The Electronic Communications Law enters into force. What are the new obligations for electronic communication entrepreneurs?
On 9 August 2024 the Electronic Communications Law was published in the Journal of Laws [1]. The new legislation, which will replace the current Telecommunications Law, introduces additional obligations for electronic communications entrepreneurs, a newly defined group of entities previously not covered by the former regulations. In this article, we explain who electronic communications entrepreneurs are and outline the obligations they will now be subject to.
Historical background
On 9 August 2024, the Electronic Communications Law (hereinafter: ECL), after almost four years of work and consultation, was published in the Journal of Laws. The primary purpose of this legislation is to implement the EU Directive establishing the European Electronic Communications Code [2] (hereinafter: EECC). The ECL replaces the existing Telecommunications Law, which has been the regulatory framework for Poland's telecommunications sector for the past 20 years.
The ECL had previously been submitted to the Sejm (lower chamber of the Polish parliament) in December 2022. However, the draft law was withdrawn from consideration due to strong criticism over highly controversial amendments introduced during the final stage of the government’s legislative process [3]. Following the elections in October 2023, work on the draft law resumed, and a revised version of the ECL, which excluded the most contentious changes, was published in February 2024. By the end of May 2024, the updated ECL draft was once again submitted to the Sejm.
Since July 2022, proceedings have been ongoing before the Court of Justice of the EU regarding Poland's failure to implement the provisions of the EECC on time. On 14 March 2024, the Court ruled that Poland was in breach of its obligations. The Court imposed a lump sum penalty of €4 million on Poland, along with a daily fine of €50,000 for each day of further non-compliance with the EECC. As a result, the total fines imposed on Poland have already exceeded €10 million.
The EECC was adopted and entered into force in December 2018, with the deadline for transposition by Member States set for December 2020. It aimed to establish a legal framework ensuring the freedom to provide electronic communications networks and services while consolidating and updating the existing directives governing the telecommunications market into a single piece of legislation.
Who will be covered by the ECL regulations?
One of the greatest changes introduced by the ECL is the expansion of its regulatory scope to include "electronic communications entrepreneurs." This term encompasses not only telecommunications entrepreneurs (as defined under the current Telecommunications Law) but also "entities providing a publicly available interpersonal communication service that does not use numbers." The extension of the scope of the subject matter of the regulation is intended to ensure that it adapts to the changing reality in which traditional telecommunications services are increasingly being replaced by modern forms of communication, provided primarily via the Internet.
Although the ECL itself does not explicitly define what constitutes an "interpersonal communication service that does not use numbers," the issue is clarified in the EECC. It indicates that these are services that enable interpersonal and interactive exchange of information between a finite (limited) number of people. They include, among other things, email, instant messaging, and online meeting tools that allow participants in such a meeting to communicate directly and bilaterally.
Excluded from this definition are services such as VOD platforms, websites, social networks, blogs, and communication tools that are merely supplementary to another service and cannot function independently, such as chat channels in online games.
However, this exclusion should be interpreted relatively narrowly. Therefore, determining whether a particular service qualifies as an "interpersonal communication service that does not use numbers" can be challenging. This is because, potentially, the same service (the same technical solution) may be classified differently depending on the manner and context of use.
Obligations towards end-users
To begin with, it is important to highlight that many of the obligations listed below – either in identical or very similar form – are already present in the Telecommunications Law. Therefore, while not all of these regulations are entirely new to the legal framework, they will now also apply to businesses offering interpersonal communication services that do not use numbers.
