Network Neutrality - a Privacy Issue

The European Data Protection Supervisor (EDPS) has published an Opinion on the current Network Neutrality discussions, making the interesting point that blocking, filtering and traffic management activities may affect privacy as well as their more obvious impact on access to services. Although the Commission seem inclined to rely on market pressures to discourage providers imposing extreme restrictions on access, the EDPS warns that this may not be sufficient to prevent significant privacy invasions, particularly if ISPs all adopt the same practices, thus leaving concerned customers nowhere else to take their business.

In fact the discussion is not just relevant to future network neutrality discussions, but has a useful summary  (para 39 and following) of the different legal requirements and permissions under which networks are already allowed to process personal data contained in the traffic they carry:

• Delivering the Service: "processing of traffic data for the purposes of conveyance of a communication" is permitted. Good!
• Safeguarding the Security of the Service: since the ePrivacy Directive requires ISPs to take appropriate measures to protect the security of the service, the EDPS concludes that "inspection techniques based on IP headers and content that aim strictly to achieve such purpose" must therefore be permitted. The Article 29 Working Party has previously looked at e-mail inspection to reduce viruses and spam, but the EDPS does not limit himself to these - "within the limits set by the proportionality principle ... ISPs may engage in monitoring and filtering of communications data to fight viruses and overall ensure the security of the network". Given the concerns that have been expressed about reconciling incident response work and privacy law, this supportive comment is very welcome.
• Minimising Congestion: this points out a recital to the ePrivacy Directive, commenting that temporary storage of (personal) information is allowed where it is "necessary for ... transmission or traffic management purposes", so long as the privacy of the stored information is protected. The EDPS concludes that this does allow packets to be delayed (i.e. stored), or indeed dropped, where this is necessary to resolve the congestion. However by proportionality he argues that this should be done in the least intrusive way, and for the shortest period, that is required to resolve the congestion problem.
• Consent: the ePrivacy Directive also contains a number of specific and general reasons for which it may be acceptable to process header or content data provided the consent of the affected users has been obtained (different sections provide for both opt-in and opt-out consent in different circumstances). These include providing value added services that the user has requested: the EDPS notes that ISPs might use this permission, for example, to offer a reduced price for a service that excluded peer-to-peer traffic, or one where users' activities were logged in order to provide relevant behavioural advertising. However the EDPS notes that there is "little experience on the application of the [legal] framework" and that ISPs should proceed carefully when developing such service offerings. In particular he notes an issue that has puzzled me in the past - if you have to get consent from every affected user, how can a service provider know when the user who has consented hands the keyboard to someone else?

The Opinion concludes that the current Data Protection framework is adequate to protect network users. However at least guidelines, and possibly legislation, are likely to be required to help activities in these areas to comply with that legal framework.