Who has jurisidiction to regulate satellite broadcasters?

Professor Lorna Woods

The current regulatory framework for electronic content is broadly divided into two: content and infrastructure.  This bifurcated design, in theory, allows platforms to be regulated in a comparable way rather than be subject to different rules based on the content they carry.  Essential infrastructure (electronic communications) is subject to a market based approach (the so-called ‘communications package’) and content is subject to specific minimum standards regulated in the country of origin (the audiovisual media services directive (AVMSD) and the e-commerce directive).

In both instances the regulatory framework is provided by EU secondary legislation (mainly directives), but it seems that the different measures ascribe regulatory competence as between Member States differently, and allow a regulator different scope of action. Moreover, there is not an exact fit with the underlying treaty free movement provisions.  This horizontal divide based on a service and technology neutral approach is neither as simple nor as complete as policymakers might have hoped, bearing in mind the range of intermediaries operating in the market and the range of services each operator might provide. The result is that there are unclear boundaries as to the applicable law and, as corollary of that, the relevant regulator. The difficulties are exemplified in the recent CJEU judgment in Case C-475/12 UPC v. NMHH.

UPC is essentially a retailer of electronic content: it provides packages of radio and audio-visual broadcast services transmitted via satellite and subject to conditional access technology (ie, a requirement to pay for a subscription).  Following a company restructuring, consumers in Hungary were provided with the service by a UPC subsidiary based in Luxembourg.  Following complaints by Hungarian consumers, the Hungarian communications regulator, NMHH, asked UPC for information which UPC refused to supply on the basis that NMHH was not the competent regulator, either in terms of the substance of the service and regulatory framework, or in terms of geographic jurisdiction.  UPC claimed that the Luxembourg authorities, if any, should regulate and that the Luxembourg authorities had stated that they had regulatory competence. NMHH fined UPC for non-compliance.  UPC appealed and the matter came before the Hungarian courts. The questions referred fell into two groups: on the scope of the communications package (specifically the FrameworkDirective (FD) on telecom regulation); and on its relationship with the underlying Treaty free movement provisions. The questions referred are:

(1)      May Article 2(c) of the Framework Directive be interpreted as meaning that a service by which a service provider supplies, for consideration, conditional access to a package of programmes which contains radio and television broadcast services and is retransmitted by satellite is to be classified as an electronic communications service?

(2)      May the Treaty on the Functioning of the European Union be interpreted as meaning that the principle of the free movement of services is applicable to the service described in the first question, in the case of a service supplied from Luxembourg to Hungary?

(3)      May the Treaty on the Functioning of the European Union be interpreted as meaning that, in the case of the service described in the first question, the country of destination, to which the service is sent, is entitled to limit the supply of that type of services by requiring that the [supplier of the] service has to be registered in that Member State and has to be established as a branch or separate legal entity, and allowing this type of services to be supplied only through the establishment of a branch or separate legal entity?

(4)      May the Treaty on the Functioning of the European Union be interpreted as meaning that administrative proceedings relating to the services described in the first question, regardless of the Member State in which the undertaking supplying that service operates or is registered, will be subject to the administrative authority of the Member State which has jurisdiction on the basis of the place in which the service is supplied?

(5)      May Article 2(c) of the Framework Directive be interpreted as meaning that the service described in the first question must be classified as an electronic communications service, or must such a service be classified as a conditional access service supplied using the conditional access system defined in Article 2(f) of the Framework Directive?

(6)      On the basis of all the foregoing, may the relevant provisions be interpreted as meaning that the service provider described in the first question must be classified as a provider of electronic communications services pursuant to European Community [sic] law?

EU legislation

Although from the perspective of the consumer, UPC looks like a broadcaster, UPC does not take editorial responsibility for the content of the programmes, so it does not fall to be regulated under the AVMSD (which in any event does not cover radio). In ruling so here, the Court follows its previous judgment in Case C-518/11 UPC Netherland.  The definition of ‘electronic communications service’ for the FD encompasses services normally provided for remuneration which consist wholly or mainly in the conveyance of signals on electronic communications networks, including transmission services in networks used for broadcasting, but excludes services providing, or exercising editorial control over, content transmitted using electronic communications networks.  The Court’s phraseology on this point (paras 36-39 of the judgment) is opaque, talking in terms of ‘not excluding’ the communications package. So while that package applies here, the question remains open the extent to which AVMSD or other content based provisions can also apply to content retailers, depending on the nature of the service provided. Of course, were UPC to have been deemed to be responsible for content within the AVMSD, it would probably have been subject to the regulation of the Luxembourg authorities, since that Directive usually confers jurisdiction upon the broadcaster’s country of origin.