One of the key sets of responsibilities imposed on all electronic communication entrepreneurs involves specific obligations towards end-users. Their detailed scope will depend on the type of service provided, but as a general rule they include:
- The obligation to provide consumers, free of charge and on a durable medium, with a range of pre-contractual information and a concise summary of the terms and conditions, even before the contract is signed (Articles 285 et seq. of the ECL);
- A prohibition against discrimination based on nationality, residence, or domicile, as well as a ban on making a contract conditional upon not entering into an agreement with another supplier (Article 298 ECL);
- An obligation to publish up-to-date information on its website in a clear, understandable, and machine-readable format, accessible to users with disabilities. This information must include details about the services offered, their key features, pricing, after-sales services, and the standard contract terms (Article 300 ECL);
- Restrictions on the ability of electronic communications providers to unilaterally amend the terms and conditions of contracts for the provision of electronic communication services (Articles 306 et seq. ECL);
- An obligation to ensure that users with disabilities have access to services and facilities in a manner equivalent to that provided to the general public, with information about these services published on the provider's website (Article 340 of the ECL);
- An obligation to obtain prior consent from subscribers before activating any optional debit service (Article 349 ECL);
- An obligation to address complaints related to electronic communication services or optional debit services (Article 378 ECL).
Secrecy of electronic communications and data protection
Electronic communication entrepreneurs, along with their partners, will be required to uphold the confidentiality of electronic communications. They must also exercise due diligence in securing telecommunications equipment, public telecommunications networks, and data to prevent the disclosure of confidential electronic communications (Article 387 ECL).
In addition, the provider of electronic communication services will have to inform the end-user about, among other things:
- The scope and purpose of processing transmission data and other related data;
- Possibilities available to influence the scope of this processing;
- The type of transmission data that will be processed and the duration of processing for the purposes of marketing electronic communication services or offering value-added services (Article 391 ECL).
Furthermore, to use location data, the provider of electronic communication services will have to anonymise the data (Article 392 ECL).
In addition to their responsibilities under the GDPR, providers of electronic communication services must implement appropriate technical and organisational measures to safeguard the security of personal data processing. These measures must ensure at a minimum:
- Access to personal data is granted to a person with an authorisation issued by the data controller;
- Protection of personal data against accidental or unlawful destruction, loss, alteration, and unauthorised or illegal storage, processing, access, or disclosure;
- Implementation of a security policy with regard to the processing of personal data (Article 401 ECL).
Additionally, providers of electronic communication services will have to keep a record of personal data breaches, including the facts surrounding the breach, its impact and the action taken (Article 405 ECL).
Cybersecurity
It is also worth noting that even though the ECL provisions do not govern the cybersecurity of electronic communication entrepreneurs and the services they provide, all such entities – regardless of their size – will be considered key or important entities under the currently drafted amendment to the Act on the National Cybersecurity System [4] (hereinafter: ANCS), which implements the EU's NIS 2 Directive [5].
Hence, the obligations of electronic communication entrepreneurs in this respect – based on the draft ANCS amendment of April 2024 – will include:
- Systematic incident risk assessment and management;
- Technical and organisational measures that are appropriate and proportionate to the assessed risks, considering the state of the art, the costs of implementation, the size of the entity, the likelihood of incidents, and the exposure of the entity to risks;
- Collecting information on cyber threats and vulnerabilities of the information system used to provide the service;
- Incident management;
- Measures to prevent and limit the impact of incidents on the security of the information system used to provide the service;
- Secure electronic means of communication as part of the national cybersecurity system, taking into account multi-factor authentication.
Financial penalties
In the event of non-performance or improper performance of most of the obligations described in this article, the President of the Office of Electronic Communications will have the authority to impose a financial penalty on electronic communication entrepreneurs of up to 3% of the revenue generated by the entrepreneur in the preceding calendar year.
Entry into force
Most of the ECL provisions will enter into force three months after the date of promulgation, i.e. on 10 November 2024. However, the enforcement date for some of the ECL provisions has been stretched out over time and varies from the day after the date of promulgation of the Law up to 12 months after that date.
Authors: Agnieszka Wachowska, Piotr Nepelski and Piotr Konieczny
Footnotes
[1] https://isap.sejm.gov.pl/isap.nsf/download.xsp/WDU20240001221/O/D20241221.pdf
[2] Directive 2018/1972 of the European Parliament and of the Council (EU) of 11 December 2018 establishing the European Electronic Communications Code
[3] These included the extension of tasks and responsibilities for defence, state security and public safety and order to all electronic communication entrepreneurs
[4] Draft Law on Amendments to the Act on the National Cybersecurity System and Some Other Acts (available here: https://legislacja.gov.pl/projekt/12384504/katalog/13055207)
[5] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148