The Open Internet Regulation 2015/2120 forms the legal basis for the net neutrality protections that are in effect in the EU. The Regulation foresaw that the net neutrality rules would be evaluated by 30 April 2019, roughly three and a half years after the Regulation came into effect, and while the European Commission has decided not to amend the regulation, the Body of European Regulators of Electronic Communications (BEREC) has decided to update their implementation guidelines for national regulators. These new guidelines have now been published.

5G network slicing and specialised services

In the past months, the European net neutrality debate has often revolved around the introduction of the next generation of mobile phone networks, 5G. This is because 5G specifies new ways in which operators can treat traffic that is transmitted over their networks in a differentiated way. In particular it ecompasses a technology called "network slicing", where multiple virtual networks with different quality of service characteristics are provided over the same infrastructure. A network slice could for example be optimised for very low latency, or guarantee a minimum bandwidth, or allow communications with particularly low energy requirements on the mobile device.

Equipment manufacturers such as Ericsson and Nokia have been marketing these new features of 5G to network operators by arguing that they allow operators to create new products addressing "verticals", meaning they could form partnerships with providers of specific applications and develop a bundled product aimed at a specific customer base. For example, network operators could partner with a weather sensor manufacturer and sell sensors, monitoring software, and the required network service as a bundle to large farming operations wishing to better monitor the environment their crops grow in.

The Regulation allows for "specialised services" that are treated distinctly from internet access services (IAS) and thus are not subject to the regular net neutrality rules. However, what services can be deployed under what conditions is crucial, so these exceptions cannot be used to circumvent the net neutrality protections that the Regulation otherwise establishes. The Regulation requires that deploying an application as a specialised service is actually necessary (it cannot be provided over the regular internet instead) and that specialised services are not detrimental to the general quality of the IAS.

In its draft of the new Guidelines, BEREC made several changes to the rules on specialised services, including some that weakened the language of the previous Guidelines on how national regulatory authorities (NRAs) are to assess whether a particular service is allowed. In particular, language was inserted that only quality decreases of the IAS "offered over the same network" would be considered, that it was to be assessed how many users are affected, and that usually several years would pass until a service that was approved would be reassessed. We objected to this language because several networking technologies used by the same operator may share backhaul capacity, and specialised services should not be to the detriment of any of these networks, and that the Regulation protected all users, and not just the majority of them, and that changing circumstances could require quick intervention by NRAs. In the final version of the Guidelines, this language has again been removed.

5G network slicing and new types of internet access service

Network slicing is not just relevant for specialised services: it also allows operators to create new IAS products where one subscription provides access to the internet using multiple slices with different quality of service characteristics in a way that had not been implemented on mobile devices before. We have always argued that such products are allowed under the Regulation if the subscriber is in full control over which application makes use of which slice. In the new Guidelines, BEREC has added language that reflects this: the Guidelines state that such products must handle the different quality of service levels in an application-agnostic way and clearly defines that this means independent of application (and not grouping similar applications together).

By adopting this guidance, BEREC is the first major regulatory body to make it clear that net neutrality regulation and 5G are compatible. The particular solution gives users control over how they want to use their internet access service.

Parental control filters

The legislativehistory of the Regulation shows that the legislators did not want to make special exceptions for the introduction of parental control filters by internet access providers. The UK had introduced an amendment that would have excepted such filters from the provisions of the Regulation that prohibit the blocking of traffic, but the amendment was not adopted. Surprisingly, the draft BEREC Guidelines contained new language that allowed IAS providers to offer parental control filters, not in the same way that other vendors provide "end-point based" filtering software (a term which was not defined), but merely in a "similar" way, which would then be assessed on a case-by-case basis. However, under the Regulation the prohibition on blocking of services based on commercial considerations (such as in providing a parental control service) is prohibited in general and not subject to a case-by-case assessment. We argued that this new language made what should be a clear issue unclear. In response, the final version of the Guidelines replaced "similar way" with "the same way", makes it clear that the "default" DNS resolver provided by the IAS provider must not block services, and states that "end-point based" filtering takes place in the subscriber's network. It is now clearer that the case-by-case assessment of filtering products is in addition to these rules.

