Today we would like to share with you a series of mandatory legal aspects that, in relation to Internet security, mean that the implementation of Wi-Fi services for public Internet access, through Hotspot mode, must be carried out by qualified companies that have the appropriate technology and tools to do so.

Not everything is as simple as having a network and opening it up to customers

The responsibility involved in providing such a service is very high —one only has to look at the associated fines and penalties—. And it is necessary to take into account a series of legal aspects that, little by little, are regulating cybersecurity from different institutions. In this sense, it is complicated from a legal point of view to keep up with the speed of technological evolution. But there is a whole new wave of Internet-related cybercrime from which users must be protected by law.

Esferize would like to give you a summary of the obligations to which public Internet access service providers are subject:

Register

  • Keep a record of persons connecting to the wireless network, and inform the competent authorities in case of any incidents or illegalities (Clause 27 of the Commission’s proposal for a Directive on Network and Information Security, NIS, adopted by the European Parliament on 13 March 2014).

Availability, integrity and confidentiality

  • They must establish mechanisms to guarantee the availability, integrity and confidentiality of information with measures that guarantee “cybersecurity” (Spanish Cyber Security Institute (SCSI). Report on National Cybersecurity, a commitment by all. The need to evolve from a reactive culture to one of prevention. Published in June 2012).

Time limit of 8 hours

  • In case the authorities require information about a user’s access to the network, the service provider has 8 hours to respond to the requested information (Commission Proposal for a Directive on Network and Information Security, NIS, adopted by the European Parliament on 13 March 2014).

Data retention obligation

  • The obligation to conserve the aforementioned data ceases after twelve months from the date on which the communication took place and they may only be transferred with prior judicial authorisation, and only to authorised agents, although it could be reduced to a minimum of 6 months and a maximum of 2 years, taking into consideration the cost of storing and conserving the data as a measure focused, above all, on the sustainability of SMEs (Article 5 of Law 25/2007 of 18 October, on the conservation of data relating to electronic communications and public communications networks).

Privacy policy

  • In the event that the service provider has an authentication mechanism for registration via social networks, it must have a “Privacy Policy” where the customer is informed of the personal data to which he/she will have access. These are usually email or telephone and the password (Organic Law 15/1999 on Personal Data Protection).

Parental consent

  • Children under the age of 14 should not access the Wi-Fi service without parental consent. To this end, the service provider must establish mechanisms to prevent such improper searches (Guide on risks and good practices in online authentication published by INCIBE).

According to Article 6 of the Civil Code:

“Ignorance of the law is no excuse for not obeying it”.

And, despite the fact that legal aspects are always a difficult subject for those who are new to the subject, we believe it is important to offer you this information in order to be able to make the right decision when it comes to choosing companies that are experts in the implementation of networks, Wi-Fi access and Internet security.

We hope it has been of help to you. For further information on this and other topics, the Esferize team will be happy to help you or, if you prefer, you can consult our website.