Changes for ‘Over The Top’ communications services following their inclusion within the European Electronic Communications Code
Over the top communication (“OTT”) services were brought within the remit of EU communications regulation in 2018 in the European Electronic Communications Code (“EECC”) established by Directive (EU) 2018/1972.
In so doing, obligations under the ePrivacy Directive that apply to traditional communications services (voice phone calls (fixed and mobile) and text messaging (SMS)) and obligations under the European Accessibility Act now extend to OTT services, such as messaging, web-based email and voice over IP. Additionally, while the provisions transposing the EECC into Irish law only commenced in June 2023, the application of the EECC with regard to these services has already been overtaken, at least in respect of interoperability, by the Digital Markets Act. In this briefing we look at the key obligations for OTT services under the EECC and other key legislation.
Online communications
Under the former EU framework for electronic communications, an electronic communications service (“ECS”) excluded information society services that did not consist wholly or mainly in the conveyance of signals on electronic communications networks. However, OTT services that enable direct interpersonal and interactive exchange of information via electronic communications without connecting to the public telephone network, have become increasingly popular. Of course, as recognised in the EECC, from an end-user’s perspective “it is not relevant whether a provider conveys signals itself or whether the communication is delivered via an internet access service”.
- Interpersonal communications service: To bring OTT end-users within its reach, the EECC created a more expansive definition of an ECS, which includes an internet access service (“IAS”) and an interpersonal communications service (“ICS”). The ICS “enables direct interpersonal and interactive exchange of information via electronic communications networks between a finite number of persons, whereby the persons initiating or participating in the communication determine its recipient(s)…” (Services which “provide, or exercise editorial control over, content transmitted using electronic communications networks and services”, e.g., online newspapers, remain outside the scope of an ECS. Equally, services which “enable interpersonal and interactive communication merely as a minor ancillary feature that is intrinsically linked to another service”, e.g., chats in online games, come outside the scope of an ICS.)
- Number independent ICS: The EECC provides for two categories of ICS. A number based and a number-independent ICS. The number independent ICS (“NI ICS”) does not connect with publicly assigned numbering resources and it is this category of ICS that brings OTT providers within scope of the EECC.
Key Provisions for NI ICS providers
Most of the provisions of the EECC are transposed into Irish law in the European Union (Electronic Communications Code) Regulations 2022 (“Regulations”), with the Communications Regulation and Digital Hub Development Agency (Amendment) Act 2023 (“Act”) giving effect to the remaining provisions, to include enforcement.
Together the Act and Regulations impose a wide range of obligations on ECS providers. Because an NI ICS does not benefit from the use of public numbering resources and does not participate in a publicly assured interoperable ecosystem, it is not subject to the general authorisation regime under the EECC, nor is it subject to other obligations that apply to a number-based ICS or to other ECS providers, such as access to emergency services.
Interoperability: End to end connectivity
The EECC does not, in principle, impose interconnectivity requirements on an NI ICS. However, it provides for national regulatory authorities (in Ireland; ComReg) to impose obligations on relevant providers of NI ICS, which reach a significant level of coverage and user uptake, to make their services interoperable in justified cases, “where end-to-end connectivity between end-users is endangered due to a lack of interoperability between interpersonal communications services, and to the extent necessary to ensure end-to-end connectivity between end-users”. Interoperability may only be mandated in certain circumstances, including where the Body of European Regulators for Electronic Communications (“Berec”) has made a finding of an appreciable threat to end-to-end connectivity between end-users throughout the Union or in at least three Member States.
The EECC has been overtaken in this respect by the Digital Markets Act (Regulation (EU) 2022/1925) (“DMA”). Article 7 of the DMA includes interoperability obligations for designated number-independent interpersonal communications services provided by designated gatekeepers. According to Berec, these interoperability obligations, have the objective of unleashing and sharing network effects among several providers and facilitating market contestability, with a focus on ensuring end-to-end connectivity under Article 61(2) of the EECC. Of little surprise to users of these services, in its recent report on Number-Independent Interpersonal Communication Services (NI-ICS) which analyses amongst other aspects, the interplay between the two regulatory frameworks (DMA and EECC), Berec notes, that the use of these NI ICS has drastically increased over the past years and such services have now become a crucial means of communication for a variety of different users throughout Europe. In line with this, on 6 September 2023, the European Commission designated six organisations as gatekeepers under the DMA in respect of a number of core platform services, including two number-independent interpersonal communications services.
