Data Retention Rules in Belgium: uncertainty remains after third Constitutional Court ruling

The debate surrounding Belgium’s data retention legislation is far from over, despite recent decisions by the Constitutional Court. While some elements of the law have been upheld, the future of this legislation now hinges on the rulings of the European Court of Justice (ECJ) regarding the remaining contested sections. ISPA Belgium is closely following these developments as they have a direct impact on our members and the broader internet ecosystem in Belgium.

A long legal journey

Belgium’s data retention law, which seeks to comply with a European directive aimed at retaining mobile phone data, has faced significant legal hurdles over the years. In 2015, the Belgian Constitutional Court annulled the original legislation, deeming it too vague after a legal challenge by the Human Rights League, among others. A second attempt in 2021 was also struck down by the Court.

Now, the latest ruling by the Constitutional Court on the 2022 version of the data retention law shows some movement in the right direction. Certain key aspects were approved this time, including the concept of targeted data retention within specific geographical zones, also known as differentiated data retention. This provision allows for data retention in zones where there is heightened risk of serious crime or threats to public safety, a change from earlier laws that treated the entire country as a single entity.

Concerns remain

It is true that some legal guidelines have been established, providing much-needed reassurance for the ISP sector. However, with some aspects of the law still lacking clarity, unresolved issues pose technical challenges and create legal uncertainty for the internet ecosystem.

As a matter of fact, the future of Belgium’s data retention framework is still undecided. The Constitutional Court has referred several questions to the ECJ for clarification, particularly around how the EU Charter of Fundamental Rights should be interpreted in this context.

Striking the balance

A major area of concern for Belgian ISPs remains the issue of retaining geolocation data by mobile network operators. While the need for balance between ensuring public safety and upholding fundamental rights is recognised, the outcome of the ECJ rulings will play a decisive role in shaping how this balance is achieved, also on this aspect.

Conclusion

The legal landscape for data retention in Belgium continues to evolve, with both progress and uncertainties on the horizon. The focus of ISPA Belgium is to remain engaged in these discussions, and to ensure that the rights of citizens are respected while addressing the technical and legal challenges that our members face. As we await further developments from the ECJ, our commitment to advocating for balanced and effective policies remains steadfast.

It is crucial that the need to combat crime does not come at the cost of citizens’ fundamental right to privacy. ISPA remains committed to advocating for balanced, well-defined legislation that safeguards both public security and privacy.

ISPA Belgium

EuroISPA Council Member

Draft regulation on payment services: effective fight against bank fraud requires the continuous cooperation of all parties

As part of the negotiations on the Commission’s proposal for a regulation on payment services, the liability of electronic communications operators and more generally of technical intermediaries, including digital platforms, in the context of bank fraud has been raised in different fora. This is triggered by an increase in fraudulent practices based on impersonation to deceive bank customers using electronic means of communication. For example, one of the growing vectors of bank fraud concerns the theft of telephone numbers (number spoofing). By fraudulently using a number assigned to a bank or payment service provider (bank advisor number or credit card opposition centre), the fraudster lowers the customer’s level of distrust and deceives them to obtain confidential information (access codes, bank card number, etc.).

Electronic communications operators, notably faced with the misunderstanding of fraud victims, are already incentivised to fight such practices and ensure trust in the use of telephone numbers. Several national initiatives, whether voluntary or imposed by law, have been launched in this regard. For example, in France, the Naegelen law, adopted in July 2020 to combat illegal cold calling, requires operators to ensure the authenticity of numbers from the numbering plan established by the national regulatory authority when they are used as caller ID for calls and messages received by their end-user customers.

Despite these efforts, which must continue, fraudsters remain innovators by nature, which means that fraud is rapidly evolving to circumvent any technical obstacles put in place.

This is why attempts to shift the legal and financial liability of such bank fraud cases away from payment service providers to technical intermediaries would not bring any additional result in the effective fight against these fraudulent practices. On the contrary, this would certainly lower the incentive for payment service providers to secure their services through state-of-the-art technologies and endanger the very principles governing the functioning of electronic communications services: electronic communications operators do not have visibility or control over the contents of communications on their networks, hence cannot be held liable for reprehensible acts committed using their networks. Overall, this would conflict with provisions of existing EU law applying to electronic communication operators (such as European Electronic Communications Code or ePrivacy and net neutrality) and platforms (such as the Digital Services Act).

