of “the signal conveyance service for its own purposes and, in particular, on the ground that it makes an essential contribution to the functioning of the telecommunications process with its electronic processing services.”
What does the ECJ say about Gmail?
According to the ECJ, however, Article 2(c) of Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive), as amended by Directive 2009/140/EC, “must be interpreted as meaning that a web-based email service which does not itself provide internet access, such as the Gmail service provided by Google LLC, does not consist wholly or mainly in the conveyance of signals on electronic communications networks and therefore does not constitute an ‘electronic communications service’ within the meaning of that provision.”
According to the ECJ, the fact that Google “actively participates in the sending and receipt of messages, whether by assigning to the email addresses the IP addresses of the corresponding terminal devices or by splitting those messages into data packets and uploading them to, or receiving them from, the open internet for the purposes of transmitting them to their recipients,” does not appear to be sufficient to meet the ‘wholly or mainly’ criterion.
What is next for OTT communications?
Although the decision can be seen as a relief and is in line with the views of BEREC, the top body of European telecoms regulators, it is not future-proof. Notably, the new definition of ‘interpersonal communications services’ in the European Electronic Communications Code (EECC) can still be seen as a potential future game-changer, aiming for a so-called ‘level playing field’ between traditional telecoms and OTTs. In addition, the Gmail decision needs to be read in conjunction with the recent Skype Out decision, whereby a software service allowing calls to traditional telephones is deemed an electronic communications service.

Are you worried about the impact the Gmail and Skype Out decisions might have on your OTT business? Aphaia provides regulatory policy advice to some of the world’s top OTT providers.

EU cyber-attacks framework

The Council has established a framework (Council Regulation (EU) 2019/796) which allows the EU to impose sanctions in relation to cyber-attacks which constitute an external threat to the EU or its Member States.

It also includes cyber-attacks against third States or international organisations where restrictive measures are considered necessary to achieve the objectives of the Common Foreign and Security Policy.

The Regulation is not aimed at any particular country, but is intended to catch all external cyber threats. To be clear, the regulation does not target specific third countries but specific malicious actors.

Cyber-attacks constituting an external threat include those which:

  • originate, or are carried out, from outside the Union;
  • use infrastructure outside the Union;
  • are carried out by any natural or legal person, entity or body established or operating outside the Union; or
  • are carried out with the support, at the direction or under the control of any natural or legal person, entity or body operating outside the Union.

Cyber-attacks are actions involving:

  • access to information systems;
  • information system interference;
  • data interference; or
  • data interception,

The restrictions include a ban on persons travelling to the EU, and an asset freeze on persons and entities. In addition, EU persons and entities are forbidden from making funds available to those listed.

This Regulation applies:

  • within the territory of the Union, including its airspace;
  • on board any aircraft or vessel under the jurisdiction of a Member State;
  • to any natural person inside or outside the territory of the Union who is a national of a Member State;
  • to any legal person, entity or body, inside or outside the territory of the Union, which is incorporated or constituted under the law of a Member State;
  • to any legal person, entity or body in respect of any business done in whole or in part within the Union.

The European Union and its Member States are concerned by the rise in malicious behaviour in cyberspace that aims at undermining the EU’s integrity, security and economic competitiveness. Those partaking in such activities have been urged to stop, and there have been calls for all partners to strengthen international cooperation to promote security and stability in cyberspace.

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.

Practical guidance on how to process mixed datasets

The European Commission has published guidance on the interaction between the Regulation on the free flow of non-personal data and the GDPR.

One year after the GDPR started to apply, most controllers are (or at least should be) well aware of the security and privacy requirements that should govern datasets which contain personal data. However, what happens when those datasets include not only personal data but also non-personal information?

There is a new Regulation (Regulation 2018/1807 on a framework for the free flow of non-personal data in the European Union), applicable as of 28 May 2019, that sets out the conditions for the processing and transfer of non-personal data in the European Union and aims at removing obstacles to the free movement of non-personal data across Member States and IT systems in Europe. Accordingly, when it comes to mixed datasets, one should consider not only the GDPR, but also this new Regulation.

