What's the situation?
The European Commission appears poised to impose new privacy obligations on "over-the-top" (OTT) messaging and call providers. Earlier this year the European Commission opened a public consultation on the European Union's (EU) ePrivacy Directive in order to gain feedback on potential reforms to the framework, including whether OTT service providers (i.e. those providing instant messaging, voice over IP and email applications) should be subject to the same data privacy obligations as traditional telecommunications carriers. The objective of the Commission is to provide protection to consumers within the EU while ensuring that there is no distortion of competition as a result of disparate regulation. As it stands, the current ePrivacy Directive requires traditional telecoms carriers to protect users' security and prevents them from storing customer location and traffic data. Such restrictions are not extended to OTT providers.
What can we expect?
The public consultation closed on 5 July and a summary report on initial findings was published at the beginning of this month. The Commission's preliminary remarks have led to speculation that OTT services should expect to operate in a more restrictive environment when the Commission makes its recommendations known in the final report, due out in the autumn. Only then will legislative proposals start to appear and bring the path ahead into any real focus.
Is anyone happy?
Traditional telecoms carriers based in the EU have long maintained that OTT services have an unfair commercial advantage from the collection and exploitation of customer activity and location data, which is not possible for the more regulated traditional companies.
In contrast, OTT providers have voiced a concern that increased regulation could threaten their data driven business model, suggesting that they should continue to be free to utilise data, provided they maintain the privacy of their customer base. In addition, OTT providers claim that the right of the national governments under the present rules to restrict confidentiality for national security purposes would inhibit their ability to guarantee security and confidentiality of their services through encryption.
It seems that EU law-makers should prepare themselves for some fairly stiff lobbying from both sides.
How about US based OTT providers?
US-based OTT providers operating in the EU should certainly take note. But even if not operating in the EU, the proposed actions could influence US policy. For example, the potential action in the EU is similar to, but reaches further than, proposed new privacy rules that the Federal Communications Commission (FCC) announced earlier this year. The FCC proposes to extend (and expand) telecom privacy requirements to internet service providers (ISPs). The FCC is expected to act before the end of this year. The FCC Chairman, Tom Wheeler, has stated the agency will not extend these new privacy obligations to OTT or content providers but spill-over effects seem inevitable. In other areas, the FCC has begun to extend some telecom regulations to OTT messaging services that interconnect with the public telephone network, but as yet has refrained from regulating OTT messaging services that serve a closed community of users that must download the app.
Whether US or UK based however, all OTT providers should brace themselves for increased regulation when operating within the EU and prepare for the diversified business model that may be required as a result.