But this does not imply that nothing can be done: cooperation at EU level among all parties involved in the fight against bank fraud (including operators, digital service providers, payment service providers, banks, customers’ associations, telecom regulators, and banking supervisors) could be strengthened and structured to identify and qualify trends in bank frauds, promote best practices in technical remediation, seek interoperability in telephone number authentication systems, and better inform customers for them to make better decisions when using payment services.

Remedying new forms of bank fraud requires a collective effort from the digital and the banking sector – the EU should not miss the opportunity to make it happen. It should ensure the Payment Services Regulation remains proportionate and incentivise efficient cooperation between the banking sector and the electronic communications sector, while duly considering the roles of each player in the value chain and without transfer of liability. 

Romain Bonenfant

EuroISPA Board Member
Managing Director, Fédération Française des Télécoms

For the future of the Internet, EU policy needs to focus on digital infrastructure

With the EU progressively increasing its focus on digital policymaking, it is ever more crucial that digital infrastructure be kept at the core of decisions that impact the Internet. The true advancement of digital policies incorporates all actors along the value chain of Internet service provision and has the potential to create an innovative digital sphere in the interest of EU citizens. Policies must be adapted to the reality of an ecosystem that is composed of many kinds of actors, taking into account differences in resources and precedent, particularly if we want to see even implementation across the entire sector. Indeed, what we need in order to create a sustainable EU digital policy life-cycle is clarity regarding implementation and coherence with existing legislation, and avoidance of legislative overlap.

The EU is seen as a driving force of innovation globally; but in order to truly enable an innovative, free, and fair Internet, the EU must consider all the actors within the sphere of Internet service provision. By considering all players and creating a level-playing field, the EU can create a cohesive internal market and enable increased sharing of knowledge and best practice. For the EU to maintain its status as a key actor at the global level of Internet services provision, it must nurture a competitive digital market at the infrastructure and service level. The EU has the chance to play a leading role in the development of emerging technologies, including AI, quantum technology, blockchains, and virtual worlds, and to build legislation which allows players of all sizes to participate – and it must take that chance to be at the forefront change.

Meanwhile, we must not forget that a safer Internet is crucial for the integrity of EU democracy. Ensuring technology neutrality and encompassing every actor within the Internet ecosystem allows for effective policy-making that creates a safer and freer Internet for all EU citizens. 

Elina Ussa
President of EuroISPA

Read EuroISPA’s Manifesto for the 2024 European Elections here.

Collaborative Strategies in Combating Online Piracy

In May 2023, the European Commission released a recommendation on combating online piracy of sports and other live events. The recommendation underlines rapid action against unauthorised streams and fosters collaboration across the Internet industry. In October, a conference co-hosted by the Commission and EUIPO spotlighted the fight against online piracy, at which Worldstream was invited due to our established measures.

In line with the recommendation, Worldstream has developed its own proactive Notice and Take Down tool. This tool empowers rightsholders to quickly block IP addresses used to distribute infringing content during live events, effectively disrupting online piracy as it happens. This tool is part of a broader strategy to foster industry-wide efforts, aligning with the Commission’s plan.

However, the challenge is not just about implementing tools: real progress in combating online piracy requires industry-wide cooperation. The current efforts often feel fragmented, with each party handling issues in isolation. From intermediaries to rightsholders, everyone has a crucial role, and only through sharing knowledge and resources can we collectively stay ahead of piracy. Creating working groups or direct communication channels might be the key to consolidating our efforts. By sharing insights, processes, and challenges, we can transform individual actions into a cohesive, industry-wide strategy against online piracy.

Wouter Van Zwieten
Chief Legal Operations Officer, Worldstream

Charting the Connectivity Landscape: challenges, investments, and the EU’s vision for a digital future

In 2023, the challenges for the connectivity sector in Europe were dramatically highlighted. The European Commission initiated an exploratory consultation, underlining the crucial need to review the existing regulatory framework to attract more investment in infrastructure in response to the profound changes in practices and to the development of innovative technologies, which are affecting the financial balance of the ecosystem.

