On January 27, representatives of a number of US ISPs filed a petition with the Federal Communications Commission (FCC) requesting a stay of the rules adopted on October 27, 2016 (under the Obama administration). The rules the ISPs wanted removed were the FCC privacy, data breach and data security rules for broadband Internet access service (BIAS) providers. These rules, which had not yet come into effect, had been labelled as unduly restrictive. This Tuesday the House voted on S.J.Res. 34, repealing the FCC BIAS rules. This has prompted a wave of negative comments (e.g. here). Are they justified, and are Europeans affected?
The essence of the rules was to require ISPs to obtain consent from each individual before collecting and using information for any purpose, including targeted advertising. The harvesting of data is already under the control of the Federal Trade Commission (FTC), and this control extends to ISPs. The new rules, a bolt-on to the FTC's existing control, would have created a new regime for ISPs only, subjecting them to more stringent control, probably guided by the idea that ISPs have unique insight into users' browsing habits (this is only partly correct: encryption hides the content of a page, but the ISP still sees destination IP addresses, DNS lookups and the server names sent in TLS handshakes, so it can usually tell which sites a user visits even when the traffic itself is encrypted). The FTC regime is, in essence, an opt-out regime: users can withdraw their assumed consent. The FCC regime would have been an opt-in regime.
As already pointed out, in spite of an outcry from privacy advocates, the repeal will have little practical impact. This is because a) the FCC regime it repeals had not yet come into force at the time of repeal, b) many ISPs have already pledged to maintain existing levels of consumer privacy and c) the repeal simply leaves data collection in the state it has been in until now. The Internet advertising market, which is dominated by Google, now remains open to a degree of competition, although all the criticism that could be levelled at US data collection practices prior to the FCC's October 2016 attempt (practices which are now in place again) is still valid. In other words, whereas it is certainly true that US Internet privacy is not ideal, this is not for the reasons stated in most public comments.
But what is the situation in the EU, and do American rules affect users in the EU?
The question of the extent to which EU broadband providers in their own right are subject to privacy oversight is split between regulation affecting the carrier and content layers of the Internet. The carrier layer is subject to telecommunications laws[2] and covers the wired and wireless infrastructure carrying the signal (rules on setting up operations, access to other providers' networks, obligations towards consumers, spectrum management, etc.). These rules do not regulate content itself. The latter is subject to a different set of disciplines, electronic commerce laws[3] and audiovisual media services laws,[4] which do not affect the carrier layer but do regulate content (contracts, consumer law, protection of minors, advertising, copyright, etc.). The division between the content and carrier layers matters because the EU regulates privacy on both, and ISPs operate on both. Privacy on the content layer is largely subject to the 1995 EU Data Protection Directive (DPD, soon to be replaced by the GDPR). Privacy on the carrier layer is subject to a special directive, the 2002 ePrivacy Directive (itself the subject of a proposed replacement tabled in 2017 and currently under review). An activity in the digital world may be regulated under both regimes if it moves across the content and carrier layers, or under one only.[5]
An EU ISP in its role as a broadband provider is subject to the DPD (which covers all situations where personal data relating to identified or identifiable customers is gathered with the aid of automation). It is also subject to the ePrivacy Directive in its role as a telecommunications provider, in respect of the data that consumers request from third parties through the ISP's infrastructure. In other words, if the data merely moves through the ISP's wires and it is not the ISP itself that supplies the data, the transaction is subject to the ePrivacy Directive. Content providers such as Google, Facebook or a local newspaper are not telecommunications providers and are, as a rule, subject only to the DPD and to those elements of the ePrivacy Directive which do apply to the content layer (cookies and spam).
Having said all this, what does the ePrivacy Directive actually say about ISPs, and will that change under the ePrivacy proposal?
