DLA Piper and Access Partnership recently hosted a webinar on the next generation of Over-the-Top (OTT) regulations. A panel of senior telecommunications lawyers, policy analysts and the former head of a national telecommunications regulator discussed how OTT connectivity providers will be affected by the new European Electronic Communication Code (“Code”), which is to be incorporated into national legislation by 21 December 2020.
Given the level of interest in the topic and the number of questions asked during and after the webinar, Access Partnership drafted this memorandum to highlight the main changes affecting OTT connectivity providers as a result of the Code. We first review the classification of OTT providers prior to the Code, and then study the expected impact of the Code, including which service areas are likely to be affected. We conclude by offering OTT providers guidance on their next steps and how they might limit the potential regulatory burden.
OTT Framework Prior to the Code
The regulatory framework under the electronic communication directives from 2002 did not consider OTT services. It was drafted to regulate the conveyance of signal, leaving OTT connectivity providers sufficient room to argue that their services were not electronic communication services (ECS) as they did not provide transmission of signals.
There was also little regulatory guidance or case law on this subject. The most comprehensive analysis was prepared in 2016 by BEREC and defined OTT services as “content, a service or an application that is provided to the end user over the public Internet,” classifying those services into three categories:
- OTT-0 services, which qualify as ECS, where connectivity is provided to the publicly available telephone service;
- OTT-1 services like voice or instant messaging, which compete with but are not ECS; and
- OTT-2 services such as video or music streaming, which do not qualify as or compete with ECS.
The analysis concluded that there was no harmonised approach to OTT regulation within the EU and that national authorities take divergent approaches when regulating OTT connectivity providers. Where some Member States have remained more liberal, others have been more stringent. For example, regulation in Germany and Belgium required companies providing SkypeOut and Gmail application services to be notified as ECS providers.
The ambiguity around OTT began to change in 2019, when the European Court of Justice (ECJ) found SkypeOut to be an ECS as it allowed connectivity via the public switched telephone network (PSTN). The same court, however, determined that the Gmail application was unlikely to be an ECS as it did not “actively participate in sending and receiving messages.” As is evident from our analysis, the Code reflects the ECJ judgements to an extent.
OTT Services Under the Code
The Code has expanded the definition of an ECS to cover OTT connectivity providers. The new definition includes three categories of electronic communication services:
- Internet access services;
- Services which wholly or mainly consist of conveyance of signals; and
- Interpersonal communication services (ICS).
The last category includes services which enable communication between a finite number of natural persons, determined by the sender of the communication. This category is further divided into number-based and number-independent services. A service is number-based if it connects or enables communication with publicly assigned numbers, covering all types of services which provide connectivity via the PSTN. This corresponds to the OTT-0 category described by BEREC.
A service is number-independent if it does not connect or enable communication with publicly assigned numbers. This definition is likely to cover all voice and instant messaging which occurs outside of the PSTN, corresponding with the OTT-1 category of service under BEREC’s classification. However, it should be emphasised that using numbers as an identifier does not itself qualify a service as a number-based ICS. An entity using publicly assigned numbers as an identifier for connecting its end-users within its own application without connecting to the PSTN is unlikely to be considered as a number-dependent ICS.
Furthermore, if a communication service is provided as a minor ancillary feature to another service, then this would not be considered as an ICS and would not be regulated by the Code. For example, if a video game application allows the occasional communication between players for them to participate in the game, such activity is likely to fall outside of the definition of an ICS.
Finally, the Code does not address the OTT-2 class of services such as video or music streaming platforms as they are not related to communication services and therefore considered to fall outside the scope of the Code.
Number-Based ICS Providers Under the Code
The Code has largely codified the approach of the ECJ, removing the regulatory uncertainty which prevailed before and after the 2019 ECJ decision. Under the Code, number-based OTT connectivity providers are considered ECS provider and it is therefore important to consider what obligations they will be subject to.
A number-based OTT connectivity provider generally needs to notify the national telecommunication regulatory authorities (NRA) in each EU Member State where it intends to provide services prior to offering services. The Code has not abolished the notification requirement across the EU, and it does not provide a pan-European notification scheme which would allow providers to register with one NRA to be entitled to provide services across the entire EU.
The Code has, however, simplified the notification process by providing a list that limits the information that can be requested by NRAs, making notification easier and more straightforward. The Code has also removed any specific requirement to have local representation in a country for notification purposes. From an administrative perspective, this makes it relatively easy for EU based ECS providers to be notified in all EU Member States. However, it should be noted that ECS providers in several Member States would be subject to regulatory fees and recurring reporting requirements.
In addition to notification, number-based providers would need to obtain numbers. This can be achieved in three ways:
- Applying directly to the NRA – this process is likely to be subject to regulatory fees;
- Transferring numbers from one ECS provider to another – this process is usually allowed and strictly regulated by NRAs; and
- Obtaining numbers via “sub-assignment” – this process is reviewed in more detail below.
List of Associated Requirements
Being considered an ECS provider makes an entity subject to several electronic communication conditions. A list of these conditions is provided in Annex 1 of the Code. We describe some of the main requirements that number-based OTT providers may need to fulfil:
- Ensuring personal data and privacy protection as provided in Directive 2002/58/EC, including a notification requirement to the competent national authorities and subscribers or individuals if there is a breach of privacy;
- Enabling lawful interception, including data retention and disclosure to the competent national authorities;
- Providing access to emergency services;
- Allowing number portability;
- Ensuring compliance to end-user and consumer protection requirements that apply under the Code;
- Providing the interoperability of services.
