Through Deep Packet Inspection (DPI), fixed and mobile telecom providers are able to see at a deep level data packets of users transported over their network. Telecom providers can measure not only data consumption, but also the content of data traffic.
DPI is closely related to the net neutrality principle, which is enshrined in the 2015 Open Internet Regulation (OIV). In 2011, neither the Autoriteit Consument & Markt ACM), the Openbaar Ministerie (OM), nor the Dutch Data Protection Authority (Cbp) saw any conflict with the relevant legislation. Meanwhile, the relevant legislation in the European Union (EU) and thus in the Netherlands, has changed considerably.
The OIV contains a number of conditions that DPI must meet. The Body of European Regulators of Electronic Communications (BEREC) has an eye on DPI. BEREC issued guidelines for the use of DPI in 2016, see BoR (16) 127)). Art. 3(4) OIV goes no further than that Internet access service providers may only measure personal data in data traffic if it is necessary and proportionate to comply with EU or national regulations; to ensure the integrity and security of telecom networks; or to prevent or mitigate network congestion. Decisively, all mobile data must be treated "equally. Price differentiation is currently not generally prohibited. However, it is subject to conditions in Art. 3 of the OIV.
In the Netherlands, DPI resurfaces in a recent ruling by the Rotterdam District Court, brought by Bits of Freedom and others, against some mobile telecom providers(CLI:NL:RBROT:2019:414). That case revolves around the question of whether ACM was justified in rejecting an enforcement request against a telecom provider. It does not concern an assessment from the perspective of the AVG, but a position statement against the telecom provider, because it allegedly violated Article 3 of the OIV with its Data Free Music service, by engaging in price discrimination. This would take the form of not charging for certain data volumes with certain content(zero-rating). However, no violation of the OIV was found.
The European Data Protection Supervisor (EDPS) has yet to comment on DPI. There is still the - languishing - proposal for an e-Privacy Regulation or Directive, which keeps getting stuck in the EU legislative process. The latest version of this proposal is dated March 13, 2019. There is nothing in it about DPI. There seems to be a general trend that controlling and measuring data traffic will soon be classified as processing traffic and/or location data. But there doesn't seem to be much interest in DPI in general in the EU at the moment. Will that change?
Some time ago, some privacy organizations again warned about DPI use by telecom and Internet providers. At issue was the European Digital Rights organization (EDRi). This organization was created by a number of parties to monitor digital civil and fundamental rights in the EU, but not all member states are members. In an EDRi fire letter signed by academics, NGOs and some businesses, the drafters warned the EDPS and BEREC that Internet access service providers are increasingly relying on DPI to control data traffic. The drafters expressed concern about the processing of sensitive personal data by telecom providers. However, the EDRi seems more concerned about the possibility of Internet service providers (ISPs) and other telecom providers using DPI to enable price differentiation of certain services. The letter contains little substantiation for this point, however. Moreover, the drafters also feel that the lack of proper cooperation between BEREC (telecom) and the EDPS (personal data protection) is undesirable....
Current legislation on DPI leaves room for different interpretations. For example, according to BEREC, Internet access offers must be application-agnostic (access independent of application type), but such a high level standard provides room for differences in interpretation.
What about the requested coordination between the EDPS and BEREC? The EDPS website contains - at a global glance - no specific opinions or consultations on DPI. The AVG is clear: the processing of personal data, including data usage traceable to IP addresses, must have a justification. So far, there has been a "case-by-case" approach to undesirable DPI applications. It is not obvious that the regulator will prescribe in detail when there is and is not justification for applying DPI. Either way, right now the diktat lies with the OIV and not the AVG. The more comprehensive regulatory tool for assessing DPI actions comes from the OIV - although coordination may be necessary.
With ever more rapidly advancing, sometimes disruptive technologies, flexibility in the regulatory framework is not a luxury. Market participants and stakeholders here benefit more from retrospective review. Stakeholders do not necessarily benefit from banning DPI or applying the rules more strictly. Especially the discussion about zero-rating (think of the so-called data-free music), sometimes leads to heated debates. Very interesting, of course, is what the rollout of 5G (see the 2018 study 5G and Net Neutrality (1), will mean for the now rather lightly regulated net neutrality. Instead of heavier regulation, it seems more obvious that providers of services that will soon be enabled by new technologies (for example, network slicing: dividing up a network for different uses) could be more lightly regulated. This could encourage standardization of self-driving cars, VR and IoT, for example.
This article can also be found in the e-Privacy and AVG dossier
