Posted in Internet of Things Technology and Commercial Telecoms

Germany: Roaming Regulation and IoT services

By Mike Conradi and Christoph Engelmann on

By Christoph Engelmann, Senior Associate, Hamburg

DLA Piper recently advised a client (Transtael) on a very interesting matter leading to the German telecommunications regulator Bundesnetzagentur (BNetzA) issuing a landmark decision on the applicability of the Roaming Regulation on so-called 901 International Mobile Subscription Identities (IMSI). In this decision BNetzA ruled that the defendant in that case, a German Mobile Network Operator (MNO), has to provide the applicant, Transatel, a French Mobile Virtual Network Enabler/Aggregator (MVNE/A), with a draft contract for wholesale roaming access pursuant to Art. 3 par. 5 sentence 2 of the Roaming Regulation even if the applicant uses non-geographic numbering on its SIM cards (so-called 901 IMSI).

The decision is based on a dispute resolution procedure started by the applicant after the defendant refused to grant wholesale roaming access with regulated charges as set out in the Roaming Regulation. The defendant is of the opinion that the Roaming Regulation does not apply to the applicant’s business model because the applicant uses the shared or non-geographic Mobile Country Code (MCC) 901 awarded by the International Telecommunication Union (ITU) for numbering its SIM cards instead of using geographic MCCs awarded by the regulatory authorities of the individual countries (e.g. MCC 208 for France).

Before making its decision BNetzA requested the Body of European Regulators for Electronic Communications (BEREC) to adopt an opinion with regard to the action to be taken in accordance with the Roaming Regulation. In its opinion BEREC considers that the Roaming Regulation covers roaming services provided by the applicant via 901 IMSI for customers with a home network that is located in an EU Member State. BEREC also refers to its report „Enabling the Internet of Things“ BoR (16) 39 where it pointed out that the MCC 901 could be used for the addressing in Internet of Things (IoT) services.

With its decision BNetzA follows up on BEREC’s opinion ordering the defendant to provide the applicant with a draft contract for wholesale roaming access. The draft contract has to enable the applicant to use IMSI with the MCC 901. BNetzA based its decision on the fact that the Roaming Regulation does not contain any provision concerning numbering with regard to SIM cards or end users. Instead it focuses on the Roaming Regulation’s definitions of “roaming customer” and “home network” that do not exclude the MCC 901. In addition, BNetzA points out that the BEREC’s Wholesale Roaming Guidelines BoR (17) 114 mention that a roaming customer could for example be identified by numbering resources from European Economic Area (EEA) Member States which are in accordance with the E.212 ITU Recommendation and BNetzA notes that the MCC 901 is part of that recommendation.

In order to make sure that the roaming services are provided in accordance with the Roaming Regulation, BNetzA notes that the defendant may include specific measures that the visited network operator may take to prevent permanent roaming or anomalous or abusive use of wholesale roaming access as well as the objective criteria on the basis of which such measures may be taken in its reference offer that is used as the basis for the requested draft contract. However, according to BNetzA this may only be based on information on roaming traffic in an aggregated form but not on specific information relating to individual roaming traffic.

In BNetzA’s official press release Jochen Homann, President of BNetzA, explains that the decision “provides an important boost to competition and innovation on the wholesale markets, particularly in respect of the Internet of Things or communication between machines”. The decision is the first of its kind in Germany and BNetzA invited the three MNOs in Germany to participate in the procedure. The decision enables Mobile Virtual Network Operators (MVNOs) that are operating globally to use the international numbering with MCC 901 for all of their SIM cards instead of applying for a local number in each country while still benefiting from the regulated charges in the Roaming Regulation for the parts of their business that covers roaming customers with a home network in the EEA.

Following this decision, the defendant is obliged to provide a draft contract to the applicant within one month. If the parties are not able to agree on the contract terms, BNetzA may rule on the terms in a separate dispute settlement proceeding. In addition, it is up to the parties to file an action against BNetzA’s decision with the competent administrative court.

Posted in EU Data Protection Privacy and Data Security

Germany: first court decision on GDPR

By DLA Piper on

By Jan Spittka and Kiana Mirzaei

Only five days after the GDPR became applicable, the first German court, the Regional Court (Landgericht) Bonn (in a decision dated 29 May 2018, case number 10 O 171/18 – in German only), issued a ruling on the practical application of the GDPR. This probably makes the court’s ruling the first GDPR court decision worldwide, and the decision addressed the hot-button issue of public availability of ICANN “WHOIS data”.

