Posted in Telecoms

Lawful intercept on VoIP services – Skype in Belgium

Article by Catherine Gysels, DLA Piper Brussels

According to Belgian criminal law, providers of telecommunication services are obliged to cooperate if an investigating judge orders a wiretap measure. In November 2017, Skype was found guilty of failing to give essential information and provide a wiretap on Skype calls as the company was considered as a provider. However, a discussion remains over Skype’s status as a telecom operator as another Belgian court sought guidance to resolve a lawsuit between the company and the national telecom regulator.

Facts

In 2012, a judicial investigation regarding a criminal organization was conducted in Belgium. Authorities established that a certain suspect within the investigation did not communicate by means of a normal telephone line, but only via a so-called Skype account. The magistrate then ordered a registration and tapping measure and demanded Skype to cooperate. In particular, the official warrant claimed that future conversations could be monitored by the investigators. Skype was contacted several times by the police, but reported that Skype users’ data is held by and owned by Skype located in Luxembourg. Skype would also not have any data of conversations between Skype users, which are video and chat messages, as well as exchanged files. Skype only supplied partial information, including email addresses of those concerned and account information, but not the content of communications.

As a result of the (implicit) refusal to cooperate, the police immediately lodged an official report, after which a prosecution investigation was started by the public prosecutor’s office. The Criminal Court would ultimately state Skype committed the crime of refusal to grant technical assistance to an investigation and order Skype to pay an effective fine of € 30,000. Before the court of appeal, Skype stated again that the Belgian judge would have no jurisdiction. In addition, the company claimed that Skype was not an operator of a telecommunication network or provider of a telecommunication service, and at least that there is no question of refusal of cooperation in the judicial investigation.

Territorial link with Belgium

In the first place, Skype pointed out that the offense did not have any territorial link with the Belgian territory, so that the Belgian judge would not have jurisdiction. Skype is, after all, a company incorporated under Luxembourg law and has no separate branch in Belgium. Now that Skype did not own or manage any infrastructure in Belgium, the crime could not have been committed in Belgium as the place where Skype could co-operate would, by definition, be Luxembourg.

The Court refers to the provisions of Article 3 of the Criminal Code, which stipulates that the offense committed in the territory of the Kingdom by Belgians or by foreign nationals must be punished in accordance with the provisions of Belgian law. A crime must be regarded as ‘territorial’ as soon as at least one of its constitutive elements is located in Belgium. As the requested information and the technical cooperation with the researchers was asked and had to be given on Belgian territory, the crime of refusing to disclose the requested information or providing the requested cooperation is committed at the place where this requested information or technical cooperation must be received by the competent investigators, or in Belgian territory. In other words, the Court motivated that the crime did not take place at the place where the legal person is located, but where the requested communication or information or cooperation has to be received. The obligation to cooperate can therefore be located in Belgium, even when those obliged to cooperate are abroad.

A provider of telecommunications/electronic communication services

Secondly, it had to be determined whether or not Skype is a provider of a telecommunications service. In the Belgian Yahoo case-law, these concepts were already defined very broadly by the Court of Cassation. Not only is the Belgian operator within the meaning of the Act of 13 June 2005 concerning electronic communication considered as a provider of a telecommunications services, but also anyone who provides electronic communications services, such as the transmission of communication data. The obligation to cooperate is therefore not limited, but for everyone who offers a service that consists entirely or mainly in the transmission of signals via electronic communication networks.

The Court of Appeal concluded that Skype complies with the concept ‘provider of a telecommunications service’, Skype was providing technical aids to users in Belgium and elsewhere in the world in the form of free software that allowed these users of electronic networks to exchange information with other persons. In order to be considered as a ‘provider of a telecommunications service’ in Belgium, it is therefore sufficient that the offered software is entirely or mainly intended and is used for communication between users via the internet. Moreover, the court expressly pointed to the twofold intervention of Skype in the electronic communication by its users: the users first have to download the Skype software on their device, with each user having to connect at the start of each communication with the Skype server, after which Skype performs a verification and authentication of the login data of the users.

Territorial obligation to comply with the request

After it was determined that Skype complies with the concept of a ‘provider of a telecommunications service’, the Court of Appeal would also express the view that the obligation to cooperate territorially applies to the company.

Again, the judgment took over the Yahoo reasoning, on the basis that that Skype participates in economic life in Belgium, whether or not it has a social or administrative seat on Belgian territory. In order for a provider of a telecommunications service in Belgium to be subject to a coercive measure, it is also required that there is ‘sufficient territorial connecting factor’ with the Belgian territory. Such a ‘sufficient territorial connecting factor’ may be that the foreign service provider is present in Belgium through his active participation in economic life in Belgium, even if he does not have a registered seat on Belgian territory. It is not the location of the office or establishment of the service provider that is decisive, but the place where that service provider offers his services.

In this context, the Court of Appeal reasoned that paying services were offered to Belgian users, as well as advertising targeted to Belgian users via the software. The proof that Skype had provided a Dutch version of its website so that Dutch-speaking Belgian users could automatically make use of the services in Dutch, can only be explained by the clear will to actively and commercially target potential users in Belgium. As a conclusion, the court states that Skype was also economically accessible and present for the Belgian consumer, so the company is also legally accessible and present in Belgium.

Legal obligations of a provider of electronic communications services

According to the judgment, Skype is liable under the national telecommunications law, which obliges telecommunications providers to work with legal investigations when required.

The relevant data available to Skype were transferred according to the company. Skype stated that without significant changes to its software and infrastructure it will not have access to the signals that its users send via the internet, and not to the communication data itself. The Court of Appeal understood that Skype could, therefore, actually get access to those signals if they would make (substantial) adjustments. It was precisely by not organizing itself so that Skype could meet its legal obligations that it was held to have committed the offense.

However, nowhere, either in Belgian legislation nor internationally, is the duty is laid down with regard to providers of electronic communication services to make systems interceptable or to limit encryption. This is also in contrast to the (European) data protection right and the freedom of encryption.

Moreover, the position in which Skype found itself in respect of Luxembourg law was not taken into account in any way. The court denies that Skype would violate Luxembourg law, since the obligation to cooperate would relate to communications in Belgium, providing information to the Belgian researchers and technical assistance with an interception measure on Belgian territory. However, the judgment disregards the fact that Skype, as a Luxembourg company, would commit a crime under Luxembourg law if it complied with the Belgian obligation to cooperate, which is in any case a situation of force majeure. In view of this international context, the entire problem could therefore have been avoided by the intervention of the Luxembourg judicial authorities through a request for legal assistance.

It is therefore questionable whether the reasoning of the Court of Appeal will stand in the proceedings before the Court of Cassation.

Telecom operators in EU law

In the meantime, another Belgian court of appeal sought guidance from the EU’s Court of Justice to clarify the criteria used to label companies as telecom operators, as laid down in the Directive of 7 March 2002 on a common regulatory framework for electronic communications networks and services (the Framework Directive).

Skype had been fined €223,454 by the Belgian Institute for Postal Services and Telecommunications, or BIPT, for failing to comply with Belgium’s telecoms law. In this dispute, BIPT focused on Skype as a provider of electronic communications in relation to the “SkypeOut” service, which allows calls over the internet to anyone with a fixed line or mobile phone.

SkypeOut requires the user to buy call credit, while calls are charged at local rates. The person being called is however not required to be a Skype subscriber. According to the BIPT, Skype should have registered the SkypeOut service as required by the telecoms law because it is a service provided against payment, which consists completely or mainly of signal transmissions and is carried over electronic communication networks. The regulator stated that not doing so “constitutes a serious offence which could damage the interests of users and competitors”.

Skype however argued that it is not providing a telecommunications service. A conversation with SkypeOut works on the one hand via the official telecom operators and on the other hand via internet providers. These two parties take care of the transmission of the signal and are therefore subject to regulation. In other words, Skype delivers the interface and prepares the VoIP data packets for sending, but only telecom companies and internet providers transport those packages. To motivate its argument, Skype refers to the legal definition of an electronic communication service. It states that such a service is entirely or mainly concerned with sending signals. Skype does work with such companies, but does not have digital pipelines to forward these signals.

EU judges will now have to decide on the criteria to classify companies as telecom operators / electronic communications service providers, which may impact Skype’s and other providers statuses as electronic communications providers in both EU and Belgian laws.

Posted in Telecoms

New Electronic Communications Code – now in force!

The new Electronic Communications Code came into force on 28 December 2017.

The intention behind the new Code is to introduce a range of measures to make it easier for telecoms operators to roll-out infrastructure.  The Code therefore gives telecommunications operators statutory rights to enable the installation, maintenance and use of telecoms equipment in order to operate their networks or provide an infrastructure network.  Such rights are known as “code rights” under the new Code.

