The Regulatory framework and VoIP. Merijn Schik, DG INFOSOC

Transcription

1 The Regulatory framework and VoIP Merijn Schik, DG INFOSOC

2 Disclaimer This presentation is personal to its author and does not necessarily reflect the official position of the Commission No inferences should be drawn from this presentation as to the precise form or content of future measures to be submitted by the Commission. The Commission accepts no responsibility or liability whatsoever with regard to any information or data referred to in this document 2

3 Introduction VoIP increasingly popular both with consumers and businesses Cost efficient alternative for traditional telephony services Traditional telco s and new players compete for end user preferences VoIP creates certain (regulatory) challenges re. privacy and security 3

4 VoIP services VoIP services may include: - peer to peer communication (voice/im) - PSTN-IP transfer of calls (e.g. Skype in/out) - streaming video - voic services - directory look up - provision of software/equipment 4

5 VoIP threats VoIP = voice over the internet protocol hence subjected to attacks relating to both elements e.g: - eavesdropping - modification - misrepresentation - spam - denial of service - loss of electrical power 5

6 General safeguards Privacy and security relies on: End users: risk awareness, use of firewalls, antivirus/spyware software; regular updates of application software; common sense Commercial incentives: security/privacy safeguards as a competitive edge throughout the supply chain Enforcement efforts by competent authorities (DPA s, police, regulators) Legal obligations: security of electronic communication networks/services, data protection, (general rules on criminal activities and tort) 6

7 EU Legal Framework Under the General Data Protection Directive (95/46/EC), all undertakings that process personal data are obliged to take measures to protect such data against loss, alteration, and unauthorized disclosure or access in particular where the processing involves the transmission of data over a network (..). The e-privacy Directive (2002/58/EC) complements the GDP; it specifically applies to processing of personal data in connection with the provision of publicly available electronic communication services in public communication networks in the Community. 7

8 Applicability to VoIP The e-privacy Directive applies where services that imply the processing of personal data qualify as electronic communication services (ECS) being "normally provided for remuneration consisting wholly or mainly in the conveyance of signals on electronic communication networks" (art. 2 FD) Where no ECS is provided the General Data Protection Directive applies to the processing of personal data 8

9 Provisions on privacy 1) E-Privacy Directive (artt. 5-12) Specific rules for electronic communications - security - confidentiality of communications - traffic data - location data - non itemised billing - calling line identification - directory services 9

10 Provisions on privacy 2) General Data Protection Directive e.g. Harmonized rules on data protection to ensure free flow of personal data across the EU - purpose limitation - fair processing - information - right to object 10

11 Provisions on privacy 3) VoIP providers have to take appropriate technological and organisational measures to safeguard security of their services (art 4 EPD, 17 GPD). Examples of security measures - encryption - authentication - access control - user information - security audits 11

12 Review proposals 1) Network operators and service provider to i. notify the NRA of any breach of security that led to the loss of personal data and/or to interruptions in the continuity of service supply. ii. notify their customers of any breach of security leading to the loss, modification, access or destruction of personal customer data 2) NRAs to have the power to ensure operators implement adequate security policies or emergency plans, based on Recommendation agreed at EU level. Sanction non compliant companies. 3) Future proof network integrity requirements beyond PSTN 12

13 Summary End user awareness, business solutions and enforcement efforts are key for successful overall VoIP deployment VoIP providers are subject to applicable data protection provisions depending on the service VoIP providers are required to take technological and organisational measures to ensure security of their networks and services. EC proposes to reinforce requirements relating to privacy, security and network integrity (subject to public consultation until 27 October) 13