The court was called upon to rule in an interim injunction proceeding about the data minimization principle set forth in Art. 5 (1) lit. c) GDPR.  The Parties to the proceeding were the Internet Corporation for Assigned Names and Numbers (ICANN) against the German-based, ICANN-accredited Registrar EPAG Domainservices GmbH. ICANN sought to obligate EPAG to comply with the ICANN “Registrar Accreditation Agreement”, which requires registrars to collect administrative (Admin-C) and technical (Technical-C) contact information for a new domain name registration (“WHOIS data”). The court ruled that ICANN could not show credibly that the collection of Admin-C and Technical-C is necessary pursuant to Art. 5 (1) lit c) GDPR and therefore that EPAG is not obligated to collect such data.

In detail: The court stated, that an obligation to comply with the requirements of the Registrar Accreditation Agreement exists only in so far as the Agreement is in accordance with applicable law. Article 5 (1) lit b) and c) GDPR dictate that personal data may only be collected for specified, explicit and legitimate purposes and shall be adequate, relevant and limited to what is necessary in relation to the purpose. Per the court, ICANN could not show credibly  the necessity to collect the Admin-C and Technical-C. Instead, the collection of the domain name registrant data should suffice to fulfill ICANN’s purposes, especially with regard to criminal activity, infringement or security problems, as the domain name registrant is the main person responsible. According to the court, the fact that a registration is also possible by naming the registrant (and not a third party) as Admin-C and Technical-C underlines this argumentation.

WHOIS directories are valued by rights owners and law enforcement authorities for providing transparency as to who registered a domain and ICANN has been struggling with GDPR compliance regarding WHOIS directories and services.  They therefore entered into a dialogue with the Article 29 Data Protection Working Party (WP29, since 25 May 2018: the European Data Protection Board).  The WP29 stated concerns regarding ICANN’s GDPR compliance, outlined recommendations and announced to monitor ICANN closely (see WP20 letter from 11 December 2017 and  WP29 Letter from 11 April 2018 ). ICANN requested a moratorium on enforcement action by DPAs until a revised WHOIS policy is developed and implemented. This request was denied several days after the GDPR effective date by the European Data Protection Board on the ground that the GDPR does not allow national supervisory authorities nor the European Data Protection Board to create an “enforcement moratorium” for individual data controllers. However, the Board noted that this does not preclude data protection authorities to take into consideration the measures which have already been taken or which are underway when determining the appropriate regulatory response upon receiving complaints (see Statement from 27 May 2018). Click here for more details on processing of WHOIS information.

This article first appeared on DLA Piper’s Privacy Matters blog.

Posted in Health Privacy

Guide for Accessing and Using Medical Records Breaks No New Ground and Instead Doubles Down on Old Processes

By Jim Halpert on

Written by Anna Spencer and Milton Gregory

On April 4, 2018, the US Department of Health and Human Services’ (“HHS”) Office of the National Coordinator for Health Information Technology (“ONC”) released a new web-based resource – the ONC Guide to Getting and Using your Health Records – that promotes individual access to medical records by educating patients on their rights of access and amendment under HIPAA and provides detailed instructions on how patients should request their records. As ONC acknowledges, access to health information can empower patients and enable them to take control of their own health, well-being, and safety.  Although the guidance does not have the force of law, it offers valuable insight into how the Trump administration seeks to further patient rights under HIPAA.

The web-based guide is meant to help individuals, patients, and caregivers better understand how to access, review, and use their electronic (and paper) health information by providing instructions as well as tips, links and quizzes to test the individual user’s knowledge. Among other steps, individuals are told to collect the full names, physical addresses, phone numbers, and fax number or secure email (through any patient portal) for all of the doctors whom an individual wants to send and receive his or her medical record. The resource goes on to state that individuals may be required to complete forms when they request their records. The resource describes a potential form that contains at least twenty three data points.  Clearly, collecting this much information and completing a form for every health care provider will prove too burdensome to many patients.

