News and developments
The Electronic Communications Law enters into force. What are the new obligations for electronic communication entrepreneurs?
On 9 August 2024 the Electronic Communications Law was published in the Journal of Laws [1]. The new legislation, which will replace the current Telecommunications Law, introduces additional obligations for electronic communications entrepreneurs, a newly defined group of entities previously not covered by the former regulations. In this article, we explain who electronic communications entrepreneurs are and outline the obligations they will now be subject to.
Historical background
On 9 August 2024, the Electronic Communications Law (hereinafter: ECL), after almost four years of work and consultation, was published in the Journal of Laws. The primary purpose of this legislation is to implement the EU Directive establishing the European Electronic Communications Code [2] (hereinafter: EECC). The ECL replaces the existing Telecommunications Law, which has been the regulatory framework for Poland's telecommunications sector for the past 20 years.
The ECL had previously been submitted to the Sejm (lower chamber of the Polish parliament) in December 2022. However, the draft law was withdrawn from consideration due to strong criticism over highly controversial amendments introduced during the final stage of the government’s legislative process [3]. Following the elections in October 2023, work on the draft law resumed, and a revised version of the ECL, which excluded the most contentious changes, was published in February 2024. By the end of May 2024, the updated ECL draft was once again submitted to the Sejm.
Since July 2022, proceedings have been ongoing before the Court of Justice of the EU regarding Poland's failure to implement the provisions of the EECC on time. On 14 March 2024, the Court ruled that Poland was in breach of its obligations. The Court imposed a lump sum penalty of €4 million on Poland, along with a daily fine of €50,000 for each day of further non-compliance with the EECC. As a result, the total fines imposed on Poland have already exceeded €10 million.
The EECC was adopted and enforced in December 2018, setting a deadline for transposition by Member States set for December 2020. It aimed to establish a legal framework ensuring the freedom to provide electronic communications networks and services while consolidating and updating the existing directives governing the telecommunications market into a single piece of legislation.
Who will be covered by the ECL regulations?
One of the greatest changes introduced by the ECL is the expansion of its regulatory scope to include "electronic communications entrepreneurs." This term encompasses not only telecommunications entrepreneurs (as defined under the current Telecommunications Law) but also "entities providing a publicly available interpersonal communication service that does not use numbers." The extension of the scope of the subject matter of the regulation is intended to ensure that it adapts to the changing reality in which traditional telecommunications services are increasingly being replaced by modern forms of communication, provided primarily via the Internet.
Although the ECL itself does not explicitly define what constitutes an "interpersonal communication service that does not use numbers," the issue is clarified in the EECC. It indicates that these are services that enable interpersonal and interactive exchange of information between a finite (limited) number of people. They include, among other things, email, instant messaging, and online meeting tools that allow participants in such a meeting to communicate directly and bilaterally.
Excluded from this definition are services such as VOD platforms, websites, social networks, blogs, and communication tools that are merely supplementary to another service and cannot function independently, such as chat channels in online games.
However, this exclusion should be interpreted to a relatively narrow extent. Therefore, determining whether a particular service qualifies as an "interpersonal communication service that does not use numbers" can be challenging. This is because, potentially, the same service (the same technical solution) may be classified differently depending on the manner and context of use.
Obligations towards end-users
To begin with, it is important to highlight that many of the obligations listed below – either in identical or very similar form – are already present in the Telecommunications Law. Therefore, while not all of these regulations are entirely new to the legal framework, they will now also apply to businesses offering interpersonal communication services that do not use numbers.
One of the key sets of responsibilities imposed on all electronic communication entrepreneurs involves specific obligations towards end-users. Their detailed scope will depend on the type of service provided, but as a general rule they include:
Secrecy of electronic communications and data protection
Electronic communication entrepreneurs, along with their partners, will be required to uphold the confidentiality of electronic communications. They must also exercise due diligence in securing telecommunications equipment, public telecommunications networks, and data to prevent the disclosure of confidential electronic communications (Article 387 ECL).
In addition, the provider of electronic communication services will have to inform the end-user of, among other things, about:
Furthermore, to use the location data, the provider of electronic communication services will have to anonymise the data (Article 392 ECL).
In addition to their responsibilities under the GDPR, providers of electronic communication services must implement appropriate technical and organisational measures to safeguard the security of personal data processing. These measures must ensure at a minimum:
Additionally, providers of electronic communication services will have to keep a record of personal data breaches, including the facts surrounding the breach, its impact and the action taken (Article 405 ECL).
Cybersecurity
It is also worth noting that even though the ECL provisions do not govern the cybersecurity of electronic communication entrepreneurs and the services they provide, all such entities – regardless of their sizes – will be considered key or important entities under the currently drafted amendment to the Act on the National Cybersecurity System [4] (hereinafter: ANCS), which implements the EU's NIS 2 Directive [5].
Hence, the obligations of electronic communication entrepreneurs in this respect – based on the draft ANCS amendment of April 2024 – will include:
Financial penalties
In the event of non-performance or improper performance of most of the obligations described in this article, the President of the Office of Electronic Communications will have the authority to impose a financial penalty on electronic communication entrepreneurs of up to 3% of the revenue generated by the entrepreneur in the preceding calendar year.
Entry into force
Most of the ECL provisions will enter into force three months after the date of promulgation, i.e. on 10 November 2024. However, the enforcement date for some of the ECL provisions has been stretched out over time and varies from the day after the date of promulgation of the Law up to 12 months after that date.
Author: Agnieszka Wachowska, Piotr Nepelski and Piotr Konieczny
Footnotes
[1] https://isap.sejm.gov.pl/isap.nsf/download.xsp/WDU20240001221/O/D20241221.pdf
[2] Directive 2018/1972 of the European Parliament and of the Council (EU) of 11 December 2018 establishing the European Electronic Communications Code
[3] These included the extension of tasks and responsibilities for defence, state security and public safety and order to all electronic communication entrepreneurs
[4] Draft Law on Amendments to the Act on the National Cybersecurity System and Some Other Acts (available here: https://legislacja.gov.pl/projekt/12384504/katalog/13055207)
[5] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148