Crafted to fortify the privacy and integrity of electronic communications within the UK, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) serve as a cornerstone of digital security measures. Responding to the EU e-privacy Directive (Directive 2002/58/EC), PECR has undergone multiple revisions, with the most recent update in June 2019. All entities fall under the purview of PECR mandates, encompassing regulations concerning marketing communications, web cookies, and location data. Furthermore, PECR imposes added responsibilities on service and network providers to uphold robust cybersecurity measures and avert breaches.
GDPR vs. PECR: The Two Pillars of EU Privacy Law
The EU’s e-privacy Directive predates the General Data Protection Regulation (GDPR), but despite their overlap, both the Privacy and Electronic Communications Regulations (PECR) and GDPR work in conjunction.
While the GDPR does not supersede the PECR, it does update the fundamental standards for obtaining, recording, and managing consent. Many measures required for GDPR compliance also contribute to PECR adherence. Nonetheless, there are notable distinctions to consider.
One key difference is that PECR regulations apply even when individuals contacted cannot be personally identified. To prevent redundancy, certain sections of the GDPR do not apply to network or service providers already subject to additional PECR obligations.
The EU is currently in the process of developing the e-privacy Regulation (ePR), slated to replace PECR eventually. However, as negotiations persist, its implementation is expected no sooner than 2022. Consequently, GDPR and PECR regulations will continue to coexist for the foreseeable future
Marketing, Cookies & More: A Breakdown of PECR’s Rules for Businesses and Service Providers
The Privacy and Electronic Communications Regulations (PECR) set forth a series of requirements encompassing various aspects of electronic communications, including marketing, web cookies, consent, and information security standards for service and network providers.
Regarding marketing communications, PECR prohibits unsolicited marketing via various electronic channels such as phone, fax, email, and text messages. Different rules apply depending on whether the marketing targets individuals or companies, with stricter regulations typically applied to individual marketing. Obtaining specific consent is often necessary for sending unsolicited direct marketing, commonly achieved through opt-in mechanisms.
In the realm of web cookies, PECR mandates organizations to disclose which cookies will be set to their intended functions and obtain consent before storing cookies on users’ devices. Similar requirements extend to other technologies deemed as ‘similar’ to cookies, necessitating clear information and user consent.
Service providers are obligated to maintain the security of their services, tailored to the nature of the risks involved, available technology, and cost considerations. This includes restricting access to personal data, safeguarding its storage and transmission, and implementing security policies for data processing.
In case of a personal data breach, PECR mandates service providers to report the breach to the Information Commissioner’s Office (ICO) within 24 hours of becoming aware of the incident. Affected individuals must also be promptly notified if the breach is likely to adversely affect their privacy or personal data. Notifications should include essential details of the breach, its impact, and measures taken to address and mitigate the risks.
How the ICO Holds Organizations Accountable
The Information Commissioner’s Office (ICO) serves both as a promoter of compliance best practices and as an enforcer of regulations, equipped with a range of enforcement powers to address non-compliance by organizations. These powers extend from conducting compulsory audits to initiating criminal proceedings. Service providers may be subject to audit requests from the ICO based on perceived risk levels. While participation in these audits is voluntary, failure to respond could result in the imposition of a compulsory audit. Audits comprise a blend of off-site assessments and on-site inspections to evaluate whether service providers have implemented appropriate technical and organizational measures to ensure the security of the electronic communications services they offer. The outcomes of PECR audits are made publicly available, detailing observations and recommendations for enhancement. On-compliant organizations face a maximum fine of £500,000. These fines are not limited to organizations alone but may also extend to directors. Additionally, sanctions under GDPR and PECR are not mutually exclusive, allowing for simultaneous fines for the most severe violations.
Conclusion
Working in tandem with the General Data Protection Regulation (GDPR), PECR addresses key aspects of electronic communications, including marketing, web cookies, consent, and information security standards. While PECR regulations are distinct, they complement GDPR requirements, aiming to protect individuals’ privacy rights in the digital realm.
The enforcement of PECR by the Information Commissioner’s Office (ICO) underscores the importance of compliance with these regulations. Through a combination of guidance, audits, and enforcement actions, the ICO holds organizations accountable for adhering to PECR standards, promoting transparency, and enhancing data security practices.
As technology continues to evolve, PECR remains adaptable, with updates reflecting changing digital landscapes and emerging privacy challenges. While the development of the e-privacy Regulation (ePR) signals potential future changes, GDPR and PECR will continue to coexist, providing a robust framework for privacy protection in electronic communications for the foreseeable future.
