The implementation of the new regulatory requirements can justifiably be described as a legal turning-point in the regulation of OTT communications services. In the face of a seemingly innumerable number of European and national laws, regulations, and administrative publications, it remains difficult to keep an overview. Therefore, below you will find an outline of the four most important areas to focus on when tackling the challenge of your company’s compliance:
The EECC generally obliges OTT providers to adhere to the same security standards (technical and organizational measures) as traditional telecommunications service providers. The measures must be “appropriate and proportionate”. However, the EECC remains largely silent on the specific types of measures to be implemented, leaving this task to the European Union Agency for Network and Information Security (ENISA) and the respective national regulatory agencies.
In December 2020, the ENISA published its 3rd edition Guideline on Security Measures under the EECC, confirming that the security provisions in the EECC for OTT services “are the same as for the number-based services.” However, it also specifies that “depending on the setting, the type of network or service offered, the assets involved, etc., some of the security measures in this guideline may not be fully applicable.” Supplementary guidance on OTT services is under development and will be published separately.
In principle, OTT service providers must comply with the same obligations regarding their cooperation with public investigating and other public security authorities as traditional telecommunications enterprises. Such obligations particularly pertain to the storage of client data and its transfer to the authorities. While this issue has already been intensely debated in the past, obligations to allow telecommunications surveillance and the need to comply with requests for information will become even more pressing. We estimate that the newly competent national regulatory agencies will exert significant pressure on providers to implement further measures.
OTT service providers now have to comply with a complex set of transparency requirements regarding themselves and their service, as well as contractual information obligations vis-à-vis their customers. For example, providers are obliged:
To ensure compliance, we urgently recommend preparing the necessary new documents, reviewing and amending the existing contract documents, and reviewing how the documents are provided, both in general and as part of the service registration process.
OTT providers will be obliged to comply with the same data protection requirements as traditional telecommunications providers. While this consequence is not directly included in the EECC, it follows from the new qualification of OTT services as electronic communications services within the meaning of the EECC. As a result, OTT providers must now comply with the sector-specific requirements of the Directive on Privacy and Electronic Communications (2002/58/EC). Within their scope of application, these rules take precedence over those of the General Data Protection Regulation (GDPR; see its Art. 95).
These data protection requirements have a significant impact on service providers’ scope to process and make use of customers’ personal data. In some countries, these rules are accompanied by the obligation to protect the secrecy of telecommunications, which poses further risks in case of non-compliance. In Germany, for example, violations of this duty are punishable under criminal law with imprisonment of up to five years.
The new data protection rules should not be taken lightly. The new legal framework defines a service-specific data protection regime, to which internal company processes as well as the privacy statements must be adapted.