As under the previous Code, operators can acquire Code rights by either entering into an agreement with a landowner or by serving notice on a reluctant landowner and then applying to the court for an order imposing an agreement.  The court will make such an order where it considers that: (1) the prejudice caused to the landowner can be adequately compensated by money; and (2) where the public benefit outweighs the prejudice to the landowner (taking into account “the public interest in access to a choice of high quality electronic communications services”).  However, the court cannot make such an order where the landowner intends to redevelop and would not be able to do so if the order were granted.

We set out below the key changes from the previous Code and key points to note.

  • No contracting out: Any terms in agreements that are contrary to the provisions of the Code are not enforceable;
  • Upgrading and sharing: Operators may upgrade equipment and/or share their sites with other licenced operators without landowners’ consent, if the changes to the equipment have no more than a minimal adverse impact on its appearance and no additional burden is imposed on the landowner;
  • Assignment: Operators may assign their rights without landowners’ consent save that a landowner may require the outgoing operator to guarantee the incoming operator’s obligations;
  • Consideration: The consideration granted to a landowner where a court imposes an agreement is based on the market value of the land on a “no scheme” basis (i.e. ignoring the value of having the telecoms equipment on the site and the Code rights that attach to it).  The current view in the market is that this will lead to lower rents/fees for landowners;
  • Statutory continuation rights: Telecoms leases will be outside of the scope of the Landlord and Tenant Act 1954, but operators continue to have separate statutory continuation rights under the Code.
  • Termination: Agreements between landowners and operators can provide for early termination of an agreement but landowners also need to consider an operator has statutory continuation rights under the Code.  Regaining possession of a site is unlikely to be as simple as serving a contractual break notice.  Instead, landowners will have to follow two separate processes set out in the new Code in order to (i) remove the Code rights and (ii) remove the apparatus itself.  This is likely to take around two years, as the landowner’s notice to remove the operator must give at least 18 months’ notice and can only be served if one of a specified number of grounds for termination applies;
  • Who is bound by agreement: It appears to be the case that an agreement entered into by a tenant will not bind the freeholder (although the freehold owner could find itself the subject of a court-ordered agreement if the operator does not want to leave the site on termination of that agreement);
  • Who can benefit from Code rights: Code rights can now be conferred not only on an operator but also on a person who provides infrastructure services for operators. Under the new Code an operator may apply to the Court for the grant of “interim code rights” for a specific period of time or until the happening of a specified event; and
  • Existing agreements: Agreements entered into when the previous Code was in force now need to be read in conjunction with the transitional provisions in the new Code as these have modified the operation of the some of the provisions of the old Code.

Ben Rogers (Legal Director), Rob Shaw (Senior Associate) and Jane Summerfield (Professional Support Lawyer) – DLA Piper UK LLP

Posted in Telecoms Uncategorized

Roaming and MVNOs – too clever by half

Just a quick note to draw attention to a decision by BIPT, the regulator in Belgium here

Lycamobile has been fined €30,000 for violation of the “roam like at home” requirements of the roaming regulation (contained in the 2012 regulation as amended in 2015). It appears that they were offering add-on bundles (at attractive prices) that did not did allow roaming alongside more expensive plans which did allow roaming (and which in practice would only ever be used when roaming).

The roaming regulation prohibits “roaming providers” from charging any surcharge ontop of the “domestic retail price” for roaming, and goes on to prohibit “any general charge to enable the… service to be used abroad”. The regime also includes wholesale price caps that the visited operator’s network can charge to the roaming provider for roaming services.

This puts MVNOs like Lycamobile in a difficult position because – as an MVNO – they never receive any inbound roaming revenue but yet the regulation now requires them to offer roaming to end users without any additional charge though they will incur an additional incremental fee. Thus each extra Mb or minute when roaming will be loss-making for them. Lycamobile must have designed their offer thinking they had found a way around this problem – but unfortunately for them the BIPT has determined that this violated the roaming regulation’s requirements.

In my opinion* it would always be open to an MVNO to block roaming for its end-users entirely – there is no requirement that roaming be offered, only that *if* it is offered there can be no surcharge. The issue here is that Lycamobile appeared to be allowing roaming but charging for it at a different rate from the rate applicable for domestic bundles.

Finally – and as an aside – i think the roaming regulation is clear that MVNOs *are* entitled to the benefit of the wholesale price caps – though if they are effectively reselling roaming bought from their domestic host MNO (called “wholesale roaming resale access”) then the host is entitled to charge a “fair and reasonable” increment on top of the regulated rate to reflect their extra costs in supplying roaming to the MVNO from the visited operator (see Article 3 of the 2012 Roaming regulation). We have seen some MNOs attempt to charge their MVNOs much more than this, arguing that the roaming regulation does not apply. This would appear to be wrong.

