The EECC, the ePD and the GDPR – a complex interplay creating a breach notification nightmare for providers of communications services
What impact will the implementation of the new Directive establishing the European Electronic Communications Code (2018/1972) (EECC) have on the scope and application of the ePrivacy Directive (2002/58/EC) (ePD) for providers of electronic communication services?
The key takeaway
The EECC amends the current definition of ‘electronic communications service’ and must be transposed into national law in each EU member state by 21 December 2020. Once implemented, it will bring all over-the-top (OTT) interpersonal communications services (eg Google Duo, WhatsApp and Facebook Messenger) within the scope of the ePD, catching a far broader range of providers than today. The implications are significant, not least the incredibly burdensome notification requirements placed on these providers in breach scenarios under both the ePD and the EECC, including, in the case of the ePD, local-language notifications in (potentially) each of the 27 EU member states within 24 hours of detecting the breach.
The EECC, the ePD and the GDPR
The ePD was introduced in 2002 and focuses on protecting the privacy and security of personal data in electronic communications. It requires the provider of a publicly available electronic communications service to take “appropriate technical and organisational measures to safeguard security of its services” (Article 4.1).
In 2009, the ePD was amended by the Citizens’ Rights Directive (2009/136/EC), which introduced several new measures, including a requirement on providers to report personal data breaches and a requirement to obtain users’ consent before storing cookies (or similar identifiers) on their devices or accessing them, unless doing so is strictly necessary to carry out the transmission or to provide a service the user has explicitly requested. As a result, the ePD has since been dubbed ‘The Cookie Law’.
Following a public consultation by the European Commission that closed in July 2016, the ePD was due to be replaced by the ePrivacy Regulation (ePR) in May 2018, alongside the General Data Protection Regulation (GDPR). To date, EU member states have been unable to agree on the new ePR and it remains in draft. Estimates vary, but some commentators do not expect the ePR to be agreed until 2023; with a transitional period of 24 months, the ePR would then not come into effect before 2025. Once introduced, the ePR will essentially carry forward the ePD but with stricter rules for securing electronic communications, for example requiring the content of messages to be erased or anonymised once it has been received by the intended recipient.
In the meantime, the EECC was formally adopted in December 2018 and is due for implementation in each EU member state by 21 December 2020. Its aim is to drive investment in new high-capacity networks (think 5G, new fibre networks etc) and to level the playing field between traditional telecommunications companies and OTT providers. Its expanded definition of ‘electronic communications service’ catches internet access services, services consisting wholly or mainly in the conveyance of signals, and interpersonal communications services, the last of which are sub-divided into ‘number-based’ services (standard telephony, which connects to publicly assigned numbering resources) and ‘number-independent’ services (WhatsApp, Skype etc).
The notification nightmare
One of the practical impacts of the EECC is that all these providers must notify the competent authority ‘without undue delay’ of any security incident that has had a significant impact on the operation of their networks or services. Significance is judged by reference to the number of users affected, the duration of the incident, the geographical area affected, the extent of the disruption and the impact on economic and societal activities; think issues such as outages, service disruption or unavailability. Note that this test looks at the service rather than at personal data: an outage involving no loss of personal data at all can still be notifiable.
This is in addition to notification obligations under the ePD, which provides that all in-scope personal data breaches must be reported to the relevant national regulator(s) in each country affected by the breach no later than 24 hours after the breach is detected (Regulation 611/2013 sets out the detail). Unlike the GDPR, the ePD has no “risk to the rights and freedoms” threshold for notifying the regulator, so the 24-hour obligation is a strict one that applies to every personal data breach suffered by a provider, however minor; the question of likely adverse effect arises only when deciding whether affected subscribers or individuals must also be told.
It is worth bearing in mind that on top of the notifications to the relevant competent authorities, both the ePD and the EECC include obligations relating to the notification of impacted individuals: under the ePD, subscribers or individuals must be told where the breach is likely to adversely affect their personal data or privacy; under the EECC, users potentially affected by a particular and significant threat of a security incident must be informed of any protective or remedial measures they can take.
At the time of writing, there is no pan-European ‘one stop shop’ for notifying data breaches under the EECC or the ePD, meaning an EU-wide breach must be reported to each competent authority of the 27 member states. It is also worth noting that there are substantive differences in the way notifications must be made under each piece of legislation – from the way questions are phrased to the detail required of each response and how that information is received by the relevant national regulator.
To complicate matters further, it is entirely possible for a single incident to fall under the remit of both the ePD and the EECC (imagine an incident hitting an OTT service that involves both a leak of personal data and a service outage at the same time), meaning up to 54 separate notifications (two per member state).
And, on top of all this, don’t forget that the provider may also have an obligation to notify under the GDPR where a personal data breach affects not only processing falling within the scope of the ePD (eg the accessing of a user’s terminal data) but also other processing falling exclusively within the scope of the GDPR (eg the onward processing of that terminal data). In other words, while the ePD is a ‘lex specialis’ (so, by virtue of Article 95 GDPR, its specific breach notification rules displace the more general ones under the GDPR for the processing it covers), there may still be occasions where a separate GDPR notification, within the GDPR’s own 72-hour window, is also required.
A highly complicated interplay of overlapping regulations which create a breach notification nightmare? Absolutely.
Why is this important?
In the UK, the Information Commissioner’s Office is responsible for the enforcement of the ePD (implemented in the UK as the Privacy and Electronic Communications Regulations 2003). Providers found to be in breach could receive a fine of up to £500,000. Repeated across other member states, the figures would quickly begin to add up. In relation to the EECC, each individual member state is responsible for setting out penalties in its implementing legislation (very few of which have actually been put in place as at the date of writing).
The fact that there is no uniform way of notifying the regulators of data breaches under the ePD and EECC means that providers who offer OTT services across Europe should familiarize themselves with the notification procedures in each of the 27 member states. Preparatory work in setting up a process for meeting the requirements under each notification procedure (which differ between member states) is particularly crucial given the strict ePD obligation to notify within 24 hours.
Any practical tips?
While all eyes have been on the ePR, you would be forgiven for missing the extended application of the ePD by virtue of the EECC. But if you are a provider of OTT services and are about to be brought ‘in scope’, you had better get familiar with the ePD, and quickly!
Reporting breaches under the EECC and the ePD, in particular setting up processes for making notifications in potentially 27 different member states within 24 hours with different language requirements, will take some planning – and that 21 December deadline is fast approaching.
If you need help in thinking this all through, including the practicalities of meeting international data breach notifications under tight timelines, RPC’s award-winning 24/7 breach service – ReSecure – is here to help.