Annex 1 of the Code does not include all the requirements that ECS providers would be subject to under the Code. In addition to the above conditions, number-based OTT providers are likely to be required to implement Know Your Customer rules in order to have sufficient information about their customers and to ensure that customers use numbers in accordance with the National Numbering Plan. For example, geographic numbers must not be used outside their use area. ECS providers also need to take the necessary measures to ensure the security of their services and to inform the NRAs, and in some cases their end-users, of any significant security incidents.
Sub-Assignment of Numbers
Since they are classified as ECS providers, number-based providers will be subject to several requirements. Depending on the size and scope of their services, these requirements may become very burdensome and create a barrier to market entry. However, the sub-assignment of numbers could mitigate this regulatory burden. The process allows an ECS provider to give (sub-assign) the use of a number to another provider while “keeping” the number in its own name. It is a highly controversial process that is prohibited in some jurisdictions but permitted in others. For many countries, however, national frameworks either do not address this issue at all or provide very ambiguous guidance.
This creates legal uncertainty for providers. A more harmonised framework for sub-assignment would provide clarity on several obligations relating to emergency service carriage and number portability, as well as consumer protection and Know Your Customer rules. The Electronic Communications Committee recently published a report in which it reviewed various obligations associated with sub-assignment. While the report addresses some concerns about the practice, the regional European body highlights several benefits of sub-assignment, including lowering market entry costs.
The Code does not address sub-assignment, leaving it to Member States to determine how they want to regulate the process. Considering the number of requirements associated with the use of numbers, Member States may decide to allow sub-assignment between providers when in the process of incorporating the provisions of the Code into their frameworks.
Number-based OTT providers planning to obtain numbers by sub-assignment may therefore need to review the relevant rules in each of the EU Member States to determine whether it is allowed, under what conditions and with what associated requirements. It would be advisable to confirm these requirements prior to entering into commercial agreements. If sub-assignment is not allowed or is subject to certain requirements that are not fulfilled, the assignment and use of numbers may be illegal.
OTT connectivity providers whose services include connecting end-users via the PSTN would need to be notified in all EU Member States in which they provide services and must comply with the relevant requirements for providing those services. The requirements can be burdensome, especially for entities seeking to enter the market. We emphasise that Member States may set higher regulatory standards than those provided in the Code, and it is the responsibility of service providers to ensure their services are offered in accordance with national requirements.
The sub-assignment of numbers could be a solution to simplify market entry; however, neither the Code nor many Member States provide much guidance on the process. It is unlikely, but not impossible, that some Member States will decide to add sub-assignment rules into their national legislation while incorporating the provisions of the Code. This would be a welcome step that would provide more legal certainty and reduce the regulatory burden and cost of providing services.
Number-Independent ICS Providers Under the Code
Number-independent ICS providers are also regulated by the Code, and their services are classified as ECS. However, unlike for number-based ICS providers, the Code does not require number-independent providers to be notified to NRAs and has exempted them from most of the requirements that apply to other ECS providers. The Code has therefore effectively reversed the ECJ Gmail decision, allowing Gmail services to be classified as ECS but, at the same time, exempting its provider from most ECS requirements.
List of Associated Requirements
The “soft” approach to number-independent ICS providers does not mean that they are exempt from all obligations under the Code. For example, like number-based ICS providers, they would have to take the necessary measures to ensure the security of their services, including encrypting communication where required.
Number-independent ICS providers are also obliged to guarantee certain end-user rights. For example, they may need to ensure that end-users have free-of-charge access to at least one independent comparison tool that enables them to compare and evaluate publicly available number-independent interpersonal communications services, regarding prices and the quality of services.
Furthermore, the Code’s expansion of the definition of ECS to include number-independent ICS means the scope of the Directive 2002/58/EC is equally expanded to also cover number-independent ICSs. These will be subject to provisions on personal data and privacy protection, including the obligation to report any data breach to the competent national authorities and, if required, to subscribers and individuals.
National legislators implement the provisions of the Code into their legislation and states may choose to enact laws that create a more burdensome regime than provided in the Code. For example, the current Spanish draft law to implement the Code will require number-independent providers to be registered as ECS providers. This means they will likely to be subject to several requirements from which they would have been exempt under the Code. It remains to be seen whether this will become a trend throughout Europe, where number-independent ICS providers will be regulated similarly to other ECS providers. The Code itself states that it is not appropriate to subject number-independent ICS providers to a more burdensome regime as they do not benefit from the use of public numbering resources and do not participate in a publicly assured interoperable ecosystem.
This dynamic may change as the Code opens the door for mandated interoperability (i.e. requiring users of communication services to be able to use the service to communicate with users on other communication platforms) between number-independent ICS providers in the future. If this requirement is to be implemented by Member States, it could significantly impact number-independent ICS. It should be noted, however, that the Code provides very strict requirements for this scenario, and it is unlikely that such interoperability will be mandated anytime soon. However, the European Commission will continually review the need for interoperability between services, and this could empower national authorities to require interoperability between number-independent ICS platforms.
According to the Code, number-independent ICS providers would not require notification and would be exempt from most of the requirements in the Code. Nevertheless, some Member States may decide to set more stringent requirements, including the notification of services with NRAs.
It is unlikely that all Member States will implement the provisions of the Code into their national laws before the 21 December 2020 deadline. As national regulators are inviting industry to give feedback on draft bills, the OTT industry has the time and opportunity to influence the execution of the Code. At the same time, OTT connectivity providers need to understand the extent to which they will be affected in each EU Member State and ensure their regulatory compliance.
 For more information on data privacy under Directive 2002/58/EC and security of services under the Code please see Access Partnership’s report “Impact of Cybersecurity Regulations on ICT Companies in the European Union”.