Brand new framework for OTT service providers

The European Electronic Communications Code (EECC) was introduced in 2018 by EU Directive¹. All EU Member States were obliged to implement the EECC by 21 December 2020, however, in practice, in many jurisdictions, the implementation procedures have still not been completed.

Under the EECC, new obligations have been imposed on over-the-top (OTT) service providers, i.e. services offered via the internet, on an application level, bypassing telecom infrastructure. This includes number-independent interpersonal communication services such as instant messaging applications, internet phone calls and personal messaging
provided via social media. In practice, this means that OTT service providers will be covered by a brand-new legal framework that was so far applicable only to traditional telecom operators – which may be very challenging, especially for smaller local players.

What are “electronic communication services” under the EECC?

The EECC provides a new definition of electronic communication services. These are defined as services provided via electronic communications networks, including interpersonal communications services, i.e. services normally provided for remuneration that enable direct interpersonal and interactive exchange of information via electronic communications networks between a finite number of persons, whereby the persons initiating or participating in the communication determine its recipient(s).

Additionally, interpersonal communications services cover both ‘numberbased services’ meaning interpersonal communications services which connect with publicly assigned numbering resources (classic phone calls
on the PSTN network or on-line services allowing connection with classic telephone numbers), as well as ‘number-independent interpersonal communications services’, those being services which do not connect with publicly assigned numbering resources.

The new definitions specified above mean that EECC covers not only traditional telecommunication services like telephone calls, e-mails, SMS services – belonging to the category of interpersonal communication services using numbers, but also OTT services covering internet communications within one application, such as WhatsApp, Messenger, Zoom, etc., as well as semi-online communications like SkypeOut allowing its users, based on an online application, to connect with the PSTN network.

EECC creates new opening for e-Privacy Directive

Apart from the subject matter of the EECC itself, the EECC also impacts the scope initially covered by the e-Privacy Directive, i.e. Directive 2002/58 (“ePD“). This is because definitions used by the ePD are now based on the EECC definitions, which means that electronic services covered by the ePD also refer to interpersonal communications services.
In consequence, OTT service providers will fall not only under the scope of the EECC, but they will also be covered by the ePD, determining a new scope of its application.

Complying with security measures, reporting obligations and information clauses

New obligations imposed on OTT service providers by the EECC include an obligation to take appropriate and proportionate technical and organisational measures to appropriately manage the risks posed to the security of networks and services. In particular, encryption mechanisms shall be applied – to prevent and minimise the impact of security incidents on users and on other networks and services.

Security measures include not only technical solutions and devices, but they also refer to an obligation to carry out systematic risk assessments, which may be challenging in practice (it requires on-going analysis and day-to-day risk verification). Additionally, security measures must be documented, and the service providers must allow public authorities to audit their activities.

Apart from security measures, OTT service providers shall notify without undue delay the competent authorities of a security incident that has had a significant impact on the operation of networks or services. What is more, in the case of a particular and significant threat of a security incident, providers shall inform their users potentially affected by
such a threat of any possible protective measures or remedies which can be taken by the users. Where appropriate, providers shall also inform their users of the threat itself.

Under the EECC, service providers are also obliged to provide the users with specific information about the service itself before concluding the agreement. Such information shall be provided in a clear and comprehensible manner on a durable medium. In practice it means that many service providers will have to change their General Terms of Use –
to adjust their regulations to the new requirements.

Obligation from e-Privacy Directive: confidentiality of correspondence and content

Apart from the obligations imposed by the EECC, OTT service providers will also have to apply specific requirements resulting from the ePD. In this respect, the most important obligation refers to the confidentiality of correspondence and content – OTT service providers shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned. This obligation directly affects OTT service providers and makes, for example, targeted ads even
more complicated from a legal point of view.

Additionally, OTT service providers will face limitations relating to the traffic and location data (i.e. data regarding the time of using the service, as well as data indicating the geographic position of the user). According to the ePD, traffic data must be erased or made anonymous when it is no longer needed for the purpose of the transmission of the communication. Moreover, traffic and location data can be used by the provider for marketing purposes only when providing value added services and only upon users’ consent.

Implementation procedure still open, national transposition will vary

The EECC implementation procedure is still open in EU Member States, even despite the initial deadline for implementation that already expired on 21 December 2020. Additionally, it is important to remember that each
Member State may transpose the EECC in a different way, applying a different approach. Therefore, it is very important to track local implementation proceedings – to properly navigate through the new regulatory obligations.

How can companies deal with the new requirements in practice?

• Firstly, companies should consider whether their operations are
  captured by the new rules.
• Secondly, they should introduce legal and technological
  measures to comply with the new requirements.
• From practice we know that such process is quite complicated
  and rather long, and it sometimes even includes suspension of
  certain functionalities or services.

¹ The European Electronic Communications Code (EECC) was introduced in 2018 by the EU Directive 2018/1972.