This training course focuses on the requirements of personal data protection in the telecommunications sector, including confidentiality of communications, lawful processing of electronic communications data, consent, and data retention.
Personal Data Protection Requirements for the Telecommunications Sector
EU Twinning Project
Expert: Dr. Philip Scholz
Project Activity 3.7: Training Courses
Date: 27/03/2019
This project is funded by the European Union
Overview
• Technical and Economic Development
• EU Legal Framework – Today and in the Future
• Moldovan Law
• Key Requirements on Data Protection in Electronic Communications
  • Confidentiality of Communications
  • Lawful Processing of Electronic Communications Data
  • Consent
  • Use of Cookies and Similar Techniques
  • Unsolicited Direct Marketing Communications
  • Data Retention
Electronic Communications
• (traditional) telecom services
  • voice telephony
  • text messages (SMS)
  • electronic mail conveyance services
• have been largely replaced by (new) online communication services
  • Voice over IP
  • instant messaging services (videos, images)
  • web-based e-mail services
  • so-called OTT or Over-the-Top services (e.g. Viber, WhatsApp, Threema, Signal, FaceTime, Skype, Gmail, Yahoo, etc.)
• → the new services require the same level of confidentiality of communications as the traditional ones
Facts & Figures
The services most often used in the EU:¹
• On a daily or almost daily basis
  • 74% call or text on a mobile phone
  • 81% browse the internet
  • 72% send & receive e-mails
• On a daily or almost daily basis
  • 50% use the internet for instant messaging
• A few times a month
  • 46% make internet phone or video calls
¹ Source for all survey results: Flash Eurobarometer 433 on ePrivacy, December 2016
Facts & Figures
Europeans call for stronger privacy protection online:¹
• 92% say it is important that personal information on their computer, smartphone or tablet can only be accessed with their permission
• 92% say it is important that the confidentiality of their e-mails and online instant messaging is guaranteed
• 92% say it is important that tools, such as browser cookies, which monitor their activities online, should only be allowed with their permission
¹ Source for all survey results: Flash Eurobarometer 433 on ePrivacy, December 2016
Telecommunications in Moldova
• Landline Subscriptions and Penetration Level (2017)
  • Number of Landline Subscriptions - 1,143,900
  • Penetration Level - 32.2%
• Market Structure by Number of Users (2017)
  • Moldtelecom - 89.0%
  • Other Providers - 11.0%
• Mobile Subscriptions and Penetration Level (2017)
  • Number of Mobile Subscriptions - 4,460,000
  • Penetration Level - 125.6%
• Market Structure by Number of Users (2017)
  • Orange Moldova - 58.3%, Moldcell - 33.3%, Unité - 8.4%
Telecommunications in Moldova
• Number of Broadband Subscriptions (2017)
  • Wired:
    • Number of Wired Subscriptions - 584,300
    • Penetration Level - 16.5%
  • Mobile:
    • Number of Mobile Subscriptions - 2,430,078
    • Penetration Level - 68.4%
Data Protection Risks
• Interception of Communications Data
• Revealing of highly sensitive Personal Information (social relationships, habits, movements and activities of everyday life, interests, tastes etc.)
• Tracking and Profiling (analyse or predict the personal preferences, behaviour and attitudes, e.g. for marketing purposes)
• Identity Theft or Data Leakage
• Data Phishing
• Lack of Transparency and Loss of Control
Current EU Legal Framework - 1
• EU Charter of Fundamental Rights
  • Article 7: Right to respect for private and family life, home and communications
  • Article 8: Right to the protection of personal data
• General Data Protection Regulation (GDPR)
  • entered into force on 24 May 2016 and fully applies since 25 May 2018
  • most comprehensive and progressive piece of data protection legislation in the world
  • regulates the processing by an individual, a company or an organization of personal data relating to individuals in the EU
  • ensures a consistent and high level of protection of natural persons
  • ensures protection irrespective of the techniques used ("technologically neutral")
  • → applies – in principle – to data processing in the electronic communications sector
Current EU Legal Framework - 2
• ePrivacy Directive (ePD)
  • entered into force on 31 July 2002, last update in 2009 ("cookie directive")
  • aims to protect privacy in the electronic communications sector
  • contains specific data protection rules for providers of publicly available electronic communications networks and services (mainly: traditional telecom operators)
  • OTT services (e.g. instant messaging services) are not covered (under the prevailing opinion)
  • is lex specialis to the GDPR (Art. 95 GDPR: "…apply to all matters concerning the processing of personal data which are not subject to specific obligations with the same objective set out in the ePrivacy Directive")
  • Key topics: Confidentiality of Communications, Use of Cookies, Processing of Traffic and Location Data, Unsolicited Direct Marketing Communications
Future EU Legal Framework - 1
• ePrivacy Regulation (ePR) – Objectives
  • was published as a proposal text in January 2017 by the COM
  • update current rules to take into account technological and market changes (→ by replacing the current ePrivacy Directive)
  • reinforce trust and security in the Digital Single Market by enhancing the security and confidentiality of communications
  • address inconsistent enforcement and fragmentation at national level
  • all people and businesses in the EU will enjoy the same level of protection of their electronic communications (→ directly applicable regulation, not a directive)
  • align the rules for electronic communications with the new standards of the GDPR ("particularise and complement the GDPR" → lex specialis)
Future EU Legal Framework - 2
• ePrivacy Regulation (ePR) – Scope of Application
  • will apply to all providers of electronic communications services, including OTT services (e.g. instant messaging services, Voice over IP)
    • → same level of confidentiality of communications as traditional telecom operators
  • will apply to communications content and metadata, e.g. timing, location and duration of the call (a wider notion than traffic/location data)
  • will have extraterritorial effect where services (including advertising) are provided to or target end-users located within the EU by providers located outside the EU, regardless of where the processing takes place
Future EU Legal Framework - 3
• ePrivacy Regulation (ePR) – Key Topics
  • Confidentiality of users' online behaviour and devices has to be guaranteed: users need to agree to websites using cookies, but browser settings will provide an easy way to accept or refuse tracking cookies and other identifiers; no consent is needed for non-privacy-intrusive cookies that improve the internet experience (e.g. to remember shopping cart history, or for filling in online forms).
  • Processing of communications content and metadata is conditional on consent: metadata need to be deleted or made anonymous if users did not give their consent.
  • Spam and direct marketing communications require prior consent. The GDPR level of consent will also apply under the ePR.
Moldovan Law - 1
• Constitution of the Republic of Moldova – Article 30. Privacy of Correspondence: The State shall ensure the privacy of letters, telegrams, other postal dispatches, telephone conversations and other legal means of communication.
• Draft Law on Personal Data Protection (LPDP)
  • adopted by the Parliament in the 1st reading on 29 November 2018
  • regulates the processing by an individual, a company or an organization of personal data relating to individuals within the territory of the Republic of Moldova
  • ensures the same level of protection as the GDPR
  • applies – in general – also to data processing in the electronic communications sector
Moldovan Law - 2
• Electronic Communications Act of 15 November 2007 (eComAct)
  • Chapter IX lays down specific privacy rules for the field of electronic communications
  • based closely on the provisions of the EU ePrivacy Directive of 2002 ("de facto implementation")
  • applies to the processing of personal data in connection with the provision of publicly available electronic communication networks and services
  • the aim of the law argues for a broad scope of application
    • → not only traditional telecom services, but also OTT services should be covered
  • does not include information society services (e.g. electronic commerce services and online content services such as on-demand music services)
Moldovan Law - 3
• Law on Electronic Communications of 15 November 2007 (eComAct)
  • Relationship with the LPDP:
    • lex specialis to the LPDP (but Art. 70 (3) eComAct is unclear: "in conjunction with the provisions of the legislation on the processing of personal data")
    • → the legal grounds for processing in Art. 5 of the LPDP cannot be used to legitimise the processing of communications data (traffic/location data) by the provider
    • → IMPORTANT: the eComAct does not provide a legitimate interests ground
    • the LPDP remains applicable to all matters which are not specifically and conclusively addressed in the eComAct (e.g. principles relating to the processing of data, rights of the data subject, conditions for consent, obligations of the controller, sanctions, etc.)
Moldovan Law - 4
• Law on Electronic Communications of 15 November 2007 (eComAct)
  • Table of Contents:
    • Art. 70 – Aim and Scope
    • Art. 71 – Data Security Measures / Security Breach Notification
    • Art. 72 – Confidentiality of Communications / Cookies and Similar Techniques
    • Art. 73 – Processing of Traffic Data
    • Art. 74 – Itemised Billing
    • Art. 75 – Presentation and Restriction of Calling and Connected Line Identification
    • Art. 76 – Processing of Location Data other than Traffic Data
    • Art. 77 – Exemptions (Calling Line Identification)
Moldovan Law - 5
• Law on Electronic Communications of 15 November 2007 (eComAct)
  • Table of Contents:
    • Art. 78 – Automatic Call Forwarding
    • Art. 79 – Directories of Subscribers
    • Art. 80 – Unsolicited Direct Marketing Communications
    • Art. 81 – Restrictions
Current Legal Framework (diagram)
• EU level: ePrivacy Directive, GDPR
• Moldovan level: Law on Electronic Communications, Law on Personal Data Protection
• arrows labelled "implementation" lead from the EU instruments to the Moldovan laws
Future Legal Framework (diagram)
• EU level: ePrivacy Regulation (2019 ??), GDPR
• Moldovan level: Updated Law on Electronic Communications ??, Law on Personal Data Protection
• arrows labelled "implementation" lead from the EU instruments to the Moldovan laws
Key Requirements on Data Protection in Electronic Communications
Confidentiality of Communications
• Electronic communications, including both the contents and any data related to such communications, shall be confidential.
• Listening, tapping, storing, scanning or other kinds of interception or surveillance of electronic communications is prohibited
  • without the consent of the users concerned,
  • except when legally authorised in law (= principle of lawfulness).
• Restrictions (laid down in national law) are allowed when such a restriction constitutes a necessary, appropriate and proportionate measure to safeguard one or more general public interests specified in Art. 81 eComAct, such as to safeguard national security.
Lawful Processing of Traffic Data
• Traffic Data: any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof
• Processing of traffic data is permitted, if necessary
  • for the transmission of the communication
  • for billing and calculating interconnection payments
  • to handle customer enquiries or complaints
  • to maintain or restore the security of electronic communications networks/services
  • to detect technical errors in the transmission of electronic communications
  • to detect or stop fraudulent or abusive use of electronic communications services
  • to meet mandatory quality of service requirements
  (= part of the performance of the contract with the subscriber)
Lawful Processing of Traffic Data
• Processing of traffic data is permitted with prior consent (!) of the subscriber/user
  • for marketing electronic communication services
  • for the provision of value-added services / specific services (e.g. producing heatmaps indicating people's presence)
• Obligations of the provider:
  • the provider must inform the subscriber/user of both the types of traffic data processed and the duration of processing (= principle of transparency)
  • systems should be designed to limit the amount of personal data necessary to a strict minimum; any activities that go beyond the transmission of a communication and the billing thereof should be based on aggregated traffic data that cannot be related to subscribers/users (= principle of data minimisation)
  • traffic data must be erased or made anonymous when they are no longer needed for the above-mentioned purposes (= principle of storage limitation)
Lawful Processing of Location Data
• Location Data: any data which indicates the geographical location of the user's terminal equipment of a publicly available electronic communications service
• Processing of location data, other than traffic data, is permitted only when
  • they are made anonymous, or
  • the users or subscribers have given their consent to the provision of such a location-based service.
• The provider must inform the subscriber/user of the types of location data processed, the purpose and duration of processing and potential transmission to third parties (= principle of transparency).
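The two provider obligations above (storage limitation and data minimisation for traffic data, and "made anonymous" location data) are usually met in code rather than in policy text. The following Python example is added here and is not part of the training slides or of any provider's real system: it erases traffic records once the provider's stated processing duration for billing has passed, and derives a presence heatmap only from per-cell counts that drop small groups, so the output cannot be related back to an individual subscriber. The 90-day billing window, the group-size threshold of 5 and all records are constructed assumptions, not statutory figures.

```python
"""Storage limitation and data minimisation applied to traffic/location data.

Added illustration, not from the training course. All records, the billing
window and the suppression threshold are constructed example values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class TrafficRecord:
    subscriber_id: str    # constructed identifier such as "s1"
    cell_id: str          # network cell that handled the communication
    started_at: datetime  # timezone-aware start time
    duration_s: int


# Assumed retention window the provider states in its transparency notice.
BILLING_WINDOW = timedelta(days=90)
# Assumed minimum number of distinct subscribers per bucket; smaller buckets
# are suppressed because a count of 1 or 2 still identifies people.
MIN_GROUP_SIZE = 5


def enforce_storage_limitation(records, now):
    """Keep only records still needed for billing; older ones are erased."""
    return [r for r in records if now - r.started_at <= BILLING_WINDOW]


def aggregate_presence(records, min_group=MIN_GROUP_SIZE):
    """Heatmap-style aggregate with no subscriber identifiers.

    Counts distinct subscribers per (cell, hour). Buckets with fewer than
    `min_group` distinct subscribers are dropped (small-count suppression)
    so the result cannot be related to an individual subscriber/user.
    """
    seen = {}
    for r in records:
        hour = r.started_at.replace(minute=0, second=0, microsecond=0)
        seen.setdefault((r.cell_id, hour), set()).add(r.subscriber_id)
    return {bucket: len(subs) for bucket, subs in seen.items() if len(subs) >= min_group}


# Constructed sample input: six subscribers in cell-A an hour ago, one lone
# subscriber in cell-B, and one stale record from 120 days ago.
NOW = datetime(2019, 3, 27, 12, 0, tzinfo=timezone.utc)
SAMPLE = [TrafficRecord(f"s{i}", "cell-A", NOW - timedelta(hours=1), 60) for i in range(6)]
SAMPLE.append(TrafficRecord("s7", "cell-B", NOW - timedelta(hours=1), 30))   # suppressed
SAMPLE.append(TrafficRecord("s1", "cell-A", NOW - timedelta(days=120), 45))  # erased

if __name__ == "__main__":
    kept = enforce_storage_limitation(SAMPLE, NOW)
    print(len(kept), "records retained for billing")
    for (cell, hour), n in aggregate_presence(kept).items():
        print(cell, hour.isoformat(), n, "subscribers")
```

Running the block retains 7 of the 8 records and emits a single aggregate bucket (cell-A, 11:00 UTC, 6 subscribers); the cell-B bucket is suppressed because a count of one would point at a single user, which is the situation the data-minimisation principle on the slide is meant to prevent.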
Consent
• Consent in the electronic communications context has the same meaning as under the LPDP, i.e. a freely given, specific, informed indication of the data subject's wishes by which he or she signifies agreement to the processing of personal data relating to him or her.
• Right to withdraw consent: users or subscribers have the possibility to withdraw consent at any time and without giving any reasons.
  • → prevents any further processing on the basis of consent (not 'retroactive')
• Conditions applicable to a child's consent in relation to information society services
  • direct offer to a child
  • under the age of 16: consent is granted by the holder of parental responsibility
  • age and authorisation verification mechanisms (reasonable efforts, taking into account available techniques)
Cookies and Similar Technologies
• Principle: the use of cookies and similar technologies requires the consent of the user/subscriber.
• Exemptions: consent is not required if the cookie is
  • used for the sole purpose of carrying out the transmission of a communication, or
  • strictly necessary in order for the provider of an information society service explicitly required by the user to provide that service
  (includes: user-input cookies (session ID), authentication cookies, user-interface customisation cookies)
Cookies and Similar Technologies
• Consent to the use of cookies:
  • specific information (clear and comprehensive): type of cookie, purpose, period of validity, third parties involved, how to accept or decline cookies
  • should be obtained before cookies are set (prior consent)
  • user's active behaviour (clicking on a link or ticking a box)
  • ability to choose freely (accept or decline some or all cookies – no 'take it or leave it')
• Consent can also be derived from the privacy settings of an internet browser, if
  • the above-mentioned conditions are respected
  • it was set by default to reject all cookies and the data subject changed the settings
Direct Marketing
• Use of automated calling systems and electronic mail for direct marketing purposes requires prior consent (opt-in)
• Exemption: where an individual's contact details have been obtained in the context of a sale, and an opportunity to object must be given (opt-out)
• For any other form of unsolicited communications for direct marketing purposes (regardless of the technology used) consent is needed (e.g. voice-to-voice calls, instant messages, SMS)
Data Retention - 1
• Privacy Risks
  • communications data is as revealing as content
  • makes profiling possible
  • data liable to allow very precise conclusions to be drawn on private lives; feeling of being under constant surveillance
• ePrivacy Directive
  • according to Art. 15(1) ePD, Member States may adopt legislative measures providing for the retention of data for a limited period
• Moldovan Law
  • data retention obligation for providers of electronic communication services/networks in Art. 20(3) eComAct
  • retention period: telephony data – one year; internet data – six months
Data Retention - 2
• CJEU (Tele2 and Watson case, 2016)
  • data retention
    • only serious crime can justify interference
    • precludes national legislation which provides for general and indiscriminate retention of data
  • access
    • national legislation precluded where:
      • objective not limited to fighting serious crime
      • access not subject to prior review by a court or independent administrative authority
      • no requirement to retain data in the EU and destroy it at the end of the retention period
Thank you for your attention!
Personal Data Protection Requirements for the Telecommunications Sector