As part of the EU strategy to create a Digital Single Market, Directive 2018/1972 of the European Parliament and Council establishing the European Electronic Communications Code (the „EECC” or the „Code” and the „EECC Directive”) was published on December 17th, 2018 and entered into force on December 20th, 2018. The EECC should be considered together with EU Regulation 2018/1971 establishing the Body of European Regulators for Electronic Communications („BEREC”).
Although the deadline for transposing the EECC Directive into national law was December 21st, 2020, the Member States have not rushed to do so. The European Commission („EC”) therefore announced on February 4th, 2021 that it had initiated infringement proceedings (formal notices as per art. 258 of TFEU) against 24 Member States, including Romania, for failing to transpose the EECC. At the time when the EC announced the initiation of infringement proceedings, only Greece, Hungary and Finland had notified the Commission that they had adopted all necessary measures for transposing the Directive, thus declaring their transposition complete. Currently, according to the EC Infringement Cases Database, there are still 24 active infringement cases related to the EECC Directive. Hence, there is no better time than now to recall some of the main features of the EECC in general, and data privacy related matters in particular.
1. What is the transposition stage of the EECC in Romania?
Although intentions for timely action existed, a draft law aiming at transposing the EECC Directive was initiated and published by the Romanian Ministry for Transport, Infrastructure and Communications only on October 15th, 2020 and the consultation period expired on November 2nd, 2020 („Draft Law Transposing the EECC”). Since then, no other legislative developments have occurred, except for the announcement of the Government Legislative Agenda for 2021, which provides that the deadline for the responsible ministry to present the Draft Law Transposing the EECC to the Government is April 2021.
The EECC Directive repealed (starting with December 20th, 2018) and consolidated into one package the Access, Authorisation, Framework and Universal Service directives, which represented the framework for telecom services. The current Romanian telecoms regulatory framework is based on the directives identified above, which over time have been implemented under several regulatory acts, some of them being repealed and replaced by others. At present, the main legislative acts are Government Emergency Ordinance no. 111/2011 on electronic communications („GEO 111/2011”) which transposes almost all the provisions contained in the directives identified above, and Law no.159/2016 on the regime of physical infrastructure of electronic communications networks („Law 159/2016”) which transposes certain provisions of the Framework Directive and Directive 2014/61/EU of the European Parliament and of the Council of 15 May 2014 on measures to reduce the cost of deploying high-speed electronic communications networks.
According to the Draft Law Transposing the EECC, the following regulatory acts will be amended in order to transpose the provisions of the EECC into the national law: (i) GEO 111/2011; (ii) Law 159/2016; (iii) Government Emergency Ordinance No 34/2014 on consumers’ rights in the contracts concluded with professionals; (iv) Government Emergency Ordinance No 22/2009 on the establishment of the ANCOM; (v) Government Emergency Ordinance No 34/2008 on the organisation and functioning of the National Unique System for Emergency Calls; and (vi) Law No 50/1991 regarding the authorization of construction works. However, it is too early to analyse the provisions of the Draft Law Transposing the EECC to find out how the EECC Directive will be transposed, as changes could occur in the legislative process. Therefore, the following information will be strictly limited to the EECC Directive provisions.
2. Who should be aware?
Compared to Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services („Framework Directive”), the EECC has adopted a broad definition of the Electronic Communication Service („ECS”), which now includes the following sub-categories:
- Internet access service, defined as a publicly available electronic communications service that provides access to the internet, and thereby connectivity to virtually all end points of the internet, irrespective of the network technology and terminal equipment used;
- Service consisting wholly or mainly of conveyance of signals, such as transmission services used for the provision of machine-to-machine services and for broadcasting; and
- Interpersonal communication service („ICS”). Insofar as this last service is concerned, we have noted the following:
a) General definition. ICS is defined as a service normally provided for remuneration that enables direct interpersonal and interactive exchange of information via electronic communications networks between a finite number of persons, whereby the persons initiating or participating in the communication determine their recipient(s), and does not include services which enable interpersonal and interactive communication merely as a minor ancillary feature that is intrinsically linked to another service (see point (iii) (c) below). The key features of the ICS are the following:
- Communications between a finite number of individuals. Communications involving legal entities fall within the scope of the ICS definition where individuals act on behalf of those legal entities or are involved at least on one side of the communication;
- Interactive communication means that the service allows the information recipient to respond.
