The European Union has imposed strict security requirements on Facebook and Skype

At the end of 2018, the European Electronic Communications Code was adopted, which expands the definition of electronic communications services to include online communications services in addition to traditional telecommunications. These include instant messaging platforms, e-mail, internet calls, and personal messaging on social media.

The need for a directive stems from the fact that users increasingly substitute traditional voice telephony and text messages conveyance services by functionally equivalent online services such as Voice over IP, messaging services, and web-based e-mail services. 

This change also means that online communications services will be covered by the ePrivacy Directive, which lays down rules on privacy in the electronic communications sector.

What do service providers need to keep in mind now?

Confidentiality – listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data is forbidden without the user’s permission. The obligation affects, for example, webmail services that display personalized or targeted advertisements based on the content of the email.

Communication security – Appropriate technical and organizational measures must be taken to mitigate the risks related to the security of networks and services. The level of security shall be determined to have regard to the state of the art and risk presented. In particular, such measures could include encryption to prevent security incidents from affecting users. Privacy settings by design and by default must also be ensured.

Restrictions on the use of traffic and location data – Traffic data includes inter alia, data referring to the time of a phone call, message, or e-mail, the sender and recipient of the communication, and their location. Traffic data must be deleted or anonymized unless it is necessary for invoicing (in this case only as long as it is possible to object to the invoice).

Traffic data may be processed the purpose of marketing electronic communications services or for the provision of value-added services only if the user has given his or her consent. Value-added services may, for example, consist of advice on least expensive tariff packages, route guidance, traffic information, weather forecasts, and tourist information. Marketing a communications service can also be the provision of targeted advertising related to the service.

The user’s consent must be freely given, specific, informed, and an unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her. In addition, the service provider must be prepared to prove the consent was given and provide the user with the possibility to withdraw the consent at any time.

Communication services, which are a minor and ancillary part of the basic service, are excluded from the scope of the directive. This may include, for example, chat windows used in computer games.

The new directive will enter into force on 21 December 2020, by which time Member States will have to transpose it into national law.

Get the latest about Hedman law firm


Our memberships:
FinanceEstonia, Lexing®,
Estonian Service Industry Association,
Estonian Chamber of Commerce and Industry,
EstVCA, EstBan, FECC,
IBA & IBA European regional Forum