Published on 13th May 2013.
A guest blog by Emily Turner, Squire Sanders Associate
(Important Note added on 14 July 2014: The EU law in the area of data retention is currently undergoing change and this blog post requires updating to reflect the current circumstances. We will be editing this blogpost with the up to date legal information as soon as possible.)
In a society with a high demand for digital connectivity “on the move”, there is an increasing demand for public WiFi services to be made widely available. Businesses are understandably keen to meet that demand, however, there are a number of key areas of legal compliance which Wi-Fi providers should be aware of before offering such services to the public.
a) Data Retention (EC Directive) Regulations 2009
These Regulations were enacted to implement an EU Directive in the UK which aims to assist the prevention and detection of organised crime and terrorism by compelling communications service providers to retain certain communications data, including internet user data. The Regulations place obligations on “public communications providers” to retain certain user data generated or processed in the UK for 12 months from the date of the communication in question. The definition of “public communications provider” appears to include public Wi-Fi providers, however, the Regulations will only apply to them if a provider receives notice in writing from the Secretary of State. Note that the Secretary of State must serve all providers with such notice unless the data in question is already retained in the UK under these Regulations by another provider.
b) Data Protection Obligations
In addition to the potential data retention obligations under the Regulations, public Wi-Fi providers need to be aware of their obligations under the Data Protection Act 1998 (DPA 1998) which will be triggered whenever they process personal data about individuals. The DPA 1998 governs all use of personal data, including its mere storage and transmission. The DPA 1998 may require a Wi-Fi provider to register with the Information Commissioners Office (the enforcement body) and to comply with a whole host of other obligations, which includes the obligation to take appropriate technical and organisational measures to protect the security of all personal data it processes. This imposes a further layer of obligation (and cost) upon public Wi-Fi providers if they are retaining personal data, such as data about individual users. A serious breach of the DPA 1998 can result in a penalty of up to £500,000.
c) Digital Economy Act 2010 (DEA): Online Copyright Infringement
The DEA, amongst other things, inserts amendments into the Communications Act 2003 which place initial obligations upon “Internet Service Providers” (ISPs) aimed at tackling online copyright infringement. These obligations include notifying users of receiving a copyright infringement report relating to their account and providing anonymous copyright infringement lists to copyright owners. Initially there was concern that public Wi-Fi providers would also be subject to these obligations.
In June 2012, Ofcom published a revised draft code to underpin the initial obligations of ISPs introduced by the DEA. In an interim statement, Ofcom made it clear that Wi-Fi providers would initially be outside the scope of the code, which would only apply to ISPs with over 400,000 subscribers in the UK. The basis for this was that the costs of participation for Wi-Fi providers would be disproportionately high compared to the expected results to be achieved. Ofcom have, however, stated that they will consider extending the coverage of the code if they deem it to be necessary upon reviewing the scope of the code in the future. This is therefore something that public Wi-Fi providers should look out for.
By making their internet connection available to public users, Wi-Fi providers have little or no control over what those users access which exposes them to potential liability if material is illegally downloaded by public users via their connection. To try and minimise such liability, providers are advised to clearly demonstrate that they have taken steps to try to prevent copyright infringement by ensuring that users must register to use their service and by imposing clear terms and conditions of usage on users.
Conclusion: A Way Forward?
Although the Government will be keen not to overload public Wi-Fi providers with regulatory obligations in light of the significant benefit the expansion of these communications services can bring to the economy, this is necessarily balanced by the need to regulate this industry in order to protect data privacy, assist in the fight against organised crime and to reduce the online infringement of intellectual property rights. As the availability of public Wi-Fi increases, so does the threat to these interests, making it likely that regulation will continue to increase.