The resource also suggests that individuals that follow through with accessing their health information utilize mobile apps to manage the data. It encourages individuals to select secure apps and provides a link to an FTC webpage with instructions on how to protect personal information, but it does not explain the privacy and security issues inherent in mobile health apps.  Individuals should understand that mobile health apps typically are not afforded the protections provided by HIPAA, unless the app is offered by a HIPAA covered entity or business associate.

The 21st Century Cures Act (“Cures Act”) amended federal law to permit business associates, (i.e., vendors of covered health care providers that process Protected Health Information (“PHI”) on behalf of health care providers) to provide access to PHI that they maintain in certain records.  However, ONC’s new resource does not include any guidance on what a business associate’s role is in the expansion of patients’ rights under the Cures Act.  Some business associates, such as health care clearinghouses, have PHI from multiple health care providers and health plans.  As such, they could serve as convenient supplemental sources of health records for individuals in addition to health care providers.

Covered entities and business associates should monitor the implementation of these provisions by the Office for Civil Rights. Covered entities will potentially need to revise their Business Associate Agreements to avoid interfering with business associate obligations and business associates will want to ensure that they comply with regulatory requirements.

 

Posted in Telecoms

Lawful intercept on VoIP services – Skype in Belgium

By Mike Conradi on

Article by Catherine Gysels, DLA Piper Brussels

According to Belgian criminal law, providers of telecommunication services are obliged to cooperate if an investigating judge orders a wiretap measure. In November 2017, Skype was found guilty of failing to give essential information and provide a wiretap on Skype calls as the company was considered as a provider. However, a discussion remains over Skype’s status as a telecom operator as another Belgian court sought guidance to resolve a lawsuit between the company and the national telecom regulator.

Facts

In 2012, a judicial investigation regarding a criminal organization was conducted in Belgium. Authorities established that a certain suspect within the investigation did not communicate by means of a normal telephone line, but only via a so-called Skype account. The magistrate then ordered a registration and tapping measure and demanded Skype to cooperate. In particular, the official warrant claimed that future conversations could be monitored by the investigators. Skype was contacted several times by the police, but reported that Skype users’ data is held by and owned by Skype located in Luxembourg. Skype would also not have any data of conversations between Skype users, which are video and chat messages, as well as exchanged files. Skype only supplied partial information, including email addresses of those concerned and account information, but not the content of communications.

As a result of the (implicit) refusal to cooperate, the police immediately lodged an official report, after which a prosecution investigation was started by the public prosecutor’s office. The Criminal Court would ultimately state Skype committed the crime of refusal to grant technical assistance to an investigation and order Skype to pay an effective fine of € 30,000. Before the court of appeal, Skype stated again that the Belgian judge would have no jurisdiction. In addition, the company claimed that Skype was not an operator of a telecommunication network or provider of a telecommunication service, and at least that there is no question of refusal of cooperation in the judicial investigation.

Territorial link with Belgium

In the first place, Skype pointed out that the offense did not have any territorial link with the Belgian territory, so that the Belgian judge would not have jurisdiction. Skype is, after all, a company incorporated under Luxembourg law and has no separate branch in Belgium. Now that Skype did not own or manage any infrastructure in Belgium, the crime could not have been committed in Belgium as the place where Skype could co-operate would, by definition, be Luxembourg.

The Court refers to the provisions of Article 3 of the Criminal Code, which stipulates that the offense committed in the territory of the Kingdom by Belgians or by foreign nationals must be punished in accordance with the provisions of Belgian law. A crime must be regarded as ‘territorial’ as soon as at least one of its constitutive elements is located in Belgium. As the requested information and the technical cooperation with the researchers was asked and had to be given on Belgian territory, the crime of refusing to disclose the requested information or providing the requested cooperation is committed at the place where this requested information or technical cooperation must be received by the competent investigators, or in Belgian territory. In other words, the Court motivated that the crime did not take place at the place where the legal person is located, but where the requested communication or information or cooperation has to be received. The obligation to cooperate can therefore be located in Belgium, even when those obliged to cooperate are abroad.

A provider of telecommunications/electronic communication services

Secondly, it had to be determined whether or not Skype is a provider of a telecommunications service. In the Belgian Yahoo case-law, these concepts were already defined very broadly by the Court of Cassation. Not only is the Belgian operator within the meaning of the Act of 13 June 2005 concerning electronic communication considered as a provider of a telecommunications services, but also anyone who provides electronic communications services, such as the transmission of communication data. The obligation to cooperate is therefore not limited, but for everyone who offers a service that consists entirely or mainly in the transmission of signals via electronic communication networks.