Having excluded broadcasting, the question still remained as to whether UPC fell within the Communications Package, a question which turned on the meaning of ‘electronic communications service’ in Art. 2(c)FD.  Here, however, the point at issue was the fact that UPC did not use its own transmission facilities but contracted with a third party for satellite services. The Court, reasoning to ensure the effectiveness of the regime, agreed with the approach suggested by the Advocate General and held that use of third party facilities was irrelevant to the classification of the service. The defining criterion of the electronic communication service is whether the provider is responsible as regards end-users for transmission of the signal to provide the relevant service.

It had also been suggested that if the service were a conditional access system (defined in Article 2(f) FD), the provisions concerning electronic communications services would not be applicable. Both the Advocate-General and the Court dismissed this suggestion, so 'a conditional access system may be attached to an electronic communications service for the broadcasting of radio or television programmes, without that service losing the status of an electronic communications service’.

So, the Communications Package applied, but this still left the issue of whether the Hungarian authorities could regulate (and if so, to what degree). The FD contains no attribution of jurisdiction in the way, for example, the AVMSD does.  The CJEU dealt with this aspect by considering the powers of the national regulatory authorities, in particular as regards authorisation.  It noted that the Authorisation Directive(which forms part of the Communications Package and deals with the granting of licences and other forms of authorisation to provide relevant services) does not oblige the national authority of the jurisdiction in which the services are provided to recognise authorisation decisions taken in the Member State from which they are supplied (judgment, para 86) – here referring to the Luxembourg authorities’ statement that they had regulatory competence in relation to UPC.  As a result, Member States in whose territory the recipients of services reside may impose conditions on the provision of those services, as permitted by the Communications Package.  Under Article 11b Authorisation Directive, these include provisions to the effect that national authorities may request from undertakings information that is proportionate and objectively justified for verification of compliance with conditions relating to consumer protection.  In sum, the supply of electronic services may be monitored by the authorities of the Member State in which the recipients of the service reside.

Treaty rules on free movement of services

The Hungarian court asked whether Article 56 TFEU precluded rules which require undertakings which supply electronic communications services in the territory of a State to register those services, or rules requiring them to establish in that State a branch or a legal entity separate from that located in the Member State of transmission.  Note that where there has been full harmonisation via directive, only those rules in the relevant legislation are permitted; otherwise, some recourse to national law is permitted. The Communications Package also envisages the possibility of further national regulation, in addition to that specified by the package (recital 7 and Article 1(3) Framework Directive), and further provisions allow the regulatory authorities discretion to take action to further general objectives, including protecting the consumer interests.   This means that the area has not been totally harmonised and that any national rules in this area fall to be assessed by reference to the relevant Treaty freedom: here, services (see e.g. Case C‑17/00 De Coster; Case C‑250/06 United Pan-Europe Communications Belgium and Others). 

The normal rules governing the freedom to provide services allocated regulatory responsibility to the Member State of establishment, and that secondary regulation must take into account home state regulation.  There is clear potential for abuse here, and there has been a stream of cases in the broadcasting sector in particular, where companies have established in a Member State with a favourable regime and ‘broadcast back’ to a particular State. The Court has only rarely accepted that this is abuse or, alternatively, that such a company is actually established in the destination state.  These arguments were unsuccessful here, even though UPC does not provide services within Luxembourg; this is very much in line with the Court’s standard approach.

As regards the notification requirement, Article 3 Authorisation Directive contains a legal framework dealing with the conditions which the regulatory authorities of a Member State may impose in order to allow undertakings established in other Member States to supply electronic communications services in the territory of the host State. Provided that the host Member State follows the terms of Article 3, notification requirements are not precluded. Further, given that Article 3 seems to harmonise this aspect exhaustively, requirements going beyond Article 3 are not compatible with EU law – they cannot be judged by reference to the treaty freedoms. So, the Hungarian authorities may impose such notification requirements.

