What are the PECR?
The PECR (Privacy and Electronic Communications (EC Directive) Regulations 2003) are a UK law that implements the EU’s ePrivacy Directive (Directive 2002/58/EC) and set out privacy rights relating to electronic communications.
Since Brexit, there are two versions of the GDPR that UK organisations might need to comply with:
- The UK GDPR, which, with the DPA (Data Protection Act) 2018, applies to the processing of UK residents’ personal data; and
- The EU GDPR, which continues to apply to the processing of EU residents’ personal data.
The PECR have been amended six times – in 2004, 2011, 2015, 2016 and twice in 2018. The latest amendment came into effect on 17 December 2018, introducing director liability for non-compliance caused by director connivance or negligence.
They were due to be replaced by the ePR (ePrivacy Regulation) in 2018, but this regulation is now expected to come into force in 2022. It is not yet known whether the UK will fully implement the ePR's requirements.
How do the PECR relate to the UK GDPR?
The UK GDPR’s standard of consent applies under the PECR. (The UK GDPR matches the EU GDPR’s standard of consent, which is much higher than that under the Data Protection Act 1998, which it replaced.)
To complicate matters, the PECR require the use of consent much more frequently than the UK GDPR does.
Consent must be “given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement”.
The PECR apply even if you are not processing personal data and therefore do not have to comply with the UK GDPR. For example, the PECR’s marketing rules apply even if the person you are contacting cannot be identified.
For network and service providers, the UK GDPR does not apply where the PECR already provide rules. In practice, this means providers need to comply only with the PECR’s requirements relating to:
- Security and security breaches;
- Traffic data;
- Location data;
- Itemised billing; and
- Line identification services.
However, some service providers, such as Internet service providers, might be obliged to comply with the NIS Regulations (Network and Information Systems Regulations 2018) as well, so they should check their compliance obligations carefully.
The ICO enforces the UK GDPR and the PECR, as well as the NIS Regulations for DSPs (digital service providers).
What are the penalties for not complying with the PECR?
The ICO has the power to take action against organisations and, as of 17 December 2018, their officers for PECR violations. Actions include criminal prosecution, non-criminal enforcement, audit and the imposition of monetary penalties of up to £500,000.
An ‘officer’ is defined by The Privacy and Electronic Communications (Amendment) Regulations 2018 as “a director, manager, secretary or other similar officer of the body [corporate] or any person purporting to act in such capacity” or “where the affairs of the body are managed by its members, a member”. In relation to a Scottish partnership, an officer is “a partner or any person purporting to act as a partner”.
How IT Governance can help you comply
Understand your level of PECR compliance with our independent PECR Audit service, which assesses:
- Organisation-wide awareness of the PECR;
- How risks are managed and the accompanying documentation;
- The security procedures in place, such as access limitation;
- Handling of data subjects’ rights and privacy notices;
- Staff training;
- Data transfer mechanisms and third-party processors;
- Your ISMS (information security management system), including testing and frameworks; and
- Your breach response processes.
We will identify areas of non-compliance and deliver a report to help you take remedial action.