The Court of Appeal concluded that Skype complies with the concept ‘provider of a telecommunications service’, Skype was providing technical aids to users in Belgium and elsewhere in the world in the form of free software that allowed these users of electronic networks to exchange information with other persons. In order to be considered as a ‘provider of a telecommunications service’ in Belgium, it is therefore sufficient that the offered software is entirely or mainly intended and is used for communication between users via the internet. Moreover, the court expressly pointed to the twofold intervention of Skype in the electronic communication by its users: the users first have to download the Skype software on their device, with each user having to connect at the start of each communication with the Skype server, after which Skype performs a verification and authentication of the login data of the users.

Territorial obligation to comply with the request

After it was determined that Skype complies with the concept of a ‘provider of a telecommunications service’, the Court of Appeal would also express the view that the obligation to cooperate territorially applies to the company.

Again, the judgment took over the Yahoo reasoning, on the basis that that Skype participates in economic life in Belgium, whether or not it has a social or administrative seat on Belgian territory. In order for a provider of a telecommunications service in Belgium to be subject to a coercive measure, it is also required that there is ‘sufficient territorial connecting factor’ with the Belgian territory. Such a ‘sufficient territorial connecting factor’ may be that the foreign service provider is present in Belgium through his active participation in economic life in Belgium, even if he does not have a registered seat on Belgian territory. It is not the location of the office or establishment of the service provider that is decisive, but the place where that service provider offers his services.

In this context, the Court of Appeal reasoned that paying services were offered to Belgian users, as well as advertising targeted to Belgian users via the software. The proof that Skype had provided a Dutch version of its website so that Dutch-speaking Belgian users could automatically make use of the services in Dutch, can only be explained by the clear will to actively and commercially target potential users in Belgium. As a conclusion, the court states that Skype was also economically accessible and present for the Belgian consumer, so the company is also legally accessible and present in Belgium.

Legal obligations of a provider of electronic communications services

According to the judgment, Skype is liable under the national telecommunications law, which obliges telecommunications providers to work with legal investigations when required.

The relevant data available to Skype were transferred according to the company. Skype stated that without significant changes to its software and infrastructure it will not have access to the signals that its users send via the internet, and not to the communication data itself. The Court of Appeal understood that Skype could, therefore, actually get access to those signals if they would make (substantial) adjustments. It was precisely by not organizing itself so that Skype could meet its legal obligations that it was held to have committed the offense.

However, nowhere, either in Belgian legislation nor internationally, is the duty is laid down with regard to providers of electronic communication services to make systems interceptable or to limit encryption. This is also in contrast to the (European) data protection right and the freedom of encryption.

Moreover, the position in which Skype found itself in respect of Luxembourg law was not taken into account in any way. The court denies that Skype would violate Luxembourg law, since the obligation to cooperate would relate to communications in Belgium, providing information to the Belgian researchers and technical assistance with an interception measure on Belgian territory. However, the judgment disregards the fact that Skype, as a Luxembourg company, would commit a crime under Luxembourg law if it complied with the Belgian obligation to cooperate, which is in any case a situation of force majeure. In view of this international context, the entire problem could therefore have been avoided by the intervention of the Luxembourg judicial authorities through a request for legal assistance.

It is therefore questionable whether the reasoning of the Court of Appeal will stand in the proceedings before the Court of Cassation.

Telecom operators in EU law

In the meantime, another Belgian court of appeal sought guidance from the EU’s Court of Justice to clarify the criteria used to label companies as telecom operators, as laid down in the Directive of 7 March 2002 on a common regulatory framework for electronic communications networks and services (the Framework Directive).

Skype had been fined €223,454 by the Belgian Institute for Postal Services and Telecommunications, or BIPT, for failing to comply with Belgium’s telecoms law. In this dispute, BIPT focused on Skype as a provider of electronic communications in relation to the “SkypeOut” service, which allows calls over the internet to anyone with a fixed line or mobile phone.

