The European Commission has published its review of the regulatory framework for electronic communications. Under consideration for revision are a number of Recommendations and Decisions and especially the principal Directives:
- Framework Directive
- Access Directive
- Authorisation Directive
- Universal Service Directive
- Privacy Directive
The main “big picture” highlights of the review are:
- the Commission rejects the idea of a “regulatory holiday” for network operators investing in Next Generation Networks;
- greater centralised co-ordination of regulatory remedies;
- a European dimension to spectrum management;
- new duties to ensure network integrity, security and customer protection, which will extend to ISPs and mobile operators;
- relaxation of some procedures and the deletion of outdated regulation.
A number of other details will be of particular interest to ISPs. This article provides an overview of some of the main points of interest, but is by no means a complete review of the Review. For more complete information see:
- Communication from the European Commission
- COM Staff Working Document discussing the proposed changes
- Impact assessment
- Recommendation on Relevant Markets
The deadline for responses to the consultation is 27th October 2006, and should be sent following the instructions published by the Commission. A public presentation of the Communication will be held in Brussels on Thursday 13th July 2006; prior registration is required.
Competition and markets
As Commissioner Reding insisted in her speech last week, the Commission firmly rejects the idea of a regulatory holiday to encourage investment in Next Generation Networks. Indeed it proposes to strengthen the effectiveness of remedies across Europe by taking powers to veto National Regulatory Authorities (NRAs) decisions on remedies, although this would not go so far as to have the Commission picking remedies itself. Another means of strengthening remedies will be to lay down legal criteria national courts must apply when deciding whether to suspend a regulatory remedy pending appeal: the Commission hopes that this will reduce the number of “frivolous appeals” which “systematically use the appeals process as a delaying tactic”.
At the same time, the Commission (“COM”) proposes to simplify and streamline certain procedures, especially relating to the conduct of Market Reviews (where a market is analysed by a NRA to determine if any player has “Significant Market Power” and can therefore be made subject to directed pro-competitive ex ante regulation). COM proposes a simplified and reduced procedure for subsequent market reviews where there has been no previous finding of SMP, and a principle that market reviews do not need to be conducted periodically to ensure that they remain valid unless a material change has taken place in market circumstances. This should ease the requirement for reviews that are unlikely to result in any regulatory changes.
The Commission notes the United States’ “four Net freedoms”, namely the rights to access and distribute (lawful) content, to run applications and to connect devices of their choice. COM believes these are applicable in Europe, but are best protected by the totality of the regulatory framework and in particular by pro-competitive regulation supporting access and interconnection: they are, it believes, a guideline for regulators rather than an appropriate regulatory measure in themselves.
COM does draw attention to existing powers that could be employed by NRAs to prevent abuse of network neutrality, especially by those with Significant Market Power. Existing powers on access and interconnection could also be employed generally, if necessary to prevent blocking of information society services or degradation in transmission quality for third party services.
Overall, therefore, the message is that there are adequate existing measures to protect against abusive infringement of network neutrality, although a new power will be given to NRAs to set minimum quality levels for NGNs so as to implement technicalstandards set at a European level.
Access and interconnection
Although ex ante regulation can normally be imposed by NRAs on companies that have been found to hold Significant Market Power, there is a power to impose such rules on other companies in order to ensure access, interconnection and interoperability (Article 5(1) of the Access Directive). The Commission proposes to limit this power by requiring NRAs to obtain its permission first.
The Radio and Telecommunications Terminal Equipment Directive covers terminal equipment. Between this and the Universal Service Directive there is currently a requirement for public network operators to publish specifications for network terminal interfaces, which is designed to facilitate interconnection. The Commission proposes to relax this requirement in order to promote innovation by manufacturers.
The Commission also wants to establish a mechanism whereby a common set of requirements for features or certain forms of interoperability needed to support regulation could be agreed at a European level. This could involve standards for NGNs to handover user location data to the emergency operator and, for example, data retention and interception features. Technical standards for implementing these requirements would remain the purview of European standards bodies like ETSI (there is no reference to global Internet bodies like the IETF).
For services with a pan-European scope or an internal market dimension, it is proposed that authorisation subject to the conditions that apply in one Member State will be deemed valid throughout the EU. This will be particularly relevant to wireless services.
The Commission proposes centralising the management of civil radio spectrum allocations, with a new set of principles co-ordinated at a European level through Decisions to be made by European Committees. This would adopt the model used for standard for radio and terminal equipment manufacturers.
The new principles are to be:
- Technology neutrality, meaning that licensed spectrum users could (subject to restrictions) adopt new techologies for use in their spectrum. This could mean that 3G mobile networks could move to 4G without going through a new licensing process;
- Service neutrality, meaning that licensed spectrum users could offer new services using their spectrum. So a mobile telephone service could start offering TV broadcast;
- Spectrum tradeability, gradually replacing the “administrative management” (or beauty contest) method of spectrum management, usage rights for licensed spectrum would become a fixed asset that could be freely traded between undertakings.
