European Electronic Communications Package moves closer to UK transposition

The UK government is preparing to transpose Directive 2002/21/EC on a common regulatory framework for electronic communications networks and services (the Framework) into UK law. The Framework is a new regulatory package that will affect how service providers supply email, telecommunications and internet access services, but it seems to have received very little attention.

The Framework consists of five related Directives:

  • the “Framework” Directive (2002/21/EC);
  • the “Access” Directive (2002/19/EC);
  • the “Authorisation” Directive (2002/20/EC);
  • the “Universal Service” Directive (2002/22/EC); and
  • the “E-Privacy” Directive (2002/58/EC).

Several provisions from the Framework are worth noting briefly. (Further detail can be found in a recent discussion paper of the Department for Business Innovation & Skills, entitled Implementing the Revised EU Electronic Communications Framework.)

Security and integrity of computer networks

First, the Access Directive includes a number of provisions which impose new obligations on service providers to meet security and availability standards, and to notify certain network breaches to competent authorities. Article 13a provides as follows:

Article 13a Security and integrity

  1. Member States shall ensure that undertakings providing public communications networks or publicly available electronic communications services take appropriate technical and organisational measures to appropriately manage the risks posed to security of networks and services. Having regard to the state of the art, these measures shall ensure a level of security appropriate to the risk presented. In particular, measures shall be taken to prevent and minimise the impact of security incidents on users and interconnected networks.
  2. Member States shall ensure that undertakings providing public communications networks take all appropriate steps to guarantee the integrity of their networks, and thus ensure the continuity of supply of services provided over those networks.
  3. Member States shall ensure that undertakings providing public communications networks or publicly available electronic communications services notify the competent national regulatory authority of a breach of security or loss of integrity that has had a significant impact on the operation of networks or services.

These requirements have the potential to be significant new anti-cybercrime measures. On their face, they require various network intermediaries (from backbone operators to hosts and ISPs) to adopt new security measures, meet uptime/continuity guarantees and publicly notify security breaches. Importantly, however, they apply only to ‘publicly available electronic communications services’, rather than private networks. Of course, the distinction between ‘public’ and ‘private’ networks is likely to prove the subject of argument.

Cookies and privacy

The E-Privacy Directive contains a number of measures designed to increase user privacy on the internet. Unfortunately, they are expressed in rather vague language, which the UK government proposes simply to transpose without clarification. For example, article 5 of the Directive deals with client-side data storage (usually in the form of cookies):

5.3    Member States shall ensure that the storing of information or the gaining of access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the
purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of
carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the
service.

Although this provision is primarily concerned with cookies, it is drafted broadly. It could potentially include other forms of client-side information storage, like temporary files, spyware or viruses. The biggest problem with this provision is its uncertainty: just what is a ‘strictly necessary’ form of storage or access remains undefined, and is likely to change frequently. Is the use of third-party tracking cookies by website advertisers to measure campaign performance and identify audience composition a ‘necessary’ use? It’s certainly a universal one — and a practice that would be made difficult, if not impossible, were the Directive to be applied literally.

The Register has a good article criticising the proposed approach to the new cookie rules here.

The government has until 25 May 2011 to implement the Framework’s components.