Note that  application of the Treaty freedoms might have led to a different result.  In Canal Satellite Digital (Case C-390/99), the Court held that a requirement on the operators of conditional access systems to register before carrying out services, in order for the Spanish authorities to check technical competence, in relation to a service provider established in another Member State, would not be proportionate if it duplicated checks in the home Member State.

Finally, the Court ruled that the requirement for an establishment is not specified by the Communications Package, so it does fall to be assessed by reference to the Treaty freedoms. While requiring an establishment may lead to more effective monitoring of authorisation conditions, such extensive monitoring is not justified.  In any event, an establishment requirement ‘is the very negation of the freedom to provide services and has the result of depriving Article 56 TFEU of all effectiveness’ (judgment, para 104) and cannot therefore be permitted under the Treaty.

The judgment in this case shows the importance (and complexity) of determining whether (and to what extent) a particular field of law is harmonised by EU secondary legislation, and therefore to what extent it remains regulated by the Treaty freedoms; and also the importance of determining which specific secondary legislative regime applies. It is interesting to note that although the EU took what might be termed a 'light touch' approach to telecom regulation in general, basing the system on competition law and policy principles, and assuming a distinction between the public interest and the use of that system, that process is not complete. In particular, the communications package allows space for a range of consumer protection issues and it is this, ironically, which gives more regulatory power to the receiving State than the Treaty freedoms or the audiovisual services legislation does.

Barnard & Peers: chapter 14, chapter 16

Read More

Are national data retention laws within the scope of the Charter?

By Steve Peers

Following the annulment of the EU’s data retention Directive by the CJEU, an obvious important question arises: are national data retention laws subject to the same ruling of the Court? The purpose of this post is to set out the reasons why they are.

The starting point for this analysis is Article 51 of the EU’s Charter of Fundamental Rights, which states that the Charter applies to the EU institutions and other EU bodies, but to the EU’s Member States ‘only’ when they are ‘implementing’ EU law. What does that mean? 

On the narrowest interpretation, Member States ceased to be implementing EU law on data retention from the moment that the data retention Directive became invalid. After all, from that point, there was no EU data retention law to implement. However, it is arguable that Member States can still be regarded as ‘implementing’ EU law where their national legislation was introduced to implement an EU obligation. It’s a novel point, because it’s rare for the CJEU to annul EU laws on substantive grounds. And where the Court has done so, it has more often annulled only a small part of those EU laws (in the Test-Achats judgment, for instance).

But that is merely an alternative argument that the EU Charter continues to apply to national data retention law. The main argument is based on solidly established case law of the CJEU regarding the scope of EU human rights protection where Member States derogate from EU law.

EU human rights rules and national derogations from EU law

As far back as 1991, the CJEU ruled in the ERT case that where Member States derogate from EU internal market rules, they are still subject to EU human rights obligations (which then took the form only of the EU’s ‘general principles of law’, since the Charter was not yet a gleam in anyone’s eye). This was confirmed in the Familiapress judgment, as regards exceptions from the internal market rules which are based on the CJEU’s ‘rule of reason’ case law, rather than the express exceptions in the Treaties.

Does the Charter take the same approach? While many assumed that the word ‘implementing’ in the text of Article 51 suggested a narrower interpretation than under the prior case law, in its judgment in Fransson the CJEU stated that its prior case law regarding the scope of the general principles applied equally to the Charter. While that judgment did not concern derogations from EU law, the CJEU should shortly be ruling on this point in the case of Pfleger (judgment due 30th April), where the Advocate-General’s opinion assumes as much. Pending the possible confirmation in that judgment, it should be assumed for the time being that the Charter does indeed apply to national derogations from EU law, given that the CJEU made no distinction in Fransson as regards the aspects of its prior case law which were still applicable.

In any event, even if the Charter does not apply to national derogations from EU law, the general principles still do, given that they have a continued existence independent from the Charter in Article 6(3) TEU.