These new principles aren’t quite as radical as they sound: the laws of physics mean that certain parts of the spectrum are suitable for some types of applications and technologies and not others. They will also be hedged about with restrictions for public policy and the prevention of competitive distortion: don’t expect Air-Traffic Control to be sold off to enable mobile access to Big Brother. This package does however represent a striking move away from national governmental management of civil radio spectrum to deliver tightly defined services to a much more pan-European market-based approach.
Consumers’ commercial rights
The Commission proposes some measures to promote price transparency to consumers, including:
- more powers for NRAs to demand transparency;
- rights for third parties and powers for NRAs to re-use price-lists to sells or make available price-comparison guides.
This would apply to all providers of public electronic communications services, including ISPs.
The principle of number portability is to be extended beyond telephone numbers to include “Personal Directory and Profile information”, but will continue to specifically exclude Internet naming and addressing. That will protect both the DNS and IP addresses from the NRAs’ jurisdiction; however, it raises a question about “user profiles” on application-level Internet communications services such as Instant Messaging platforms. The scope of this would be contained if the final text makes clear that it does not cover “information society services”.
Universal networks, universal service
The Commission does not yet suggest that broadband needs to be a universal service. However, to make it easier to develop universal service concepts in an Internet and NGN world, it is restructuring the Universal Service Directive to take account of the separation of access infrastructure from service providers, with different requirements applied to each.
Some legal definitions will change, including PATS (“publicly available telephone service”, the most intrusively regulated class of service) and NTP (“network termination point”).
Security, integrity and customer protection
Caller location for emergency services
COM asserts that technical feasibility will not be an issue for providing the geographic location of callers to the emergency operator (999/112) “even for a technology like VoIP” by 2010-2015 (the expected life of the Directives as revised under this review). Accordingly:
- network operators will be obliged to provide geolocation to the emergency operator;
- this is to occur on a “push” basis;
- this it to be done at the operator’s expense
There is no recognition in this section of the implications of the separation of service from network, nor of the wide range of technologies and services that might be loosely classed under the term “VoIP”.
Customer privacy and security protection
Article 4 of the Privacy Directive states that
The provider of a publicly available electronic communications service must take appropriate technical and organisational measures to safeguard security of its services, if necessary in conjunction with the provider of the public communications network with respect to network security. Having regard to the state of the art and the cost of their implementation, these measures shall ensure a level of security appropriate to the risk presented.
COM notes that while some NRAs specify requirements for implementing this, others do not offer guidance, and proposes to clarify the general position with new requirements to:
- implement and maintain security measures to address security incidents, and to prevent or minimise the impact of such incidents on customers and on other interconnected networks which would include a liability clause for not taking appropriate measures
- respect any guidance issued by regulators in conformity with Community law on the practical implementation of such measures; and
- insert in contract with consumers a specific clause to inform them of specific actions that could be taken in reaction to security/integrity incidents and in prevention of known security threats and vulnerabilities (by modifying Article 20 of the Universal Service Directive)
The first of these represents the first time a legal obligation has been placed on ISPs to maintain security. Making ISPs accept liability for security breaches (and preventing them from contracting out of such liability through their terms of service) means the provision has very serious teeth: arguably, excessively so, given the complexity of causes; there is no suggestion of making the software manufacturers whose software was actually the subject of the vulnerability liable. ISPs will undoubtedly be seeking further clarification of what precisely is intended here.
The second of these provisions makes regulators’ “guidance” tantamount to having direct legal effect.
The third provision simply makes ISPs provide recommendations to consumers through their terms of service, and is likely to be the least controversial of these three proposals.
Business continuity and network integrity
NRAs will be given new powers to
- require information, such as specific security policies including emergency plans of an operator; require audits to be conducted, and sanction companies not complying with these requests, e.g., by fining; and
- issue binding instructions to providers of electronic networks and services in order to implement any relevant Commission recommendations.
COM intends to propose specific technical implementing measures itself, so as to prevent internal market distortion through varying standards of the NRAs, making this a considerably centralising measure over the sensitive area of security. Although COM states that these measures “would not touch upon aspects of national security”, disseminating sensitive information such as detailed emergency plans from operators of critical telecommunications infrastructure is clearly very relevant to national security issues.
The requirement to ensure the continuity of the telephony network at fixed locations, found in Article 23 of the Universal Service Directive, is to be extended to cover mobile and IP networks. Although it is not surprising that IP-based Next Generation Networks be included, extending it to cover all public Internet service is a noteworthy regulatory statement that the Internet has passed from being a useful to an essential service.
Notification of security breaches
“Providers of electronic communications networks and services” are to be made subject to new requirements to:
- notify the NRA of any breach of security that led to the loss of personal data and/or to interruptions in the continuity of service supply. The regulator would have the possibility to inform the public if they considered that it was in the public interest;
- notify their customers of any breach of security leading to the loss, modification or destruction of, or unauthorised access to, personal customer data.
Although the COM Staff Working Document doesn’t say that this is limited to providers of public networks and services, this is likely to be intended; it would be an even more dramatic extension of regulation if it were intended to apply even to private networks.
These provisions represent a significant new obligation. An interesting side-effect is that the NRA would have the power to maintain and publish league-tables of ISP customer downtime.