Deep Packet Inspection

Ordinarily, IAS providers only need to process certain metadata that is provided by their subscribers in order to relay their traffic (primarily source and destination address). However, Deep Packet Inspection (DPI) technology allows providers to look at data streams as a whole and treat traffic distictly based on criteria such as the domain name the service accessed is provided under, or single web pages that are accessed by a browser. The Regulation however states that traffic management based on "specific content" is not considered reasonable traffic management, and with specified exceptions, is prohibited. The previous Guidelines made clear that this means that DPI could not be used for traffic management as they stated that "specific content" comprises the transport protocol layer payload, which contains information such as domain names. However, the industry seems to have wanted these rules changed, and in particular allow the evaluation of domain names.

In conjunction with its consultation on the draft Guidelines, BEREC asked stakeholders questions on whether this definition should be changed, and also wrote a letter to the European Data Protection Board (EDPB) on whether the processing of such data could be lawful. Our response as well as the EDPB's are clear: it's very unlikely that Deep Packet Inspection can be deployed in a lawful manner. The final Guidelines left the relevant paragraphs unchanged and thus uphold the prohibition of DPI in traffic management. We hope that telecoms and data protection regulators will become more diligent in enforcing these provisions.

Traffic management

In cases before NRAs and the courts regarding their traffic management practices, telecoms operators have argued that the rules on traffic management in the regulation (in particular Article 3(3)) only apply where an IAS provider acts unilaterally, and that agreements with the provider could supersede these provisions. Such an interpretation would of course upend the entire Regulation: any IAS provider could simply give itself carte blanche to perform any kind of unreasonable traffic management by including such provisions in the contract. The operators' arguments were rebuffed by both NRAs and the courts. In the new Guidelines, BEREC has added language that reflects these court decisions and makes clear that customers cannot waive their rights by means of an agreement.

Zero-Rating and other application-specific pricing

Many mobile operators offer products where traffic generated by particular applications or services is not counted towards a subscriber's data cap, or where it is billed at a lower price. While it is our opinion that the Regulation prohibits offers like these under its general non-discrimation provision in Article 3(3), the BEREC Guidelines subject them to a case-by-case assessment and lists possible assessment criteria.

Zero-rating and similar offers come primarily in two forms: open offers in principle allow all providers of applications or services of a specific type to become part of the programme, whereas in the case of closed offers this is not the case, participation is closed to all but the partners of the operator. In practice, the efforts required to join an open programme are often significant, they require technical adaptations and application and service providers must overcome bureaucratic hurdles. In the new Guidelines, BEREC has added language particularly addressing these requirements for open programmes. However, our 2018 survey shows that the majority of zero-rating and similar offers are closed offers, which can distort the market even more than open programmes. While the new language acknowledges that zero-rating and similar offers create an incentive to use some applications over others, it does little to address the problem of closed offers.

In addition to the assessment criteria in the body of the Guidelines, BEREC has added a more detailed list in a new annex. We had asked BEREC to include price per usage duration as an assessment criterion, which would reflect the incentive that is created by the differential pricing of some applications and services. Unfortunately, BEREC did not adopt our suggestion and thus falls short of addressing the systemic problem of zero-rating in Europe.

Transparency obligations

Article 4 of the Regulation obliges IAS providers to provide (potential) subscribers with information on their traffic management practices and quality of service parameters. In practice, we find that these obligations are rarely fulfilled and regulators rarely mention them in their annual reports. Encouragingly, the draft text of the new Guidelines included a provision where information on traffic management practices "should be as specific as possible". Disappointingly, this provision has been removed in the final version of the Guidelines.

Conclusions

This reform of the Guidelines moves the needle a little closer towards a free and open internet. While the net neutrality debate becomes increasingly challenging worldwide, the debate in Europe continues below the surface at a steady pace. BEREC has done a diligent job, however it did not in our opinion adequately address the systemic problem of zero-rating. We hope the emphasis on user control in its guidance on new access products in 5G will shape the global discussions on 5G business models. 

Since you're here

… we have a small favour to ask. You want to keep a close eye on the government? You want to stay up-to-date on surveillance, privacy, net neutrality, and all matters related to your fundamental rights on the internet? Subscribe to our newsletter and approximately once a month, we will send you a message (in German) about everything that happens around digital policy in Austria and in Europe, about our actions, legal analyses and position papers.

Together, we defend our fundamental rights in the digital age – because civil society works! Stay informed!

Related stories: