HL Chronicle of Data Protection : Privacy Lawyers & Attorneys : Hogan Lovells Law Firm : Data Security, E-Commerce & Technology

The Opinion concludes that a website can’t require consent to collect personal data from a user as a condition for subscribing “[g]iven that the Internet has become an essential tool both for work and for leisure purposes.” Thus, websites that condition entry on personal data are not allowed. Moreover, it opines that consent must be obtained from “all users” in a communication. Query whether and how this would apply to a data-mining free email account, where the subscriber has consented but her correspondent has not. 

The Opinion recognizes that consent to inspect a customer’s traffic or content data may not always be possible, or necessary, for all monitoring functions. But the Opinion is likely to be cited by those seeking to link privacy rights and personal data to the network neutrality cause; in the US, privacy has not been in the forefront of this debate. 

On Nov. 20 neutrality advocates in Europe inched their efforts forward when the Industry, Research and Energy Committee (ITRE) of the European Parliament voted to ask the EC to come up with more guidance on network neutrality. This step, too, marks a backing away from last spring’s “wait-and-see” stance.   Among other things, the resolution calls on the European Commission to ensure that ISPs “do not block, interfere with, discriminate against, impair, or degrade the ability of any person to use a broadband service to access, use, send, post, receive, or offer any lawful content, application, or service made available via the Internet.” This language actually goes farther than the FCC’s neutrality rules, which bars only “unreasonable” discrimination. There appears to be an E.U. carve-out for mobile Internet traffic, similar to the FCC’s reduced treatment for this presumably bandwidth-constricted technology.

 One reason the E.U. has lagged the U.S. in net neutrality regulation is that European telcos have generally been required to unbundle their last mile copper plant. Multiple ISPs, in theory anyway, can serve a residence. With ISP competition possible to every residence, a customer can switch if she doesn’t like the ISP’s terms and conditions. 

In the U.S., telcos were freed from unbundling in 2005, and cable networks were never generally subject to the requirement. Despite extensive head-to-head broadband competition in most of the country, competition is not universal in all 50 states. U.S. Regulatory proponents note this lack of competition in rejecting a market-based solution to issues of ISP conduct.

The Article 29 working party comes at this from the angle of protecting European citizens, and complains that the lack of harmonization creates different levels of protection of personal data between different Member States, defeating the Data Retention Directive’s objective of harmonization. In this particular case, however, the interests of communications providers and EU citizens converge, because different rules on data retention create additional costs for communications providers, as well as different risks for citizens. The directive currently allows Member States to apply data retention periods of between 6 and 24 months. Several of the large EU Member States have chosen a period of 12 months, and the Article 29 working party recommends that the directive be amended to impose a single harmonized period instead of giving Member States a choice. 

The legislation of Member States is fairly consistent regarding the kind of data to be retained for traditional voice communications, but for IP-based communications the practices vary. On this point, the Article 29 working party emphasizes that the only data that Member States can require service providers to retain are those listed in Article 5 of the Directive. In particular, the destination IP address and the URLs of web sites cannot be retained, because those data provide information on the content of the communication, which is prohibited. The working party deplores that many operators do not apply automatic erasure procedures at the end of the legally mandated retention period, and that many operators do not conduct security audits. Finally, the report complains that Member States have different definitions of what a “serious crime” is that would justify the communication of data to law enforcement personnel. The report recommends harmonization on this point too.

Although not specifically mentioned by the working party, the question of whether illegal downloading of copyrighted material is a “serious crime” is obviously a key issue, because several European countries are putting into place graduated response mechanisms that rely on the ISP communicating traffic data to a court or administrative body for the purpose of identifying the alleged infringer. On that front, BT and Talk Talk have lodged a complaint in the UK claiming that the Digital Economy Act, which allows OFCOM to send warning letters to individual infringers, violates fundamental privacy laws http://www.guardian.co.uk/technology/2010/jul/08/bt-talktalk-challenge-digital-economy-act . 

Some courts are also questioning the constitutionality of national data retention laws enacted to transpose the Data Retention Directive. Last March, the German Supreme Court held that the implementation of a German law on data retention violated fundamental privacy rights, and ordered that the application of the law be suspended until such time as the government narrows its scope http://news.cnet.com/8301-13578_3-10462117-38.html .