New legislation has recently come into effect in the UK to implement amendments to the EU framework for regulating providers of electronic communications networks and services ("EU Framework").
Multinational Japanese companies providing communications and IT-related services (e.g. Cloud Computing and other value added services) in the UK and elsewhere in the EU are potentially subject to the EU Framework and should be aware of the extent to which their business activities may be regulated under it. This is particularly important given the strengthened powers of regulatory authorities to impose fines and other sanctions for breaches.
In this newsletter we look at:
- the EU Framework and its recent changes;
- the new UK legislation and its impact on electronic communications providers; and
- recommendations for Japanese companies.
Overview of the EU Electronic Communications Framework
The original EU Framework was agreed in 2002 with the objective of creating a harmonised set of "future proof" rules appropriate to a convergent, fully liberalised European market place for communications services and networks.
The EU Framework regulates the provision of both electronic communications services ("ECS") and electronic communications networks ("ECN"). The concept of ECS is very wide in scope and includes services which wholly or mainly consist in the conveyance of signals on ECN (but excludes the provision of content, such as television or music, which is subject to separate regulation).
The EU Framework is therefore broad enough to apply not only to providers of more conventional communications services (e.g. mobile providers) but potentially also to providers of certain IT-related services where signals are conveyed on ECN (e.g. Cloud Computing-based services such as "Software as a Service").
Changes to the EU Framework
Given the fast pace of technological change, the EU Framework included provisions for its periodic review, including an obligation for the European Commission to review the effectiveness of the framework as a whole by the end of 2006.
Following this effectiveness review, in November 2007 the European Commission published draft legislative proposals and in November 2009 finally adopted the following two new Directives to amend the EU Framework as well as accompanying regulations and recommendations:
- Better Regulation Directive: Directive 2009/140 amending the Framework Directive (2002/21/EC), the Access Directive (2002/19/EC) and the Authorisation Directive (2002/20/EC) (OJ 2009 L337/37); and
- Citizens' Rights Directive: Directive 2009/136 amending the Universal Services Directive (2002/22/EC), the E-Privacy Directive (2002/58/EC) and Regulation 2006/2004 on consumer protection co-operation (OJ 2009 L337/11).
Whilst there may be some minor differences in local interpretation, in general the substantive rules of the EU Framework apply across all 27 Member States of the EU. Accordingly, all of the Member States were under an obligation to have implemented the new measures by the deadline of 25 May 2011.
New UK legislation
In the UK the following legislation came into effect on 26 May 2011 ("New Regulations"):
- The Electronic Communications and Wireless Telegraphy Regulations 2011: amending the Communications Act, the Wireless Telegraphy Act 2006 and other primary and secondary legislation; and
- The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011: amending the Privacy and Electronic Communications (EC Directive) Regulations 2003 with respect to privacy-related aspects of the EU Framework.
Whilst the New Regulations do not substantially alter the landscape in which electronic communications providers operate, certain provisions will require time and careful consideration, particularly in the context of existing data protection regulatory obligations, as set out below.
Impact on Electronic Communications Providers
The key changes for electronic communications providers under the New Regulations include:
- Reporting Security Incidents: an obligation to notify Ofcom (the UK communications regulator) of any security incident having a significant impact on the continuity of their communications networks and services. Ofcom will, if appropriate, then notify the regulatory authorities in other Member States and the European Network and Information Security Agency. Providers may also need to notify the Information Commissioner (the UK Data Protection regulator) if the incident involves personal data (see the bullet below).
- Data Security Breach Notifications: an obligation to: (i) notify the Information Commissioner of any data security breaches resulting in the accidental or unlawful destruction or loss of, or unauthorised access to, personal data and describe any remedial measures proposed or taken; and (ii) if the breach is likely to adversely affect the personal data or privacy of a subscriber or individual, to notify that subscriber or individual of the breach, describe where more information can be obtained and recommend measures to mitigate any possible adverse effects.
- User Consent to Cookies: companies using "cookies" on their websites are now required to obtain users' consent to their use and can no longer rely on allowing users to "opt out" if they object. As it is unclear from the New Regulations what is required to obtain such consent, the Information Commissioner has published guidance and given a one year grace period for companies to "get their house in order".
- Ofcom Powers: Ofcom has been granted new powers to request information from, and to levy fines of up to £2,000,000 on, electronic communications providers.
Recommendations for Japanese companies
Given the broad scope of the EU Framework, Japanese companies providing communications and IT-related services in the UK and elsewhere in the EU should confirm the extent to which they may be regulated under the EU Framework and how to ensure compliance. The increasing frequency, sophistication and severity of cyber attacks also means that regulated service providers should understand, and ensure they can comply with, their notification and reporting requirements in the event of security breaches. This is particularly important given the strengthened powers of the regulatory authorities, such as the Information Commissioner's new power to impose civil monetary penalties of up to £500,000 in relation to security breaches.