Impact of Potential Changes in European Communications Security
Europe is working on a substantial overhaul to the regulatory framework for electronic communications, with changes large and small that will affect the satellite industry. One series of changes, which could be adopted early next year, would toughen the rules for maintaining the security of both networks and services. A related change would require companies to notify regulators or customers of any security breaches that threaten data privacy.
The European Commission proposed changes in late 2007, and the European Parliament adopted numerous amendments to the package in September. The European Council of Ministers also is working on its own set of amendments.
One change that clearly will go forward is a requirement for companies providing public communications networks or services to take appropriate technical and organizational measures to safeguard the security of their networks or services. Presumably, the satellite field should see no big changes in procedures from this requirement, as the industry depends on careful coordination and operations. It is normal practice, for instance, for satellite operators to notify customers immediately of transponder difficulties, and there are industry-standard procedures for such matters.
One related change that would be new to satellite providers, however, would require them to file a notice of each breach of security that threatens personal data. This type of rule is not new to operators and service providers in the United States — mandatory data breach notices are in place in 44 states as well as Washington, D.C., and Puerto Rico.
Up to now, European regulations required providers only to take appropriate measures to safeguard security, but providers did not have to notify customers of security breaches, only of security risks. Mandatory data breach notices would create new procedures and costs for each layer of the satellite industry. The changes being discussed would be made in the Electronic Communications Privacy Directive 2002/58/EC — the ePrivacy Directive. Those changes would require public providers to notify both subscribers and national regulators of any breach of security that threatens personal data.
At the service level, any provider that handles personally identifiable data from customers would fall under these obligations. The data breach notices could apply, for example, to conditional access services associated with satellite broadcasting or Internet access. Encryption of signals would have to be vigorously protected against hacking, because any breach could lead to the notice requirement. The notices likely would apply to almost all mobile satellite services, which can be tied to individual users. Location data is protected as well, so security problems in satellite services relating to asset tracking also could fall under the breach notice rules.
The European Parliament generally approved of the concept of mandatory notices but added some twists that could greatly expand the scope of the rules.
First, the Parliament adopted amendments that would extend mandatory data breach notices beyond providers of public networks and services to private networks and services. This change could extend data privacy breach notices, for example, to private VSAT systems. A Parliament committee pointed to the increasing mix of public and private services as the reason for the amendment but did not express any views on the cost or impact of this sweeping application.
A second Parliamentary change is subtle but hugely important. The original Commission version would establish a right for interested parties to take legal action against infringements of the ePrivacy Directive but only under the provision on unsolicited communications, or spam. The Parliament would extend this new cause of action to any infringement of the ePrivacy Directive. If the Parliament’s version goes through, consumers conceivably could sue for infringements of the network integrity requirement on any satellite platform or for mishandling of data breach notifications by any satellite service provider.
The Council of Ministers should strike a balance between the network security and data breach notices. It is likely, for instance, that the Council version will cut back on the private network rules. With both Commission and Parliament supporting the basic outlines of data breach reporting, however, it is reasonable to expect that some version will be adopted — and satellite companies should be preparing for these new obligations.