The European Commission wants providers of electronic communications services to play a more central role in educating their customers about security risks involved in using their services.
The Commission's plans are contained within a proposed new Privacy and Electronic Communications (ePrivacy) Regulation that it published earlier this year and would apply to both traditional telecoms companies, like internet service providers and mobile network operators, as well as 'over-the-top' communication service providers of services such as webmail, internet calls, and internet chat/messaging – even when the communications service is ancillary to a primary activity like gaming or dating. As a Regulation, it would apply directly in all EU member states, including the UK, from 25 May 2018.
However, much like the new 'cookie' law proposals, the plans put forward lack precision and clarity and should be reconsidered.
The new security risk notification obligations
The new security risk notification requirements are set out in Article 17 of the proposed new ePrivacy Regulation:
- "In the case of a particular risk that may compromise the security of networks and electronic communications services, the provider of an electronic communications service shall inform end-users concerning such risk and, where the risk lies outside the scope of the measures to be taken by the service provider, inform end-users of any possible remedies, including an indication of the likely costs involved".
Further detail on the steps the Commission wants electronic communication service providers to take is contained in a recital, which is non-binding but sometimes given weight by regulators and courts, in its proposed text:
- "Service providers who offer electronic communications services should inform end-users of measures they can take to protect the security of their communications for instance by using specific types of software or encryption technologies. The requirement to inform end-users of particular security risks does not discharge a service provider from the obligation to take, at its own costs, appropriate and immediate measures to remedy any new, unforeseen security risks and restore the normal security level of the service. The provision of information about security risks to the subscriber should be free of charge. Security is appraised in the light of [the security requirements under the EU's General Data Protection Regulation (GDPR)]".
Under the proposals, each EU member state would be responsible for setting its own rules on penalties for infringements. The penalty regimes would need to be "effective, proportionate and dissuasive".
The problems with the approach
The Commission's Article 17 wording is an extremely unclear expansion of obligations under the current ePrivacy Directive, which the new Regulation would replace.
For example, under the ePrivacy Directive, the obligation is to notify subscribers of security risks "which lie outside the scope" of measures taken by the service provider, i.e. risks which the provider has not been able to mitigate through its own security measures. There is no such qualification in Article 17. However, if a provider has already addressed a particular risk, why should it be made to incur costs to notify the risk to its end-users? Wouldn't such notifications simply cause them to be concerned for no good reason? A similar qualification to that which applies currently should be included in the ePrivacy Regulation.
Furthermore, it is not clear whether the reference to any 'particular' risk relates only to a risk that could compromise the notifying provider's own network or service security, or whether it extends more broadly to other risks, such as the 'Heartbleed' bug, which could compromise many providers' network or service security generally. It would not make sense if providers were required to notify their end-users of all general risks, and not just risks affecting that provider.
It is similarly unclear whether the provisions would apply to security risks that could compromise the security only of an end-user's device or end-user data, such as ransomware, but not the security of the provider's network or service as a whole.
Those uncertainties arise partly because "security" of "networks and electronic communications services" is undefined. This is probably a drafting error, as it is defined in another proposed Directive, some of whose definitions are imported into the proposed ePrivacy Regulation.
Under that proposed Directive, 'security' of networks and services is defined as "the ability of electronic communications networks and services to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, those networks or services". In the context of the ePrivacy Regulation, it would have been beneficial for the loose reference to 'networks' to have been clarified as referring to "electronic communications networks".
In addition, the wording 'may compromise' would set a very low threshold for notification of particular risks.
A rethink is necessary
User awareness and education regarding cybersecurity is obviously a very important issue. However, the ePrivacy Regulation's security risk notification provisions, as drafted by the Commission, would place the general responsibility for educating and tutoring end-users about security firmly onto electronic communications service providers.
The proposals, if adopted by the European Parliament and Council of Ministers, could lead to businesses and consumers that use electronic communication services being overloaded with unnecessary information that they may lack the knowledge, expertise and/or resources to be able to apply. This is because of how broad and unclear the proposed new rules are. It could also raise costs for end-users: because service providers must provide risk notifications to end-users free of charge, and even research and inform end-users, free of charge, of the cost of encryption software etc., they may raise prices generally to pass the increased costs on.
Some of the problems with the proposed ePrivacy Regulation may well stem directly from unclear drafting. However, the introduction of an expanded risk notification requirement is a much larger issue, and needs a considered policy decision in consultation with all relevant stakeholders as to where this kind of responsibility should lie, what would be the most effective way to implement it in practice to achieve the desired policy objective, and also who should be subject to the corresponding liabilities. A Regulation, directly applicable in all EU member states, ought to be drafted much more clearly than the current ePrivacy Regulation.
A considered debate, though, may be difficult as the Commission has indicated that the new ePrivacy Regulation should be in force from 25 May 2018, the same date that the GDPR comes into effect. It will be up to MEPs and national governments from across the EU to ensure that these new provisions are appropriate in their scope and thresholds, proportionate to achieve their aims, clear, and practicable, rather than increasing the information overload on businesses and consumers without necessarily improving their security posture.
Dr. Kuan Hon is an information law specialist at Pinsent Masons, the law firm behind Out-Law.com.