More Obligations for Electronic Communication Providers by Implementation of New European Framework in Telecommunications Act
Prologue: Cookie Rules Too Strict?
In early November of this year, the bill to amend the
Dutch Telecommunications Act ("TA") was sent to the Lower
House of Parliament (TK 2010-2011, no. 32549). This bill aims to
implement the amended European regulatory framework (Directive
2009/140/EC and Directive 2009/136/EC).
This summer, the bill already caused a stir when it was presented
in draft form for consultation via the Internet. The bill provided
for an opt-in for cookies, which means that before placing and
reading each separate cookie, users would have to give their
explicit and unambiguous consent. The response from the market was
that this provision went beyond the Directive and the
implementation in other Member States. The bill was called
user-unfriendly, and critics said it would cause more personal data
to be stored.
Thus, the bill would overreach itself, while its aim is to improve
protection of personal data and privacy. The protests from the
market have caused the ‘cookie regulations’ in this bill to be
adapted. In this article, we will discuss the new cookie
regulations and several other important changes in the bill. In our
July newsletter we already discussed the
opinion (dated 22 June 2010) of the Article 29 Data Protection
Working Party 2010 on this topic.
Security
Pursuant to Section 11.3 of the TA, providers shall take
appropriate technical and organizational measures to ensure the
safety and protection of the networks and services they provide.
The existing obligation to inform subscribers of special risks of
breach of the security, and what measures will be taken in that
case, continues to apply. The proposal to add a paragraph j to
Section 7.1 (1) of the TA is new. In this paragraph it is stated
that the provider must specify in the contract with the subscriber
what measures it will take in the event of security breaches and
vulnerabilities. The provider may specify, for example, what
measures it will take in case of hacking. Furthermore, a new second
paragraph will be added to Section 11.3 of the TA which will
obligate the provider to develop a security policy as part of the
technical and organizational measures.
The bill also contains a twofold duty for providers to report
any breaches of security measures. Providers have to notify OPTA of
a breach if it has adverse effects on the protection of personal
data. If the breach is likely to have negative effects on the
protection of the privacy of the subscriber(s) whose personal data
it concerns, the provider must also notify this subscriber of the
security breach (Article 11.3a of the bill). Currently, no such
duties to report ‘security breaches’ exist yet in the Netherlands.
The duty is limited to providers of public electronic communication
services; it does not include, for example, providers of
information services.
Access
If access to certain services (specifically: the Internet) or
the use of certain (internet) services is restricted, the bill
compels providers to report this to consumers, so that consumers
may consider switching providers. Should the access to specific
services be compromised at any time, this bill allows the Minister
to impose requirements on providers in order to ensure access.
This way the bill makes it possible to
lay down rules for the purpose of net neutrality (Article 7.4a of
the bill). Should the legislator wish to use this option, it will
have to report this long in advance to the European Commission and
the new body for electronic communication, BEREC, to ensure that
the envisaged requirements do not adversely affect the functioning
of the internal market.
Cookies
The rules for gaining access to information stored at the
peripherals and for placing information (such as cookies) on the
peripherals will be tightened. In practice this means that the user
will have to give prior consent for the placing of cookies etc.,
and that the user must be given clear and comprehensive information
about the purpose of the access or storage by means of the cookies.
If it concerns personal data, then the information obligations of
Articles 33 and 34 of the Dutch Data Protection Act must be
respected. If no personal data are involved, then in any case the
purposes of the access or storage must be notified. Incidentally,
the bill does not seem to stipulate that this information must
always be provided in advance, as was feared; the duty to notify
can also be complied with simultaneously while the cookie is read
or placed. No “unambiguous” consent of the user will be required
either, as had been announced earlier.
Users with Physical Disabilities
The bill aims to realize equal access for users with a disability.
Supplementary services will have to be created for these users,
allowing them access to universal services in a way equivalent to
that of other users (this is an adaptation of Section 9.1 of the
TA). Furthermore, by changing Section 7.8 the bill provides the
option of introducing rules to further the availability to people
with physical disabilities of public electronic communication
services not included in the universal service, which are
bought by the majority of users. At the moment, there are no
concrete plans to lay down rules of the latter kind.
Conclusion
If this bill is adopted, providers will have to comply with a number
of new obligations, including several obligations to report. The
most striking of these is the obligation to report security
breaches, which will probably demand the greatest effort on the
part of providers. When this bill is adopted, providers will have
to examine the sufficiency of their personal data security to
prevent negative publicity and possible claims for damages from
users after reporting a security breach. The bill also requires
providers to be more open with subscribers about security,
which may result in contract amendments.
But first the Lower House of Parliament will have to examine
this bill. In the debate, the new cookies regulations will
certainly be discussed too. The new framework should officially be
implemented by 25 May 2011. Time will tell if that date will be
respected.