The European Union is planning to extend telecom rules covering security and confidentiality of communications to web services such as Microsoft’s Skype and Facebook’s WhatsApp which could restrict how they use encryption. The rules currently only apply to telecoms providers such as Vodafone and Orange.
According to an internal European Commission document seen by Reuters, the EU executive wants to extend some of the rules to web companies offering calls and messages over the Internet. Telecoms companies have long complained that web groups such as Alphabet Inc’s Google, Microsoft and Facebook are more lightly regulated despite offering similar services and have called for the EU’s telecoms-specific rules to be repealed.
They have also said that companies such as Google and Facebook can make money from the use of customer data. “Unlike telcos, OTT (web-based) are global players that are allowed to commercially exploit the traffic data and the location data they collect,” telecoms group Orange said in a response to the EU’s public consultation on the reform proposals.
Under the existing “ePrivacy Directive”, telecoms operators have to protect users’ communications and ensure the security of their networks and may not keep customers’ location and traffic data.
The EU rules also allow national governments to restrict the right to confidentiality for national security and law enforcement purposes.
Many tech companies such as Facebook and Google already offer end-to-end encryption on their messaging and email services. They argue there is no need to extend the telecoms rules to web services and that the EU should not dictate how they protect their users’ communications.
Facebook, which uses full-scale encryption on WhatsApp, said in its response to the Commission’s public consultation that extending the rules to online messaging services would mean they could in effect “no longer be able to guarantee the security and confidentiality of the communication through encryption” because governments would have the option of restricting the confidentiality right for national security purposes.
“Therefore, any expansion of the current ePD (ePrivacy Directive) should not have the undesired consequence of undermining the very privacy it is seeking to protect,” the company said.
Tech companies have been at loggerheads with national governments and police agencies over the use of encryption. Advocates of strong encryption argue the technology is vital for protecting the privacy of consumers and businesses.
The EU document said that the exact confidentiality obligations for web firms would still have to be defined. The Commission could also force the companies to allow their users to take a copy of their content, for example emails, with them when they switch providers, according to the document.
The EU executive will propose a reform of the ePrivacy rules later this year, while a broader overhaul of the EU’s telecoms rules will come in September. The Commission was not immediately available to comment.