Government Affairs Blog
May 19, 2017
EXPANDING COMMUNICATIONS SERVICE TO THE EU WHILE COMPLYING WITH MANDATES FOR PRIVACY AND LAW ENFORCEMENT
As American communications service providers expand their networks to the European Union, they’ll confront a phalanx of new privacy laws and evolving mandates to assist law enforcement. The following examines the regulatory hurdles.
The Pro-Privacy Trend
The EU recently adopted its General Data Protection Regulation, which expanded and strengthened EU data privacy law, and scheduled it to take effect in May of 2018. Among other things, the GDPR restricts the manner in which the personally identifiable data of EU “data subjects” may be “transferred” outside the EU. The new law also increases the fines for privacy infringements. Accordingly, US communications providers that operate in the EU will soon be required to follow strict new protocols for the handling of EU subscriber data.
Further complicating the EU privacy landscape is Great Britain’s exit from the EU. Will the British apply the GDPR and ePrivacy Proposal or chart their own path to privacy protection? US service providers expanding to Europe may need to comply with one set of rules in Britain and another in the rest of the EU.
The world dominance of US Internet companies, along with disclosures about the vast surveillance capabilities of the US National Security Agency, continues to fuel EU demands for stronger privacy protection. These privacy fears may have been exacerbated by recent allegations regarding US surveillance of Russian diplomats and members of President Trump’s campaign staff. News reports like these can only motivate Europeans to toughen their privacy defenses.
The Pro-Law Enforcement Trend
Countering Europe’s pro-privacy trend are calls to give law enforcement more surveillance power to thwart terrorist attacks. The terrorist threat has continued unabated across the continent.
In response, some EU states have maintained or revised their data retention laws, even though the European Court of Justice struck down the EU-wide data retention mandate in 2014. Germany adopted a data retention law in December of 2016. The new law, which takes effect in July of this year, will require the retention of communications metadata by any communications provider with facilities in Germany.
Great Britain adopted its Investigatory Powers Act in December 2016, though it has not yet taken effect. Under this pro-law enforcement statute, the government may serve a “technical capability notice” on a domestic or foreign communication provider with facilities in the country and then compel the provider to upgrade its network with certain surveillance capabilities.
Most alarming to the communications industry, the EU and certain EU member states are considering “data localization” laws. These measures, currently adopted only in countries such as Russia, China and Brazil, would keep a nation’s communications data stored within its borders, thereby facilitating investigations of the data by law enforcement. Network owners loathe the prospect of building a separate data center in each country they serve.
Recurring cyber attacks worldwide have stolen mountains of private information and paralyzed communications networks. This threat alone may lead governments in all jurisdictions, including the EU, to intensify law enforcement scrutiny of Internet activity. If so, the authorities will likely expect increased cooperation from network owners.
The Challenge for US Communications Providers
Any US company may face legal challenges when entering foreign markets such as the EU. But for US communications providers, such expansion poses uniquely complex risks. American operators in Europe increasingly find themselves squeezed between demands for more privacy and more public safety.
How American competitors will contend with the EU’s regulatory tug-of-war is difficult to predict. In the age of cloud computing and virtualization it is unclear how a service provider will even know where to find a particular suspect’s traffic, let alone protect its privacy or help law enforcement monitor it. Let’s say a provider serves EU member state ABC and receives a court surveillance order from that state, but during the period of the intercept the suspect travels to EU member state XYZ. Must the provider maintain the intercept or wait for a second order from a judge in XYZ? What if the suspect goes to XYZ but his or her traffic remains in ABC?
The US communications industry recognizes the value of spreading its services to the EU. However, to take advantage of these opportunities it will need specialists to navigate the regulatory gyrations of privacy protection and law enforcement support.
April 28, 2017
HOW CALEA SOLUTIONS IMPROVE SECURITY IN COMMUNICATION NETWORKS
Communication service providers in the US are generally required by the federal CALEA statute to equip their networks with hardware/software solutions that facilitate lawful electronic surveillance. CALEA solutions provide the technical capabilities law enforcement agencies need to conduct court-ordered surveillance in criminal and terrorist investigations. For example, a state police department may need to intercept the calls of a criminal suspect using a cell phone. Or the FBI may monitor the broadband signals of a terrorist suspect communicating on the Internet.
December 12, 2016
HOW WILL THE UK’S NEW SURVEILLANCE LAW IMPACT AMERICAN COMMUNICATION SERVICE PROVIDERS?
On November 29th the United Kingdom adopted a surveillance law that raised a novel issue of law enforcement assistance and privacy. How does the new law impact U.S.-based communication service providers?
The UK’s new Investigatory Powers Act
The UK’s existing Data Retention and Investigatory Powers Act of 2014, or “DRIPA,” already requires UK communication service providers to facilitate lawful surveillance and retain data on their subscribers’ past communications. To meet the data retention mandate, a service provider must store records on every subscriber’s past voice communications, emails, and text messages, and disclose them to the government upon lawful request.
November 2, 2016
The Impact of the 2016 Presidential Election on Lawful Surveillance and Customer Records Disclosures
Author: Trevor Gray, Legal Services Manager
With every presidential election comes some uncertainty. How will policy be impacted by a newly elected chief executive? It is vital that industry players be forward thinking to try and anticipate some of the change and be better prepared to take advantage of it. One critical area of discussion during this election cycle has been that of national security and more specifically cybersecurity and privacy. Electronic communication providers will need to be ready to act, so here is a look at how the candidates stand on issues related to lawful surveillance and records collection.
September 6, 2016
IS YOUR LAWFUL INTERCEPT SOLUTION SECURE?
Communication service providers are sometimes served with court orders to implement lawful electronic surveillance, known as lawful intercepts or “LI,” on criminal suspects using their networks. These CSPs typically prepare for the judicial demands by equipping their networks with LI solutions, as required by the CALEA lawful surveillance statute. But are those solutions secure?