Breach Reporting, Security and ePrivacy
As we’ve previously described in our briefing ‘ePrivacy: EU Regulation Introduced to Allow Companies to Tackle Online Child Sexual Abuse’ (available here), the provisions of the ePrivacy Directive (2002/58/EC) (“ePD”) also extend to NI ICS providers because of their inclusion within the definition of an ECS. This creates additional obligations for NI ICS providers as regards security in the processing of personal data, confidentiality of communications and rules on unsolicited communications and cookies.
Careful navigation is required to operationalise the different breach notification requirements under ePD, EECC and GDPR. Helpfully the EDPB has published an opinion on the interplay between the GDPR and ePD providing guidance on breach notifications amongst other things. In terms of the EECC, Part 2 of the Act sets out obligations as regards security, requiring ECS providers to take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of networks and services (including the use of encryption, where appropriate, to prevent and minimise the impact of any security incidents). Providers must notify ComReg without undue delay of any security incident that occurs that has had or is having a significant impact on the operation of the provider’s services. In the case of a particular and significant threat of a security incident, users potentially affected by such a threat must be informed of any possible protective measures or remedies which can be taken by the users, and where appropriate, informed of the threat itself.
Informed choices and the completeness of contractual information
In bringing OTT services within scope, the EECC is seeking to ensure that consumers benefit from many of the protections available to them when using traditional communications services and to improve the trust of end-users in these services. To this end an IAS and publicly available ICS providers must comply with a number of obligations set out in the Regulations, including a requirement to:
- Provide the consumer with certain prescribed pre-contract information in long form and in a concise and easily readable contract summary format. This information becomes an integral part of the contract and must not be altered unless the contracting parties expressly agree otherwise.
- Offer consumers the facility to monitor and control the usage of their service, where the service is billed on the basis of either time or volume consumption.
- Publish such of the information referred to in Schedule 8 as is pertinent to the provider (if it makes the provision of its service subject to terms and conditions).
End users will also have access to comparison tools to enable them to compare and evaluate different ECS services, including where applicable publicly available NI ICS. Berec expects this tool to be of particular benefit for end users along with the requirement for providers to provide a contract summary.
Parts 4 and 5 of the Act, which commenced on 9 June 2023, provide for further transparency and end user benefits. Part 5 contains detailed provisions for resolving customer complaints and disputes, while Part 4 gives ComReg power: to require an IAS and publicly available ICS provider to publish user-friendly and up-to-date information in relation to the quality of their services; to specify minimum quality-of-service standards that the IAS and publicly available ICS provider must meet when providing these services to their end users; and to require the publication and maintenance of a publicly available customer charter.
Accessibility requirements for end users with disabilities
Tied-in to many of the end user rights in both the Regulations and the Act and consistent with the aims of the EECC, are obligations as regards accessibility for end users with disabilities. For example, the contract summary referred to above must include information on the extent to which the products and services are designed for end-users with disabilities. The prescribed pre-contract information in long form must, upon request, be provided in an accessible format for end-users with disabilities. The information set out in Schedule 8 to ensure that all end-users can make informed choices, includes details of products and services specifically designed for end-users with disabilities, in accordance with European Union law harmonising accessibility requirements for products and services.
Crucially, the accessibility provisions in the EECC are “complemented” in the European Accessibility Act (Directive (EU) 2019/882), (“EAA”) which provides for accessibility requirements for a wide range of products and services to include, consumer banking services and e-commerce services, and consumer computers, operating systems and certain terminal equipment. With respect to the EECC, the EAA harmonises accessibility requirements for electronic communications services and related products. It adopts the definition of an ECS from the EECC and its provisions will apply to an ECS provided to consumers after 28 June 2025.
Given the increase in popularity of NI ICS services we expect that this will be an area of continued focus for the EU in developing its digital strategy into the future.