Government Affairs Blog

May 19, 2017

EXPANDING COMMUNICATIONS SERVICE TO THE EU WHILE COMPLYING WITH MANDATES FOR PRIVACY AND LAW ENFORCEMENT

As American communications service providers expand their networks to the European Union they’ll confront a phalanx of new privacy laws and evolving mandates to assist law enforcement. The following examines the regulatory hurdles.

The Pro-Privacy Trend

The EU recently adopted its General Data Protection Regulation, which expanded and strengthened EU data privacy law, and scheduled it to take effect in May of 2018. Among other things, the GDPR restricts the manner in which the personally identifiable data of EU “data subjects” may be “transferred” outside the EU. The new law also increases the fines for privacy infringements. Accordingly, US communications providers that operate in the EU will soon be required to follow strict new protocols for the handling of EU subscriber data.

A related EU privacy initiative called the ePrivacy Proposal would update the ePrivacy Directive of 2002. The Proposal essentially aims to protect the privacy of electronic communications data through stringent new rules that control Internet marketing practices and the use of cookies on websites. Enforcement fines will be steep. The updated law is slated to take effect simultaneously with the GDRP. Once again, US operators will be saddled with an EU-specific compliance burden.

Further complicating the EU privacy landscape is Great Britain’s exit from the EU. Will the British apply the GDPR and ePrivacy Proposal or chart their own path to privacy protection? US service providers expanding to Europe may need to comply with one set of rules in Britain and another in the rest of the EU.

The world dominance of US Internet companies, along with disclosures about the vast surveillance capabilities of the US National Security Agency, continue to fuel EU demands for stronger privacy protection. These privacy fears may have been exacerbated by recent allegations regarding US surveillance of Russian diplomats and members of President Trump’s campaign staff. News reports like these can only motivate Europeans to toughen their privacy defenses.

The Pro-Law Enforcement Trend

Countering Europe’s pro-privacy trend are calls to give law enforcement more surveillance power to thwart terrorist attacks. The terrorist threat has continued unabated across the continent.

In response, some EU states have maintained or revised their data retention laws, even though the European Court of Justice struck down the EU-wide data retention mandate in 2014. Germany adopted a data retention law in December of 2016. The new law, which takes effect in July of this year, will require the retention of communications metadata by any communications provider with facilities in Germany.

Great Britain adopted its Investigatory Powers Act in Dec 2016, though it has not yet taken effect. Under this pro-law enforcement statute, the government may serve a “technical capability notice” on a domestic or foreign communication provider with facilities in the country and then compel the provider to upgrade its network with certain surveillance capabilities.

Most alarming to the communications industry, the EU and certain EU member states are considering “data localization” laws. These measures, currently adopted only in countries such as Russia, China and Brazil, would keep a nation’s communications data stored within its borders, thereby facilitating investigations of the data by law enforcement. Network owners loath the prospect of building a separate data center in each country they serve.

Recurring cyber attacks worldwide have stolen mountains of private information and paralyzed communications networks. This threat alone may lead governments in all jurisdictions, including the EU, to intensify law enforcement scrutiny of Internet activity. If so, the authorities will likely expect increased cooperation from network owners.

The Challenge for US Communications Providers

Any US company may face legal challenges when entering foreign markets such as the EU. But for US communications providers such expansion poses uniquely complex risks. American operators in Europe increasingly find themselves squeezed between demands for more privacy and more public safety.

How American competitors will contend with the EU’s regulatory tug-of-war is difficult to predict. In the age of cloud computing and virtualization it is unclear how a service provider will even know where to find a particular suspect’s traffic, let alone protect its privacy or help law enforcement monitor it. Let’s say a provider serves EU member state ABC and receives a court surveillance order from that state, but during the period of the intercept the suspect travels to EU member state XYZ. Must the provider maintain the intercept or wait for a second order from a judge in XYZ? What if the suspect goes to XYZ but his or her traffic remains in ABC?

The US communications industry recognizes the value of spreading its services to the EU. However, to take advantage of these opportunities it will need specialists to navigate the regulatory gyrations of privacy protection and law enforcement support.

April 28, 2017

HOW CALEA SOLUTIONS IMPROVE SECURITY IN COMMUNICATION NETWORKS

Communication service providers in the US are generally required by the federal CALEA statute to equip their networks with hardware/software solutions that facilitate lawful electronic surveillance. CALEA solutions provide the technical capabilities law enforcement agencies need to conduct court-ordered surveillance in criminal and terrorist investigations. For example, a state police department may need to intercept the calls of a criminal suspect using a cell phone. Or the FBI may monitor the broadband signals of a terrorist suspect communicating on the Internet.

(more…)

December 12, 2016

HOW WILL THE UK’S NEW SURVEILLANCE LAW IMPACT AMERICAN COMMUNICATION SERVICE PROVIDERS?

On November 29th the United Kingdom adopted a surveillance law that raised a novel issue of law enforcement assistance and privacy. How does the new law impact U.S.-based communication service providers?

The UK’s new Investigatory Powers Act

The UK’s existing Data Retention and Investigatory Powers Act of 2014, or “DRIPA,” already requires UK communication service providers to facilitate lawful surveillance and retain data on their subscribers’ past communications. To meet the data retention mandate, a service provider must store records on every subscriber’s past voice communications, emails, and text messages, and disclose them to the government upon lawful request.

(more…)

November 2, 2016

The Impact of the 2016 Presidential Election on Lawful Surveillance and Customer Records Disclosures

Author: Trevor Gray, Legal Services Manager

With every presidential election comes some uncertainty. How will policy be impacted by a newly elected chief executive? It is vital that industry players be forward thinking to try and anticipate some of the change and be better prepared to take advantage of it. One critical area of discussion during this election cycle has been that of national security and more specifically cybersecurity and privacy. Electronic communication providers will need to be ready to act, so here is a look at how the candidates stand on issues related to lawful surveillance and records collection.

(more…)

September 6, 2016

IS YOUR LAWFUL INTERCEPT SOLUTION SECURE?

Communication service providers are sometimes served with court orders to implement lawful electronic surveillance – known as lawful intercepts or “LI” — on criminal suspects using their networks. These CSPs typically prepare for the judicial demands by equipping their networks with LI solutions, as required by the CALEA lawful surveillance statute. But are those solutions secure?

(more…)