SkypeOut requires the user to buy call credit, while calls are charged at local rates. The person being called is however not required to be a Skype subscriber. According to the BIPT, Skype should have registered the SkypeOut service as required by the telecoms law because it is a service provided against payment, which consists completely or mainly of signal transmissions and is carried over electronic communication networks. The regulator stated that not doing so “constitutes a serious offence which could damage the interests of users and competitors”.

Skype however argued that it is not providing a telecommunications service. A conversation with SkypeOut works on the one hand via the official telecom operators and on the other hand via internet providers. These two parties take care of the transmission of the signal and are therefore subject to regulation. In other words, Skype delivers the interface and prepares the VoIP data packets for sending, but only telecom companies and internet providers transport those packages. To motivate its argument, Skype refers to the legal definition of an electronic communication service. It states that such a service is entirely or mainly concerned with sending signals. Skype does work with such companies, but does not have digital pipelines to forward these signals.

EU judges will now have to decide on the criteria to classify companies as telecom operators / electronic communications service providers, which may impact Skype’s and other providers statuses as electronic communications providers in both EU and Belgian laws.

Posted in Telecoms

New Electronic Communications Code – now in force!

By Robert Shaw on

The new Electronic Communications Code came into force on 28 December 2017.

The intention behind the new Code is to introduce a range of measures to make it easier for telecoms operators to roll-out infrastructure.  The Code therefore gives telecommunications operators statutory rights to enable the installation, maintenance and use of telecoms equipment in order to operate their networks or provide an infrastructure network.  Such rights are known as “code rights” under the new Code.

As under the previous Code, operators can acquire Code rights by either entering into an agreement with a landowner or by serving notice on a reluctant landowner and then applying to the court for an order imposing an agreement.  The court will make such an order where it considers that: (1) the prejudice caused to the landowner can be adequately compensated by money; and (2) where the public benefit outweighs the prejudice to the landowner (taking into account “the public interest in access to a choice of high quality electronic communications services”).  However, the court cannot make such an order where the landowner intends to redevelop and would not be able to do so if the order were granted.

We set out below the key changes from the previous Code and key points to note.

  • No contracting out: Any terms in agreements that are contrary to the provisions of the Code are not enforceable;
  • Upgrading and sharing: Operators may upgrade equipment and/or share their sites with other licenced operators without landowners’ consent, if the changes to the equipment have no more than a minimal adverse impact on its appearance and no additional burden is imposed on the landowner;
  • Assignment: Operators may assign their rights without landowners’ consent save that a landowner may require the outgoing operator to guarantee the incoming operator’s obligations;
  • Consideration: The consideration granted to a landowner where a court imposes an agreement is based on the market value of the land on a “no scheme” basis (i.e. ignoring the value of having the telecoms equipment on the site and the Code rights that attach to it).  The current view in the market is that this will lead to lower rents/fees for landowners;
  • Statutory continuation rights: Telecoms leases will be outside of the scope of the Landlord and Tenant Act 1954, but operators continue to have separate statutory continuation rights under the Code.
  • Termination: Agreements between landowners and operators can provide for early termination of an agreement but landowners also need to consider an operator has statutory continuation rights under the Code.  Regaining possession of a site is unlikely to be as simple as serving a contractual break notice.  Instead, landowners will have to follow two separate processes set out in the new Code in order to (i) remove the Code rights and (ii) remove the apparatus itself.  This is likely to take around two years, as the landowner’s notice to remove the operator must give at least 18 months’ notice and can only be served if one of a specified number of grounds for termination applies;
  • Who is bound by agreement: It appears to be the case that an agreement entered into by a tenant will not bind the freeholder (although the freehold owner could find itself the subject of a court-ordered agreement if the operator does not want to leave the site on termination of that agreement);
  • Who can benefit from Code rights: Code rights can now be conferred not only on an operator but also on a person who provides infrastructure services for operators. Under the new Code an operator may apply to the Court for the grant of “interim code rights” for a specific period of time or until the happening of a specified event; and
  • Existing agreements: Agreements entered into when the previous Code was in force now need to be read in conjunction with the transitional provisions in the new Code as these have modified the operation of the some of the provisions of the old Code.

Ben Rogers (Legal Director), Rob Shaw (Senior Associate) and Jane Summerfield (Professional Support Lawyer) – DLA Piper UK LLP

LexBlog