5 Years of GDPR | The Legal Ecosystem of Data Protection and Communication Services
While we were all waiting for the EU ePrivacy Regulation to be enacted, the new Swedish Electronic Communications Act of 2022 flew under the radar and entered into force on 19 May 2022. This new law expands the scope of its predecessor to include interpersonal communication services. In this article we analyse the expanded scope of right to privacy for interpersonal communication and the long-term effects for a sustainable privacy.
Definition of a “interpersonal communication service”
The new Electronic Communications Act of 2022[1] supersedes the old Swedish Electronic Communications Act of 2003[2]. The goal is to transpose the European Electronic Communications Code[3] (know colloquially as the ‘Codex’) into Swedish law. Consequently, the expanding scope of electronic communications law is not unique to Sweden.
Whereas the Electronic Communications Act of 2003 focused on technical parameters (such as the conveyance of signals), the new Electronic Communications Act of 2022 shifts its focus on a more functional approach from the perspective of the end user. Since the Codex applies to all Member States of the European Union, this shift is not limited to Sweden but rather the whole Union.
The new act defines two types of interpersonal communication services
- number-based interpersonal services (such as Skype), and
- number-independent interpersonal services, mainly over-the-top applications or services.
An over-the-top application or service (OTT) is provided over the internet bypassing, traditional distributors such as telecoms and broadcasters. Over-the-top services are generally lower in cost than the traditional method of delivery, and examples include WhatsApp, Facebook Messenger and Microsoft Teams.
For a number-independent interpersonal service there must be at least one natural person involved and the recipients must be taken from a finite number of recipients chosen by the sender.
It is important to differentiate the interpersonal communications service and the content transferred over said communications service. The content of financial services or any other service transferred over a communications service fall outside the scope of the Electronic Communications Act.
A number-independent interpersonal service is defined by three requirements. The first requirement is that the service is provided by means of the internet or, to be specific, an electronic communication network.
Money or data – does the use of data impinge a sustainable privacy?
The first requirement is that the interpersonal communication service is normally provided for remuneration.
The remuneration requirement is not to be interpreted as a requirement for monetary payment. Electronic communications services are often supplied to the end-user not only for money, but increasingly and in particular for the provision of personal data or other data, and also for the purpose of monetization of data. There is legal uncertainty as to whether, or to what extent, social media such as Facebook and Twitter fall within this concept of ‘data monetization’ in the context of the new Electronic Communications Act. This also demands reflection on how solutions using data as remuneration may impinge on the social sustainability concerning interpersonal services and the use of personal data.
This not only a legal question but also an ethical conundrum. It is necessary to have a long-term strategic point of view and not only assess the technical possibilities but also the legal and ethical risks associated
Aron Klingberg, Manager, Financial Services Data Privacy
Part of the same legal ecosystem as GDPR and Data act
The concept of remuneration is therefore intended by the legislature to encompass situations where the provider of a service requests, and the end-user knowingly provides, personal data within the meaning of the General Data Protection Regulation (the ‘GDPR’) or other data directly or indirectly to the provider. In this way, the Electronic Communications Act is drafted to form a part of the same legal ecosystem as the GDPR and upcoming legal acts such as the Data Act[4].
It is also intended to encompass situations where the end-user allows access to information without actively supplying it, such as personal data, including the IP address, or other automatically generated information, such as information collected and transmitted by a cookie. Remuneration also exists within the meaning of the case-law of the EU Court of Justice[5] if the service provider is paid by a third party and not by the service recipient. The legal definition does not state that the renumeration has to be provided by the end-user to the service provider.
An expanded scope of electronic communication services
The second requirement is that the communication service enables interpersonal and interactive exchange of information between a finite number of end-users (natural or legal persons), although at least one natural person must be involved in the exchange.
The key word is that the service enables communication, and said communication is not merely as a minor ancillary feature intrinsically linked to another service. The concept of “minor ancillary feature” is to be interpreted restrictively. The recitals of the Codex even states that it is only in exceptional circumstances this exemption applies. Consequently there is a legal uncertainty if, for example the player chat function in an online gambling site is a “minor ancillary feature” of online gambling. To assess whether a feature is minor and ancillary, the service provider is to assess if the objective utility for an end-user is very limited or where the service is in reality barely used by end-users.
Assessment through the lens of sustainable privacy
Our analysis is that services provided by the financial sector that enables the exchange of information between end-users fall inside the scope of what constitutes an interpersonal communication service and consequently be inside the scope of the Electronic Communications Act of 2022. However, we recommend that any provider of such feature that enables customer communications, perform an analysis to ascertain whether the service falls inside the scope or not.
It is important to note that the changes of the Swedish Electronic Communications Act are due to changes in EU legislation. Since the Codex applies to all Member States of the European Union, this shift is not limited to Sweden but rather the whole Union.
Further, such an assessment should not be too narrow and delimited to a legal assessment only. The use of data – and in particular personal data – should be assessed through the lens of sustainable privacy. The point of view of customers and natural persons should be taken into account on how their data is being used. It is both easier and more affordable to make such an assessment before data collection begins rather than after, when controversy has arisen.
This article is limited to when the Electronic Communications Act applies.
If you have any questions on the more detailed implications, please contact
5 Years of GDPR
May 25th, 2023, marks the five-year anniversary of the enforcement of GDPR. This spring we reflect and review on the first comprehensive privacy regulation in a series of publications and events. Stay tuned for insights and perspectives on expectations vs. realties of a sustainable privacy arena, the legal ecosystem of GDPR, the future role of tech and much more.
[1] Lag (2022:482) om elektronisk kommunikation Svensk författningssamling 2022:2022:482 t.o.m. SFS 2022:1086 – Riksdagen
[2] Lag (2022:482) om elektronisk kommunikation Svensk författningssamling 2022:2022:482 t.o.m. SFS 2022:1086 – Riksdagen
[3] EUR-Lex – 32018L1972 – EN – EUR-Lex (europa.eu)
[4] Data Act: Proposal for a Regulation on harmonised rules on fair access to and use of data | Shaping Europe’s digital future (europa.eu)