Very high-capacity networks capable of processing massive amounts of data are needed for the EU to remain competitive, but electronic communications operators today face growing economic pressure. Digital markets are constantly changing, and the need for investment to keep pace with these developments is exploding. For example, incoming mobile traffic in France increased 18-fold between 2012 and 2021 and is expected to further increase 6-fold by 2030. Faced with an expected deficit of nearly 200 billion euros in investments to achieve the connectivity objectives of the Digital Decade by 2030, the industry must be supported by the European Union through a proactive and ambitious policy plan, spreading the investment effort across the entire value chain to ensure the resilience of an essential infrastructure at the heart of our economy.

The Digital Network Act is expected in 2024, as announced by Internal Market Commissioner Breton, who rightly reminded that cutting-edge telecommunications infrastructure is a fundamental pillar for growth, innovation and job creation. Among the priorities there is the need to adapt the regulatory framework to reduce costs and facilitate the rapid deployment of very high-capacity networks. The Gigabit Infrastructure Act proposed by the Commission in February 2023 was a promising start, but its ambition needs to be confirmed in the ongoing negotiations.

Finally, the green transition is affecting all sectors, including connectivity. Telecom operators seek to reach sustainability goals, but the success of these initiatives requires a global commitment towards a more optimised use of networks from the digital sector as a whole.

With the upcoming EU elections, 2024 will be a crucial year to make the connectivity aspirations of the European Union a reality. The announced “connectivity package” could be an essential instrument to overcome the challenges and secure the future of the sector, ensuring the sustainability of our infrastructures for the benefit of European citizens and businesses.

Romain Bonenfant
EuroISPA Board Member
Managing Director, Fédération Française des Télécoms

Cybersecurity in the EU: Milestones, Challenges, and the Road Ahead

The past year has brought several significant developments at EU level both in the Cybercrime and Cybersecurity field.

The adoption of the European Commission’s flagship project, the e-Evidence Regulation, in the summer of 2023, was a significant milestone given the ongoing discussions on the topic since 2017. For the first time, law enforcement authorities will now be able to directly address service providers established on the territory of a different Member State. The focus will now be on the technical implementation of the Regulation in the Member States, where new challenges will be posed by the EU-wide harmonisation of the national technical platforms for the secure exchange of data between law enforcement authorities and service providers via a decentralised IT-system.

Another central topic is the importance of encryption. The initial proposal on the Regulation to combat child sexual abuse stipulated detection measures that would have significantly undermined the use of end-to-end encryption in communication services. This provoked a huge wave of criticism showing that secure communications are also important to the broader public. This response ultimately led the European Parliament to explicitly exclude end-to-end encrypted communications from the scope of the Regulation.

At EU Member State level, the implementation of the NIS-2-Directive is still ongoing and will require substantial efforts by the affected companies, especially those that have not been subject to any cybersecurity requirements until now. On the other hand, providers of electronic communication networks and services are already under a sector-specific security regime as part of the European Electronic Communication Code. It will therefore be important that the national implementation of the NIS-2-Directive take into account the already existing security concepts in this sector and only stipulate additional measures where these would in fact lead to a higher level of security.

A political agreement on the Cyber Resilience Act has been reached, which harmonises cybersecurity standards for products and software with digital components and will also assist providers under the NIS-2-Directive to ensure supply chain security. Finally, it must be noted that the enormous frequency of new legal acts in the field of cybersecurity in recent years poses major challenges for the companies affected by them, as their internal processes must constantly be adapted, and it is often hard to find the necessary skilled workers to implement new requirements. With this in mind, along with the new mandate coming up this year, the focus of the upcoming European Commission should be on the smooth implementation of these legal acts rather than on new proposals.

Andreas Gruber
Former Chair of the EuroISPA Cybercrime & Cybersecurity Committee

Navigating the future: regulatory streamlining of electronic communications in the European Union

Over the next five years, the European Union (EU) is poised to witness a transformative era in the development of electronic communications networks. This period is anticipated to be marked by a concerted effort to modernise the existing infrastructure and reduce barriers to the construction of advanced VHCN networks. The so-called GIA legislation is trying to focus on harmonisation across Member States and reduce bureaucratic procedures. The question we must ask is “Will that be enough?”.