The European Commission has published guidance in order to clarify the interaction between the Free Flow of Non-Personal Data Regulation and the GDPR.

For the purposes of the Free Flow of Non-Personal Data Regulation, non-personal data means:

  • data which originally did not relate to an identified or identifiable natural person, such as data on weather conditions generated by sensors.
  • data which were initially personal data but were later made anonymous.

It is defined just as the opposite of the personal data concept of the GDPR.

The Free Flow of Non-Personal Data Regulation has three notable features:

  • It prohibits, as a rule, Member States imposing requirements on where data should be localised.
  • It establishes a cooperation mechanism to make sure that competent authorities continue to be able to exercise any rights they have to access data that are being processed in another Member State.
  • It provides incentives for industry, with the support of the Commission, to develop self-regulatory codes of conduct on the switching of service providers and the porting of data.

Datasets containing the names and contact details of legal persons are in principle non-personal data, except in some cases, such as when the name of the legal person is the same as that of a natural person who owns it or when the information relates to an identified or identifiable natural person.

In the case of a dataset composed of both personal and non-personal data:

  • The Free Flow of Non-Personal Data Regulation applies to the non-personal data part of the dataset;
  • The GDPR free flow provision applies to the personal data part of the dataset; and
  • If the non-personal data part and the personal data parts are ‘inextricably linked’, the data protection rights and obligations stemming from the GDPR fully apply to the whole mixed dataset, also when personal data represent only a small part of the dataset.

What does ‘inextricably linked’ mean?

The concept of ‘inextricably linked’ is not defined by either of the two Regulations. For practical purposes, it can refer to a situation whereby a dataset contains personal data as well as non-personal data and separating the two would either be impossible or considered by the controller to be economically inefficient or not technically feasible. For example, when buying CRM and sales reporting systems, the company would have to duplicate its cost on software by purchasing separate software for CRM (personal data) and sales reporting systems (aggregated/non-personal data) based on the CRM data. Separating the dataset is also likely to decrease the value of the dataset significantly. In addition, the changing nature of data makes it more difficult to clearly differentiate and thus separate between different categories of data.

What is the conclusion then?

Whenever personal data is involved, GDPR applies. However, the Free Flow of Non-Personal Data Regulation gives controllers a chance to manage personal and non-personal data differently where they are suitably separated.

This new Regulation, combined with the GDPR, provides the EU with the most stable legal framework for the free movement of all data within the European Union.


What data should a controller disclose under a data subject access request?

A recent decision from the Cologne Regional Court addresses whether individuals are entitled to receive emails and personal notes as part of a DSAR.

“I want access to all personal data you handle about me”. What should you do as the controller if you receive an email like this? According to GDPR, individuals have the right to obtain:

  • confirmation that you are processing their personal data;
  • a copy of their personal data; and
  • other supplementary information, which largely corresponds to the information that you should provide in the privacy policy.

What does “personal data” mean in terms of a DSAR? Even though this concept is clear for some data categories like contact data, for some others it may be tricky, especially when it comes to information that might affect other people’s rights and freedoms.

GDPR states that the right of access “should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software”. However, expert opinions vary as to the data that should actually be considered to affect third parties. The Data Protection Act 2018 settles this criterion on the likelihood that another individual could be identified from the information disclosed. On a related note, the Cologne Regional Court has recently reached a decision where they assert that the right of access does not include all internal processes, such as notes. Moreover, they claim that the data subject is not entitled to receive all exchanged correspondence. Legal evaluations or analyses are also not considered personal data in these terms. This means that information such as ratings and private notes about employees’ performance or appraisals should not necessarily be disclosed under a DSAR.

We think this is an accurate criterion that properly solves the data subject access request plus protects the controller’s interests. However, although this is a binding decision from the Cologne Regional Court, it does not generally apply to other countries that are subject to the GDPR, so it remains to be seen if this rule becomes a standard.
