The European Data Protection Supervisor (EDPS) said that internet users' privacy rights would be at risk if proposals drawn up by the European Commission were introduced.
It warned that the Commission's telecoms market reform plans would give ISPs the opportunity to engage in "wide-scale, preventive monitoring of communications content" and said that such surveillance would "not only go contrary to the right to confidentiality of communications, as well as privacy and personal data protection" but could also "seriously undermine consumer confidence in electronic communications services across the Union".
"The proposal provides a number of grounds for traffic management measures that scan and discriminate among various types of content," the EDPS said in a new opinion (11-page / 116KB PDF) it has issued on the Commission's proposals. "Such measures significantly limit net neutrality and interfere with end-users' rights to privacy and the protection of personal data, as laid down in the [EU's] Charter and [the Data Protection Directive}, as well as the confidentiality of communications under [the Privacy and Electronic Communications Directive]."
Net neutrality is the principle that an ISP will deliver all content requested by a customer equally, not allowing content producers to have preferential access to subscribers. The Commission has outlined plans to introduce this concept into EU law, alongside a number of exceptions that enable ISPs to tailor the service they deliver for traffic management purposes. ISPs engage in traffic shaping, or traffic management, to ensure that one user's heavy use of a network for downloading material does not prevent another user of that network from being able to perform basic tasks such as sending or receiving email or looking at web pages.
Under the Commission's proposals specifically, ISPs would be obliged to deliver "the continued availability of non-discriminatory internet access services at levels of quality that reflect advances in technology and that are not impaired by specialised services".
The rules provide freedom for ISPs to agree on the precise data volumes and speeds of service they will provide to consumers but they prohibit ISPs from "blocking, slowing down, degrading or discriminating against specific content, applications or services, or specific classes thereof" unless it is "necessary to apply reasonable traffic management measures".
'Reasonable traffic management measures', such as the blocking or throttling of communications, can be implemented by ISPs as part of their efforts to combat serious crimes, such as the distribution of child pornography. The term also covers cases where ISPs are seeking to "preserve the integrity and security" of their network or services they deliver over the network, as well as to "prevent the transmission of unsolicited communications" where customers have consented to the ISPs taking such action.
In addition, traffic management techniques can be deployed so as to "minimise the effects of temporary or exceptional network congestion provided that equivalent types of traffic are treated equally". ISPs' traffic management must be "transparent, non-discriminatory, proportionate and necessary" in each case, according to the draft plans.
The EDPS expressed concerns about the use of 'deep packet inspection' techniques that ISPs use when engaging in traffic management. It said the new rules should force ISPs to use less intrusive "communications inspection techniques" whenever those measures are sufficient to achieve the aims of the traffic management rules.
The watchdog warned, however, that some of the provisions themselves that permit traffic management to be engaged in were too broadly worded and could result in ISPs acting in a way that would disproportionately affect internet users' privacy rights.
"Using traffic management for the purposes of implementing a legislative provision or preventing and impeding serious crimes may entail a wide-scale, preventive and systematic monitoring of communications content which would be contrary to ... the EU Charter of Fundamental Rights, as well as [the Privacy and Electronic Communications Directive and Data Protection Directive]," the EDPS said. "Reference to these grounds should be removed from [the plans]."
The watchdog also called for the new rules to require greater openness from ISPs in their consumer contracts about the traffic management they could engage in to protect the security of their network and recommended that national data protection authorities be given a role in overseeing the new regime, alongside telecoms regulators that would otherwise monitor for compliance.