Can carriers balance data sovereignty?

09 March 2016 |


As governments adopt a tougher stance on data protection and exert greater control online, dramatic legislative battles are unfolding that could result in a rather unforgiving world for telecoms operators. Alex Hawkes investigates.

cover story april may

Two years ago at Capacity Middle East, the guest speaker and world-renowned futurist Gerd Leonhard told delegates that he feared the potential break-up of the global internet or, as he liked to put it, the emergence of the ‘Splinternet’. 

The NSA scandal had rattled governments. So too had the growing threat of cyber terrorism. This, he predicted, would prompt authorities to tighten control online, posing a risk to the open internet model. Flash forward to 2016 and the first cracks do seem to be appearing in the worldwide web. A number of countries, such as Russia, Indonesia and Vietnam, have followed China’s attempts to cut off their internet from the outside world. Meanwhile, in Europe, major legislative change is coming – the largest and most high-profile of which is the General Data Protection Regulation (GDPR). 

The EU council, commission and parliament agreed the final text of the GDPR in December, and its final approval is imminent – most likely in March.

The GDPR will place enormous pressure on businesses to secure their customer data. It looks set to introduce severe penalties if data isn’t robustly secured: we’re talking up to 5% of annual worldwide turnover, or €100 million, with the possibility for individuals and associations, acting in the public interest, to bring claims for non-compliance.

It will have a major impact on how every business deals with security – but, of course, it will have even greater repercussions for telecoms operators.  

One point to make very clear: it is not just European telcos that ought to be concerned about the GDPR. Any carrier based anywhere in the world that has customers or employees who are EU citizens will be subject to these regulations. 

Globalisation happened quicker than regulators could keep up. As a result, a disparate regulatory landscape has emerged where companies operating globally can find themselves caught in the crossfire between various countries’ individual telecoms laws. 

“The GDPR doesn’t single out telecoms operators. It is more about maintaining a more consistent landscape across Europe, so you do not have different countries interpreting data privacy in different ways,” says Mark Thompson, head of privacy practice at KPMG. 

“The only caveat is that the GDPR covers privacy, but there are a number of specific telecoms laws in some countries that also restrict the movement of data outside of a jurisdiction.”

The issue of legacy systems 

There are many gambits to the GDPR, but two stand out as potential pitfalls for telecoms operators.  

The first is data portability. Under the new regulation, a customer will be able to request access to their data from a telecoms operator, and have it transferred to another service provider in a machine readable format. 

The second is erasing data. Companies will be allowed to house data only for a limited time. At the end of the allotted time the company will be required to review or erase the data.

These both could prove a hefty challenge for telcos with a vast number of different billing and management systems. The telecoms industry, particularly in Europe, has grown through M&A, with the larger operators snapping up the smaller ones, until three or four were left in each market. 

As a result service providers have inherited over time “hundreds of billing systems, hundreds of customers relationship management systems and lots of provisioning systems”, says Thompson.

“It is very difficult for operators to understand what customer is on what system.”

And dealing with legacy systems is just one half of the challenge. John Shaw, VP of product management at cyber security specialist Sophos Labs, points out the security risk involved with such legislative change.  

In the instance of data portability, Shaw says there will be pressure on carriers to validate customer identification. “It is not enough that the person has the right username and password, they will need multifaceted forms of identification,” he says. 

“Clearly data needs to be stored in encrypted form, which could have another major implication for carriers.” 

Equally important is the right for consumers to erase data. 

“It is not enough to delete a file or record. The data will still be on an underlying system in solid state memory somewhere, so you will need to go further to scramble the disk in order to prove it is deleted,” says Shaw, adding: “There will be technical challenges there as well.”   

The year 2018 is likely to be when compliancy to the GDPR becomes mandatory. This small two-year window does not leave carriers with much time to play with. KPMG’s Thompson likens compliance to “trying to herd the world’s population of cats up Mount Everest”.

He thinks an immediate first step for carriers could be an inventory exercise, examining what data they’ve got and where it is being processed. 

Equally as pressing is ensuring there are sufficient internal resources to oversee the compliance process: “If you look at the FTSE 100, less than half those organisations will have a global privacy officer. They may have a data protection officer, which is nominee appointed role, but isn’t really doing what needs to be done,” says Thompson. 

“A lot of organisations have a few smart people doing the best they can. They don’t have rigorous sustainable systems in place. What are your gaps? What are your risks? What effort is needed to mediate those risk? At the moment most organisations are not in a position to be able to make decisions about risk,” he adds. 

Ann LaFrance, a partner at Squire Patton Boggs, who co-leads its data privacy and cybersecurity practice, believes compliance with the GDPR will be gradual, but the process has to begin now. “A lot of companies are already starting to figure out how to get all their compliance ducks in a row,” she says. 

She thinks the GDPR will also make carriers rethink certain business decisions: “As cloud contracts come up, for example, customers will start to raise compliance issues with cloud providers.”

In fact, LaFrance speculates that in the longer term, the GDPR and various localisation laws could even impact the volume of international transit between operators.

“Governments, law enforcement authorities and security agencies worldwide are starting to worry about all this data being sat somewhere else, and are concerned about how, jurisdictionally, they can get their hands on it,” she says. 

“A by-product of the heightened surveillance and cybersecurity concerns is the ‘Splinternet’, with more and more telecoms operators and cloud providers keeping content – and traffic – local.” 

She cites the example of China, where almost 100% of internet content originates in the country, and questions what will happen to international transit if many other countries follow suit. 

“[In that eventuality] will we need all the subsea cables and international infrastructure being planned? Some of that long-term planning might need adjusting,” she says. 

There is a possibility as well that such legislation could in the long term see tier 1 global operators instead focus their efforts on particular regions or markets. 

“There is a challenge for a Vodafone or Telefonica to try and reduce or consolidate systems and infrastructure,” says KPMG’s Thompson. “That is going to be very difficult to do and could have a knock-on effect on the provision of services.”

Challenging times ahead for carriers

Carriers could be forgiven for feeling like they’re being dragged in opposite directions. 

While the GDRP could be seen as acting in the best of interests of a consumer and ensuring their data is protected, at the same time developments such as the UK Investigatory Powers Bill are attempting to give governments easier access to that same data.

 As countries continue to try and exert greater control online, there is expected to be a rise in practices such as filtering. In February, India’s regulator Trai banned telecoms providers from offering discriminatory tariffs for data services based on content, and from entering deals to subsidise access to certain websites. 

The regulator was in particularly targeting Facebook and its Free Basics service, but it serves as yet another example of the legislative battles taking place in each market. 

“It is a challenging time for any company that is a carrier or service provider to get on top of these different strands of legislation. I don’t envy carriers right now,” says Shaw. 

Why you also need to keep an eye on the UK's Investigatory Power Bill

Why you also need to keep an eye on the EU-US Privacy Shield