*Of course this is not legal advice and specific advice should be sought to confirm in any particular situation.

Posted in International Privacy New Privacy Laws Privacy and Data Security

New guidelines on the application and setting of fines under GDPR

Written by Petr Šebatka and Jan Metelka

Less than 6 months remain for individuals and companies to get ready for the breakthrough regulation in personal data protection envisaged by the Regulation 2016/679 of 27 April 2016[1] (furthermore as “GDPR“).  Since the final version of this Regulation, experts have tried to clarify some remaining “grey” areas to leave as few room for doubts and misinterpretations as possible. The most relevant and valuable inputs came from the Article 29 Data Protection Working Party, which is composed of representatives of the supervisory authorities designed by each EU country, representatives of the authorities established for the EU institutions and bodies and a representative of the European Commission. Also in relation to GDPR, the guidelines and FAQs from the Article 29 Working Party were proven undeniably helpful in clearing some outstanding issues, such as the right to “data portability”[2], role of Data Protection Officers (“DPOs”)[3], role of the Lead Supervisory Authorities[4], or for example, the consequences of automated individual decisions making[5].

 

One of the main reasons for the fuss regarding GDPR and for quick implementation of all required obligations is the issue of fines, further described in the wording of Article 83 of GDPR. A fine may be granted up to a maximum of EUR 10,000,000 (or up to 2% of the total worldwide annual turnover in the case of an enterprise) or up to EUR 20,000,000 (or up to 4% of the total worldwide annual turnover in the case of an enterprise). The breakdown into two groups reflects the importance of breached obligations where the higher rate group has obligations whose breach is expected to increase the level of interference with the right to protection of personal data that GDPR ensures. The lower rate includes, for example, a breach of the provisions on records of processing or privacy impact assessments, while higher rates include, for example, breaches of the principles governing the law and the lawfulness of processing, the conditions for consent to the processing of personal data, the conditions for processing specific categories of personal data and the rights of the data subject.

Article 83 already includes a brief condition for the calculation of the fine: that regard shall be given mostly to the nature, gravity and duration of the infringement, the intentional or negligent character of the infringement, any action taken by the controller or processor to mitigate the damage, the degree of responsibility of the controller or processor, any relevant previous infringements, the degree of cooperation with the supervisory authority or the categories of personal data affected by the infringement. That provides a fair overview on how should the potential fine be calculated.

However, in the viewpoint of Article 29 Working Party, this distinction is not clear enough and therefore the Working Party in October 2017 adopted the respective Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679[6] (furthermore as “Guidelines“), being the first and most relevant document for the interpretation of Article 83 of the GDPR and its interplay with Articles 58, 70 and their recitals. The goal is that these Guidelines shall be used by the supervisory authorities to ensure better application and enforcement of the GDPR. Although the Guidelines are not exhaustive and cannot provide the reader with the differences between administrative, civil or criminal law sanctions in various countries in general, they can serve as a template for a common consistent approach among member states.

That is stressed in the first section of Guidelines explaining the main Principles, such as that the level of protection should be equivalent in all Member States (in cross-border cases consistency shall be achieved primarily through the one-stop shop cooperation mechanism) and all imposed measures shall be effective, proportionate and dissuasive in both national cases and in cases involving cross-border processing of personal data. The Guidelines then continue with the important concept of assessing each case individually, which shall mean, that choosing the appropriate measures must include consideration of all of the corrective measures, which would include consideration of the imposition of the appropriate administrative fine, either accompanying a corrective measure under Article 58(2) of GDPR or on its own.

Key part of the Guidelines is dedicated to the various assessment criteria arising from the Article 83 (2) GDPR, which are listed under letters a) – k) and some of them have already been mentioned above in this text. It provides the reader with a further description of what is deemed long duration, intentional/negligent character, various mitigating actions, steps of responsibility of data controllers and processors and many others. In conclusion it is safe to say, that using the Guidelines across the European Union, the degree of coherence would be significantly higher, positively contributing to the legal certainty of all parties and further increasing the quality of contemporary data protection laws in the European Union.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), which could be found online on http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf

[2] http://ec.europa.eu/newsroom/document.cfm?doc_id=44099

[3] http://ec.europa.eu/newsroom/document.cfm?doc_id=44100

[4] http://ec.europa.eu/newsroom/document.cfm?doc_id=44102

[5] http://ec.europa.eu/newsroom/just/document.cfm?doc_id=47963

[6] http://ec.europa.eu/newsroom/just/document.cfm?doc_id=47889

LexBlog