The EECC Directive provides certain examples of ICS: voice calls, all types of emails, messaging services, group chats. However, services which do not meet the requirements listed above, such as linear broadcasting, video on demand, websites, social networks, blogs, or exchange of information between machines, should not be considered ICS.
b) Two types of ICS. The ICS is further sub-divided into number-based („NB-ICS”) and number-independent („NI-ICS”). While the first category refers to standard telephony services which imply publicly assigned numbering resources and are subject to the full regulatory regime, the second category does not connect with numbers in numbering plans and covers the over-the-top services („OTTs”), which will be subject to a milder regulatory regime. The inclusion of the OTTs in the scope of the EECC is one of its key novelties. According to BEREC’s Report on OTT services, an OTT service is a content, a service or an application that is provided to the end user over the public Internet.
Therefore, the EECC puts an end to all the debates on whether or not OTTs are ECS. Moreover, such a qualification may have a direct impact on the case law of the European Court of Justice („ECJ”), which may need to review its jurisprudence, considering the Gmail Case C-193/18, where the ECJ found that a web-based email service which does not itself provide internet access, such as the Gmail service, does not consist wholly or mainly in the conveyance of signals on electronic communications networks and therefore does not constitute an „electronic communications service”.
c) The case of ancillary services. The EECC does not cover those services which enable interpersonal and interactive communication merely as a minor ancillary feature that is intrinsically linked to another service. The terms „minor” and „purely ancillary” should be interpreted narrowly and from an objective end-user’s perspective (e.g., where its objective utility for an end-user is very limited and where it is in reality barely used by end-users). An example of a feature that could be considered to fall outside the scope of the definition of ICS might be, in principle, a communication channel in online games, depending on the features of the communication facility of the service.
3. How does the EECC impact other relevant European and Romanian pieces of legislation?
- The E-Privacy Directive and the Romanian E-privacy law
a) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector („The e-Privacy Directive” or „ePD”) which establishes specific privacy rules for the electronic communications sector is the sole directive out of the existing regulatory framework for electronic communications networks and services which was not consolidated and replaced by the EECC Directive. Instead, the e-Privacy Directive will be replaced by the e-Privacy Regulation, the proposal being now under legislative procedure.
However, until the adoption of the e-Privacy Regulation, the ePD will continue to apply, strongly influenced by the EECC in terms of its scope of application. First, Article 2 of the ePD provides that the definitions of the Framework Directive shall apply, meaning that ePD was applicable only to those ECS defined in the Framework Directive. Second, Article 125 of the EECC Directive provides that references made to the repealed directives (including the Framework Directive) shall be construed as references to the EECC Directive. Consequently, considering that EECC has expanded the ECS definition, the scope of the ePD was expanded accordingly and will cover, in addition to traditional telecom providers, the OTTs as well, as explained above at (3), which did not previously fall within the ECS definition.
b) The Draft e-Privacy Regulation provides that while it is not an integral part of the EECC, it partially relies on definitions provided therein, including that of „electronic communications services”. Similar to the EECC, the draft e-Privacy Regulation also brings the OTT providers within its scope in order to reflect the market reality. In addition, the EECC will complement the e-Privacy Regulation by ensuring the security of electronic communications services. Finally, if adopted, the e-Privacy Regulation will repeal the e-Privacy Directive.
c) Romanian e-Privacy Law. The enactment of the Draft Law Transposing the EECC will lead to the extension of the scope of Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector („Romanian e-Privacy Law”) considering that article 2 para. (2) of this law sets forth that certain definitions provided under GEO 111/2011 (including, amongst others, the ECS definition) are applicable as well. Also, if the e-Privacy Regulation is adopted, the Romanian e-Privacy Law will probably cease its effects, considering the direct applicability of an EU regulation.
d) EU General Data Protection Regulation 2016/679 („GDPR”)
According to Recital no. 173 and Article 95 of the GDPR, the regulation should be applicable to all matters concerning the protection of fundamental rights and freedoms vis-à-vis the processing of personal data, which is not subject to specific obligations, with the same objective set out in ePD, including the controller’s obligations and the individuals’ rights. At the same time, according to Recital no. 15 of the EECC, the processing of personal data by ECS, whether as remuneration or otherwise, should comply with the GDPR.
Therefore, as long as there are certain aspects specifically covered by the ePD (lex specialis), the ePD will apply with priority to the GDPR and the ECS should perform their activity mainly based on the ePD with respect to those specifically covered matters. For matters not specifically covered by the ePD, the ECS will have to observe the GDPR provisions.
e) E-commerce Directive and Romanian E-commerce Law
According to Recital no. 270 of the EECC, the EECC and the ePD are without prejudice to the E-commerce Directive, which, inter alia, contains a ‘mere conduit’ rule for intermediary service providers, as defined therein. As such, the Draft Law Transposing the EECC in Romania should not affect Law no. 365/2002 on electronic commerce („Romanian E-commerce Law”).