Applying the case law

Two further issues arise. First of all, does EU human rights law apply where Member States are not derogating from EU internal market rules in the Treaty, but from other rules of EU law? In principle it should, given that the Treaties list other EU objectives besides the creation of an internal market. Why should EU human rights rules only apply as regards national derogations from EU rules in one particular area of EU law, but not as regards derogations from EU rules in other areas of law?

Anyway, the CJEU has in effect confirmed that Member States are bound by the Charter and the general principles even where the law in question does not concern the internal market. In EP v Council and the subsequent case of Chakroun, the CJEU ruled that national derogations from the EU’s family reunion Directive had to comply with human rights obligations, without suggesting any distinction in this regard between national derogations from EU internal market rules in the Treaty and national derogations from other EU rules set out in EU legislation.

Secondly, is there an EU law rule that Member States are derogating from when they continue to apply national data retention laws? Indeed, there is: Article 15(1) of the EU’s e-privacy Directive specifies that Member States may restrict the rights in that Directive relating to the confidentiality of communications, location and other traffic data and caller identification:

'when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of Directive 95/46/EC. To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph. All the measures referred to in this paragraph shall be in accordance with the general principles of Community law, including those referred to in Article 6(1) and (2) of the Treaty on European Union.'

In fact, the CJEU has ruled repeatedly on the application of the Charter to cases where copyright holders have invoked this clause to justify planned restrictions upon Internet use (see most recently the Telekabel Wien judgment). There is no reason why the CJEU would not also apply the clause to data retention on crime-fighting grounds, given that the second sentence of Article 15(1) refers expressly to data retention and the first sentence refers expressly to criminal law.

Finally, while some forms of data retention might fall outside the scope of the e-privacy Directive, which in principle applies to telecommunications service providers (not, for instance, to social networks or search engines), those other forms of data retention would anyway fall within the scope of the similar Article 13 of the main data protection Directive, given that they would clearly constitute the processing of personal data within the scope of that Directive. Neither the ‘household exception’ to that Directive nor the exception for processing in the field of criminal law would apply – since the data retention would be taking place in the context of a commercial activity (since the judgment on the legal base of the data retention Directive by analogy).


Barnard & Peers: chapter 6, chapter 9

Read More

The EU’s Data Retention Directive: Fighting Back against mass surveillance in the EU’s Court of Justice

Steve Peers

I’m writing this post on ‘The Day We Fight Back’ against mass surveillance. So it seems a suitable day to comment (a bit belatedly) on the Advocate-General’s opinion from last December on the validity of the EU’s data retention Directive (Directive 2006/24; Cases C-293/12 Digital Rights and C-594/12 Seitlinger).

Overall context

These cases, referred from the Irish and Austrian courts, present the Court of Justice of the EU (CJEU) with its best chance yet to deliver an iconic judgment relating to the EU’s Charter of Fundamental Rights. The Test-Achats judgment of 2011, concerning the invalidity of EU rules permitting insurance discrimination between men and women, just didn’t amount to such a judgment, resulting as it did in higher car insurance rates for women drivers without much analysis of the key issues by the CJEU.

This time around, the CJEU is aware that: the constitutional courts of Germany and Romania have criticised the Directive on fundamental rights grounds; the European Court of Human Rights is dubious about mass surveillance (cf the S and Marper judgment); and there is considerable public concern across the EU about mass surveillance, in particular in the current context of revelations about spying by American security agencies.

As for the Directive itself, it requires Member States to compel telecom and Internet access providers to keep records of all phone calls, Internet use and mobile phone location data for at least six months, with no real fixed upper limit, so the police can access those records for the purposes of investigations into serious crime. (There is a nominal two-year upper limit for keeping this data, but Member States can keep in place any higher limits that they already applied, or ask the Commission for the power to set new higher limits in place if they didn’t already apply them). Other EU laws giving Member States an option to require that telecom providers keep such data for other reasons were unaffected. Overall, as I pointed out at the time, ‘Member States could insist on (or at least request) the retention of any type of data for any type of security purpose for any period at all’.

Furthermore, the Directive set no safeguards as regards the use of that data which industry was required to retain. This was because the Directive had to limit itself to regulation of the telecoms industry, due to its ‘internal market’ legal base (upheld by the CJEU in Case C-301/06 Ireland v EP and Council), so it couldn’t regulate what police forces did with the data when they got it.