Any harmonisation effort should primarily target regulatory framework, aiming to streamline and simplify the procedures for network development. This will involve revising existing regulations and possibly introducing new ones to address the evolving landscape of electronic communications. The goal is to eliminate unnecessary bureaucratic hurdles that currently impede progress and innovation. By doing so, the EU intends to foster an environment conducive to investment, innovation, and rapid deployment of advanced networks like 5G and beyond.

A significant part of this harmonisation will be the standardisation of technologies and protocols. This will ensure interoperability of networks and services across the EU, enhancing the user experience and promoting a more connected European digital market. It’s not just about enhancing speed and bandwidth; it’s also about ensuring reliability, resilience, and security of these networks, especially in the wake of increased cyber threats.

Alongside these developments, there will be a strong emphasis on the formulation of clear and fair rules for data privacy in the digital space, especially data retention. The EU recognises the need for law enforcement agencies to access certain types of data for security purposes. However, this need must be balanced against the fundamental rights of individuals, particularly their right to privacy and data protection. This framework will aim to provide clarity and certainty for both law enforcement agencies, telecommunication service providers and providers of information society services, as well as protect the privacy rights of EU citizens. The future of electronic communications network development in the EU will be characterised by a drive towards harmonisation to reduce barriers for building new infrastructure and a focus on setting clear, human rights-centred rules for data protection in the digital space. These efforts will be critical to ensure that the EU remains at the forefront of digital innovation while safeguarding the rights and freedoms of its citizens.

Jaromir Novak
Partner for Regulatory Affairs, CZ.NIC

What does Artificial Intelligence mean for the Internet Industry, now and in the future?

Today, the European Parliament is holding the final vote on the Artificial Intelligence Act (AI Act), which proposes groundbreaking regulations for the use of artificial intelligence in the EU. In this context, EuroISPA Vice-President Lars Steffen illustrates how Artificial Intelligence will fundamentally change the landscape of the Internet industry


Artificial Intelligence (AI) is fundamentally changing the landscape of the Internet industry, ushering in a new era of efficiency, personalisation and innovation. In recent years, AI has become a cornerstone of many Internet-based services, influencing everything from search algorithms to customer service interactions. Its impact is not only transformative, but also indicative of the future trajectory of the Internet industry.

One of the most noticeable changes brought about by AI is the improvement of the user experience. From content recommendations on streaming platforms to personalised search results, AI algorithms are analysing vast amounts of user data to tailor online experiences. Not only does this keep users engaged, but it also fosters a sense of connectedness as the Internet becomes more attuned to individual preferences. This is why European copyright law must continue to be adapted to the digital age, and why excessive liability of ISPs for AI-generated content must be avoided.

AI also plays a key role in cybersecurity within the Internet industry. As online threats become more sophisticated, AI-powered systems have become particularly adept at detecting and preventing cyberattacks. Machine learning algorithms can analyse patterns and anomalies in real time, providing robust defences to protect sensitive data and ensure the integrity of online platforms.

Looking ahead, the Internet industry will see even more profound changes driven by AI. The emergence of advanced natural language processing and understanding is likely to revolutionise human-computer interactions. Conversational AI, chatbots and virtual assistants will become more sophisticated, enabling seamless communication between users and online platforms. In addition, AI-driven automation will continue to streamline various aspects of the Internet industry. From content creation and curation to logistics and supply chain management, automation will optimise efficiency and reduce costs. This will not only benefit businesses, but also contribute to a faster and more responsive Internet ecosystem.

However, these advances come with certain challenges, such as ethical concerns around data privacy and the potential for job displacement. Striking a balance between innovation and the responsible use of AI will be crucial for the sustainable growth of the Internet industry. AI is a global technology with a wide range of applications, some of which are not yet foreseeable, which means that clear assessments of the opportunities and risks in certain application areas are not always possible. In this respect, the ex-ante regulation of use cases cannot address the complexity of AI and its applications and risks weakening Europe’s capacity for innovation.

It is clear that the symbiotic relationship between AI and the Internet industry is reshaping the digital landscape. Challenges remain, but the future holds the promise of an Internet ecosystem that is smarter, more responsive and more attuned to the needs of its users. Embracing these changes with a thoughtful and balanced approach will be key to realising the full potential of AI in shaping the future of the European Internet industry.

Lars Steffen
EuroISPA Vice-President
Head of International, Digital Infrastructures and Resilience at eco – Association of the Internet Industry