4. How does the EECC impact your company?
- The regulatory regime levels
a) NI-ICS benefit from a lighter regulatory regime, as they should be subject to obligations only where public interests require that specific regulatory obligations apply to all types of interpersonal ICS.
b) Other ECS are subject to the full regulatory regime. NB-ICS are treated on the same level as the traditional telecom services they participate in, and hence they also benefit from a publicly assured interoperable ecosystem.
- Authorisation regime
a) NI-ICS are not subject to the general authorisation regime, nor are they subject to the notification regime. The main rationale of this exception is that NI-ICS do not benefit from the use of public numbering resources and do not participate in a publicly assured interoperable ecosystem.
b) Other ECS (including NB-ICS)
- General authorisation regime is maintained, implying that no explicit market entry decision or administrative act can legitimately be required. This regime is designed as a legal framework of reference created in the form of a set of obligations that are listed in Annex 1 of the EECC Directive, which providers must abide by in order to legitimately provide their services, and compliance with which shall be verified ex post.
- Declaratory notification may be envisaged. Such a notification shall not entail more than a declaration by a natural or legal person to the NRA or other CA of their intention to start the provision of electronic communications networks or services, supplemented by relevant minimal information, exhaustively indicated in the EECC (e.g., name of the provider, legal status, description of network and services, contact person, Member States concerned). Also, these providers shall not be required to obtain an explicit decision or any other administrative act from such authority or from any other authority before exercising the rights derived from the general authorisation.
- Data privacy requirements
a) Conditions attached to the general authorisation. Among these conditions are personal data and privacy protection specific to the electronic communications sector in line with the ePD and enabling legal interception by competent authorities as per the GDPR and ePD.
b) Requirements provided under ePD. All the ECS, as defined in the EECC, should consider the privacy obligations set forth under the ePD, such as:
- Confidentiality of communications, which prohibits listening, tapping, storage or other kinds of interception or surveillance of communications and of related traffic data;
- Restrictions related to traffic data, according to which the traffic data must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication;
- Restrictions related to location data, according to which such data may only be processed when it is made anonymous, or with the consent of the users or subscribers to the extent and for the duration necessary for the provision of a value-added service.
- Security of networks.
c) Requirements under the GDPR
- Processing of personal data by ECS, whether as remuneration or otherwise, should comply with the GDPR which shall apply, amongst others, to the aspects related to security of networks and services, personal data provided before the performance of the service or collected in the context of the provision of the service etc.
- „Remuneration” in this context has a broad meaning, including such situations in which the service is provided in exchange for providing personal data, situations in which the end-user is exposed to advertisements as a condition for gaining access to the service, or situations in which the service provider monetises personal data it has collected.
a) General information request (including NI-ICS). National Regulatory Authorities („NRA”), competent authorities („CA”) and BEREC may request in a proportionate and reasoned manner, information (including financial) from ECS to ensure compliance with the EECC. Where the information gathered is insufficient, the NRA/CA may request information from other relevant undertakings in closely related sectors.
b) Particular information request (excluding NI-ICS). NRAs, CAs, and BEREC may request information to ensure compliance with the general authorisation conditions, the rights of use or the specific obligations.
- End-user rights
a) Microenterprises NI-ICS. Except for the non-discrimination and fundamental rights safeguards, the EECC provisions on end-user rights shall not apply to microenterprises providing NI-ICS unless they also provide other electronic communications services.
b) Other ECS (including NI-ICS different from those mentioned above). The EECC sets forth detailed requirements related to contractual information; contract duration and termination; transparency, comparison of offers and publication of information; quality of service related to internet access services and publicly available interpersonal communications services etc.
- Interoperability requirements
- NI-ICS. EECC allows, subject to certain conditions, for the imposition of interoperability requirements on NI-ICS in justified cases, where end-to-end connectivity between end-users is endangered due to a lack of interoperability between interpersonal communications services.
- Other ECS are required to be interoperable, and the NRA or CA may impose the obligation to interconnect their networks, to make their services interoperable etc.
- Security requirements. The ECS providers shall take appropriate and proportionate technical and organisational measures to appropriately manage the risks posed to the security of networks and services. The EECC regulates the nature of such measures, security incidents and assessment of their significance, information requirements, implementation and enforcement etc.
The EECC represents the new framework for connectivity aimed at ensuring an integrated approach for traditional telecom operators and the new wave of online market players and at increasing consumer protection irrespective of their service provider.
As far as Romania is concerned, it remains to be seen what the final form of the Law Transposing the EECC will look like once it is adopted, and how the directive will be concretely transposed. From a practical perspective, one of the challenges of the EECC will be for the OTT service providers to assess whether they fall within the scope of the EECC or not and further take all measures to comply with the provisions of the ePD and the EECC or adapt them as needed. Nevertheless, this is applicable to all the new market players covered by the EECC.
By Monica Iancu, Partner, and Vasile Soltan, Associate, Bondoc si Asociatii