The ePrivacy Directive applies to all telecommunications providers.[6] Two general obligations imposed on providers[7] are the obligation to secure the processing of data[8] and to maintain confidentiality.[9] The general rule on traffic data, Article 6(1), demands that such data be erased or made anonymous "when it is no longer needed for the purpose of the transmission of a communication." Exceptions exist for billing, marketing and value added services, as well as for reasons of national security, defence, public security and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of electronic communication systems.[10] In Article 6(3), the exception relating to marketing is framed as an explicit opt-in:
For the purpose of marketing electronic communications services or for the provision of value added services, the provider of a publicly available electronic communications service may process the data […] to the extent and for the duration necessary for such services or marketing, if the subscriber or user to whom the data relate has given his or her prior consent. Users or subscribers shall be given the possibility to withdraw their consent for the processing of traffic data at any time. [emphasis added]
This is the level of protection consistent with what would have come into place in the US after the now moribund October 2016 intervention. Location data other than traffic data,[11] per Article 9, may only be processed when "made anonymous, or with the consent of the users or subscribers to the extent and for the duration necessary for the provision of a value added service." In such cases users are informed of the collection and can withdraw their consent. Furthermore, Article 9(2) also requires that, where consent has been given, users be allowed to temporarily suspend collection in an easy and free-of-charge manner.
The 2017 proposal for an ePrivacy Regulation is at this stage only a proposal (unlike the GDPR, which has been adopted). It is a more complex and more confusing document than its predecessor. The new Article 6 proposes to allow the processing of electronic communications metadata,[12] among other cases, when
the end-user concerned has given his or her consent to the processing of his or her communications metadata for one or more specified purposes, including for the provision of specific services to such end-users, provided that the purpose or purposes concerned could not be fulfilled by processing information that is made anonymous.
The wording differs from the current Directive. Whereas Article 6(3) of the ePrivacy Directive allows collection for marketing purposes or for the provision of value added services, the new proposal is more permissive as to the types of services for which collection is possible. It covers all situations where the user gives consent for a purpose which is "specified" and which includes (but is not limited to) the provision of "specific services". The only limitation comes in the form of a requirement that the purpose could not have been achieved by processing anonymised information. Content itself (rather than metadata) may be processed only if the provision of a consumer-requested electronic service could not be achieved without such processing. Although the article no longer specifies that the consent is "prior", this follows from Article 9's reference to the GDPR's conditions for consent.
Overall, the new article is slightly more permissive in terms of the purposes for which metadata may be collected, but it does not relax the conditions (prior consent, possibility of withdrawal, etc.) for collection. On the contrary, it underlines that such collection is possible only where anonymisation would not fulfil the purpose and only with the user's consent.
In conclusion, the EU opt-in regime (under both the present and the proposed ePrivacy rules) provides somewhat better protection, on paper at least, than its American opt-out counterpart. Overall, ISP data collection practices are regulated on both sides of the Atlantic, and the demise of the October 2016 rules is likely to be of little consequence. On the other hand, data collection practices on the service and application layer (i.e. not ISPs) remain an issue both in the USA and in the EU, but are legally and logically not part of this debate. Finally, the fact that the EU regime is more robust on paper is not in itself evidence that EU users are better protected in real life.
- [2] Officially referred to in the EU as electronic communications law.
- [3] See the EU E-commerce Directive, the framework instrument for this area.
- [4] See the AVMS Directive and the 2016 proposal for its reform.
- [5] To make things even more complicated, the ePrivacy Directive does regulate certain issues on the content layer, such as cookies and spam.
- [6] Articles 1 and 3.
- [7] Not only ISPs but all providers of telecoms services.
- [8] Article 4. This is general security against outside breaches.
- [9] Article 5. This relates to surveillance, tapping, etc.
- [10] See Article 15.
- [11] Traffic data refers to ordinary data about the electronic transaction (e.g. IP address, duration, etc.). Location data refers only to geographical location.
- [12] Which is information about the type, duration, IP, etc. of a transaction but not the content itself. "Location" in this context means a company with a corporate seat in the United States and subject to US laws, irrespective of where the equipment (i.e. servers) used to collect data is located.