Practical questions

Is an operator allowed to process identification data in order to find out which subscriber’s subscriber connection is the source of messages or spam containing malicious software?

Identification data may only be processed to the extent necessary for the purpose of the provision and use of a network service, communications service or value added service and for the purpose of ensuring information security in these services (section 9 of PPEC). In order to combat violations of information security and to remove information security disruptions, a telecommunications operator has the right to undertake necessary measures in order to prevent the transmitting and receiving of e-mail messages, text messages and other similar messages and to remove from the messages malicious software (section 20 of PPEC). In other words, identification data may in principle be processed for the purpose of discovering who the sender of malicious software is as well as stopping spam mail if that endangers the usability and information security of the communications service.

An operator also has the obligation to take measures in order to rectify the situation and, if necessary, isolate the communications network or equipment from the public communications network if a communications network or equipment item causes danger or interference to a communications network, equipment, communications network user or another person (section 131 of CMA). Therefore, the subscriber connection may also be totally disconnected from the public communications network, if it is, at that moment, the only way to rectify the situation causing danger or disturbance.