While it is possible that this mass surveillance may assist in the prosecution of crime or the prevention of terrorism, that does not automatically excuse it. No doubt there is less crime in totalitarian states, but democratic states need to strike a balance between liberty and security. According to the long-standing case law of the European Court of Human Rights, targeted surveillance is only acceptable if the law in question is very precise and sets out detailed safeguards for the persons concerned. This must surely apply a fortiori to laws such as this Directive, which provide for mass surveillance – if indeed such surveillance can ever be justified at all.

The Advocate-General’s opinion

The opinion takes as its starting point (correctly) that the data retention Directive interferes with the rights to privacy and data protection (Articles 7 and 8 of the Charter). So the focus of the case is whether such interference can be justified. Article 52(1) of the Charter allows restriction of Charter rights where those restrictions are provided for by law, respect the essence of the rights, and are proportionate to protecting a public interest recognised by EU law or the rights of others. Here there is clearly a public interest, so the Advocate-General examines the other facets of the test.

He concludes that the EU Directive is not ‘prescribed by law’, within the meaning of that phrase set out in the jurisprudence of the European Court of Human Rights. The crucial problem here is the quality of the law set out in the Directive. In particular, it is not sufficiently precise as regards the limitation on Charter rights, and it does not set out guarantees for use of the data.

This raises an issue specific to the nature of the relationship between the EU and its Member States. Since Directives must be applied by Member States in their national law, it could potentially be left to the Member States to provide for such precise details concerning the interference with Charter rights when they transpose the Directive. It would be possible for the CJEU to clarify further what such rules must address, as it has in a line of case law concerning interference with privacy rights justified by the protection of intellectual property (ie downloads of music, et al, in breach of copyright).

The Advocate-General rejects that possibility here – and quite rightly. The difference is that the data retention Directive requires the Member States to interfere with Charter rights, whereas the legislation at issue in the other cases merely permits them to do so. In such a case the EU must surely bear a significant part of the responsibility – if not the whole responsibility – for satisfying the ‘quality of law’ test. This would be consistent with the case law of the European Court of Human Rights in the Bosphorus Airways v Ireland case, and the draft EU accession agreement for the ECHR, which both distinguish between cases where the EU requires its Member States to act, and where it simply permits them to do so.

Yet on this point, there is another complication arising from the nature of EU law. Before the entry into force of the Treaty of Lisbon, the legal order of the Union was divided into three so-called ‘pillars’. While the internal market was part of the first pillar (Community law), police cooperation was part of the third pillar (policing and criminal law). So a Directive based on the internal market could not address issues relating to police cooperation, and this Directive does not. That was precisely why the CJEU rejected the Irish government’s challenge to the Directive in 2009.

To address this problem, the Advocate-General suggests that the EU should at least have agreed some guarantees informally. But this would not be good enough, as non-binding guarantees would not satisfy the ‘quality of law’ test. The EU could, however, have adopted a third pillar ‘Framework Decision’ setting out such guarantees before the Treaty of Lisbon; and now it can set them out in the form of a Directive.

Finally, the Advocate-General concludes that the Directive is also disproportionate, since there is not a good enough reason for the possibly unlimited period of retaining personal data. Yet it must be pointed out that Member States’ power to retain existing national laws allowing for longer periods of data retention is built into the internal market rules of the Treaty. To disable the application of those provisions, the Court of Justice would have to rule that the Charter took priority over the Treaty (ie, other EU primary law).

Conclusions

These cases give the opportunity to the CJEU to add a lot of flesh to the bones of the rules concerning interference with Charter rights – in particular the application of the ‘quality of law’ test, which the CJEU has not referred to at all before. The difficulties created by the previous division of EU law into pillars, and the particular rules set out in the internal market provisions of the Treaties, must also be addressed. Yet in light of the overall context of these cases, the established jurisprudence of the European Court of Human Rights, and the strong opinion of the Advocate-General, it would simply be shocking if the Court of Justice did not either rule the Directive invalid, or at the very least lay down detailed rules which Member States have to follow when applying it.


Barnard & Peers: chapter 9

Read More