The PECR (Privacy and Electronic Communications Regulations) and EU ePrivacy Directive
The PECR (Privacy and Electronic Communications (EC Directive) Regulations 2003) implement the EU’s ePrivacy Directive (Directive 2002/58/EC) and set out privacy rights relating to electronic communications.
The PECR have been amended six times – in 2004, 2011, 2015, 2016 and twice in 2018. The latest amendment came into effect on 17 December 2018, introducing director liability for non-compliance caused by director connivance or negligence.
They were due to be replaced by the ePR (ePrivacy Regulation) in 2018, but this regulation is now expected to come into force in 2019. It is not yet known whether this will be after the UK leaves the EU and, if so, whether the UK will implement the ePR in full.
What do the PECR cover?
The PECR apply to:
- Electronic marketing, including telephone calls, SMS messages, emails and faxes;
- The use of website cookies to track visitors;
- The security of public electronic communications services; and
- The privacy of users of electronic communications services.
How do the PECR relate to the GDPR?
The GDPR’s standard of consent is much higher than under the Data Protection Act 1998 that it replaced, and this applies under the PECR. To complicate matters, the PECR require the use of consent much more frequently than the GDPR does.
Consent must be “given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement”.
The PECR apply even if you are not processing personal data and therefore do not have to comply with the GDPR. For example, the PECR’s marketing rules apply even if the person you are contacting cannot be identified.
For network and service providers, the GDPR does not apply where the PECR already provide rules. In practice, this means providers need comply only with the PECR’s requirements relating to:
- Security and security breaches;
- Traffic data;
- Location data;
- Itemised billing; and
- Line identification services.
Some service providers, such as Internet service providers, might, however, be obliged to comply with the NIS Regulations (Network and Information Systems Regulations 2018) as well, so should check their compliance obligations carefully.
Both the GDPR and PECR are enforced by the ICO (Information Commissioner’s Office), which also regulates the NIS Regulations for DSPs (digital service providers).
What are the penalties for not complying with the PECR?
The ICO has the power to take action against organisations and, as of 17 December 2018, their officers for PECR violations. Actions include criminal prosecution, non-criminal enforcement, audit and the imposition of monetary penalties of up to £500,000.
An ‘officer’ is defined by The Privacy and Electronic Communications (Amendment) Regulations 2018 as “a director, manager, secretary or other similar officer of the body [corporate] or any person purporting to act in such capacity” or, “where the affairs of the body are managed by its members, a member”. In relation to a Scottish partnership, an officer is “a partner or any person purporting to act as a partner”.
Understand your level of PECR compliance with our independent PECR Audit Service, which assesses:
- Organisation-wide awareness of the PECR;
- How risks are managed and the accompanying documentation;
- The security procedures in place such as access limitation;
- Handling of data subjects’ rights and privacy notices;
- Staff training;
- Data transfer mechanisms and third-party processors;
- Your ISMS (information security management system), including testing and frameworks; and
- Your breach response processes.
We will identify areas of non-compliance and deliver a report to help you take remedial action.
Find out more about the PECR Audit Service >>
Speak to an expert
Please contact our expert team, who will be able to give advice and guidance about the compliance options.