Feyo Sickinghe of Bird & Bird explains the new EU telecoms package and its impact on net neutrality, unsolicited communication, cookies, data usuage and the competition law relating to regulatory communications within Europe.
On 5 June 2012 the revised EU Telecoms package was transposed in the Dutch Telecommunications Act (TA). Fierce discussions with regard to net neutrality, spam and cookies have led to national legislation on top of the Brussels directives. Recently the industry successfully concluded codes of conduct for internet speeds and increased transparency for mobile data usage. On 1 January 2013, the Dutch Competition Authority, OPTA and the Consumer Authority will merge into the Consumers and Markets Authority (ACM), a new super-NRA with unprecedented extensive powers.
According to the new net neutrality provision which enters into force on 1 January 2013, providers of internet access services are prohibited from blocking or delaying applications on the internet, unless the measures by which applications are blocked or delayed are necessary to reduce the effects of congestion, where equal forms of traffic are treated equally, for the integrity and safety of the network, to reduce the transmission of unsolicited communications (such as spam) or to execute a legal requirement or a court order. Providers of internet access services are prohibited from making their rates dependent on the applications and services which are offered or used via their own internet access services.
What are the consequences for the sector? The rules apply to internet access only. Managed services such as VoIP or IP-TV do not fall within the scope of the provision. Restricted internet access offerings with access to certain websites only are no longer allowed. Blocking or delaying internet access by way of traffic management in order to reduce congestion is allowed on a non-discriminatory basis. Individual pricing of applications or services is prohibited as a means to restrict or hinder access to these applications or services. Other forms of price differentiation based on capacity, usage, overbooking and service levels are allowed.
This legislative regime is stricter than the European provisions. It is based on the assumption that the European rules do not suffice to safeguard net neutrality, which remains untested. The strict prevention of price discrimination between certain types of internet users for gaming, VoIP, video or music may drive up the overall price level for consumers.
SPAM AND BLOCKING INTERNET ACCESS
The net neutrality provision also prohibits blocking of unsolicited communication such as spam, viruses or malware without prior consent of the end user. The rationale is that the end user should stay in control of the communication over the internet. As a consequence, ISPs may be prohibited from general blocking of spam, viruses and malware at network level. It is uncertain whether blocking is allowed as a means to ensure the integrity and safety of the network and services without end user consent. More than 90 per cent of e-mail traffic is spam and is by default filtered by the ISPs at network level. ISPs may need to build new systems to manage the customer’s prior consent at services level, which is considered a costly and highly ineffective exercise. The Dutch parliament added an additional provision which prohibits ISPs from terminating the customer’s internet access services for reasons other than default payment, legal compliance or a court order, an act of God or treason. The ISP’s means to counteract cybercrime and to ensure cybersecurity are severely hindered by the new provisions, which is of great concern for the industry. Therefore future amendment of the net neutrality provision seems inevitable.
The new TA stipulates that without prejudice to the Data Protection Act everyone who wishes to obtain access through electronic communication networks to data stored in peripheral equipment of a user or wishes to store data in peripheral equipment of a user must have obtained consent from the user for the act in question. An act that is intended to collect, combine or analyse data on the use of various information society services by the user or subscriber for commercial, charitable or idealistic purposes, is presumed to be processing of personal data as referred to in the Data Protection Act. Although not immediately apparent from the wording of the legal provision, the intention is to require unambiguous consent for cookies – including all tracking cookies. According to OPTA the use of implied consent is not permitted. This may not be in accordance with ‘consent’ as set out in the Data Protection Act which also applies to the cookie provision. Implied consent may be allowed as long as the data subject is properly informed and understands that not taking specific action equals providing consent to the placing and processing of analytic cookies. The provision introduces a presumption that placing cookies intended to collect, combine or analyse (for commercial, charitable or idealistic purposes) data on the use of various information services by the user or subscriber (in practice: tracking cookies) constitutes the processing of personal data. This implies that not only does the consent requirement in the Telecommunications Act apply, but that consent requirements as set out in the Data Protection Act also apply. This would include the requirement for unambiguous consent included in the Dutch implementation of article 7(a) of the European Data Protection Directive (95/46/EC). Serious doubts can be raised as to whether tracking cookies constitute the processing of personal data as set out in the Data Protection Act. Personal data are all data regarding an identifiable or identified individual person. Tracking cookies do not automatically identify the individual person that generates the data. In most households computers are used by various people. Cookies are collected anonymously and without registration of the IP address involved. Furthermore, cookies are processed and analysed by computers instead of people.
The general default acceptance of cookies in browser settings is considered to be insufficient to comply with the cookie provision. The internet Advertising Bureau (IAB) and the Dutch Direct Marketing Association (DDMA) are in the process of the development of practical solutions with OPTA.
The debate on the consequences of the cookie provision may well be fuelled by the telecoms regulator OPTA which, contrary to the Dutch Data Protection Authority, has the power to impose significant penalties for breaches of the Telecommunications Act. Whether this will change remains to be seen. The consequences of the new Dutch cookie regime for the industry are still uncertain.
CONSUMER AND MARKETS AUTHORITY (ACM)
As set out above the Dutch Competition Authority, OPTA and the Consumer Authority will merge into the Consumers and Markets Authority (ACM), a new super-NRA with unprecedented extensive powers per January 1st 2013. However, the ACM incorporation Act is not yet adopted by parliament. The ACM will be granted with powers to request information from companies and to process the information for all its powers. For example, information obtained in the context of merger control may be used to verify compliance with consumer protection legislation. Information may be exchanged with other national and international authorities without any right to be informed or to object for the company involved. The draft proposal for the ACM Coordination Act aims to extend the ACM powers “naming and shaming” of an individual company through the right of the ACM to issue a binding order beyond the scope of violation of specific provisions by the individual company. Moreover, the ACM will be granted powers to levy fines up to 10 per cent of the annual worldwide turnover of the company. Critically, through lacking a official separate status from the Ministry of Economic Affairs the ACM is said not to be an independent regulatory body, as required on the basis of the Framework Directive. Fierce discussions in parliament may end up in subsequent amendments of the ACM Incorporation Act and the ACM Coordination Act in 2013.
These regulatory developments will be confronting electronic communications providers in the Netherlands with specific add-on compliance issues on net neutrality, spam and cookies, and a proactive supervisory authority with extensive powers to request information and to levy substantial fines.
INTERNET SPEEDS AND MOBILE DATA USAGE: INDUSTRY CO-OPERATION IS EFFECTIVE
In the Netherlands there is no official representative organisation for the telecoms sector. Nonetheless, though informal ad hoc working groups the industry has been successful in concluding codes of conduct for internet speeds and increased transparency on mobile data usage, thus avoiding regulatory intervention. Bird & Bird has been closely involved in the drafting and the negotiation process.