Legislation Update: Privacy and Electronic Communications Regulations 2018
2018 was undoubtedly a landmark year for data protection, with the General Data Protection Regulation (GDPR) fundamentally altering how businesses across every sector handle and process personal data. Likewise, data protection entered the popular mainstream, with public awareness at an all-time high as a result of countless emails from companies about ‘opting in’ and media coverage of high-profile stories such as the Facebook/Cambridge Analytica scandal and Morrison’s supermarket being held vicariously liable for a rogue employee deliberately leaking employee data (to name just two).
With so much data protection news, you could be forgiven if you missed the Privacy and Communications (Amendment) Regulation 2018, which came into force on 17 December 2018, amending the Privacy and Communications (EC Directive) Regulations 2003 (PECR), which implements the EU “ePrivacy Directive” into UK law.
What is PECR?
In short, PECR sits alongside GDPR covering personal data in the context of electronic communications, including:
• Marketing by electronic means (including calls, texts, emails and faxes);
• Security of public electronic communications services; and
• Privacy of customers using communications networks or services.
Under PECR, unsolicited direct marketing (i.e. marketing that an individual has not consented to receiving) is prohibited. Where consent has been received, a marketer will need to meet the high GDPR threshold of consent having been “freely given, specific, informed and unambiguous”, and evidenced by clear affirmative action such as an opt-in mechanism.
Alternatively, where consent is not being relied upon, in certain circumstances, marketers may be able to rely on legitimate interests as a lawful basis to carry out marketing activities (although a discussion on this topic is outside the scope of this blog).
It is important to note, however, that PECR is not a new piece of legislation and has been regularly amended (seven times in total!), with amendments including a ban on cold calling in relation to pensions, a requirement for caller ID to be displayed when making marketing calls and an obligation on website owners to obtain user consent to enable cookies.
Does PECR apply to you?
PECR will apply, and must be complied with, if you or your business carries out marketing activities that fall into any of the categories listed in the bullet points above.
While there may be some overlap between PECR and GDPR, particularly in relation to the definition of consent, PECR will apply even if the person being contacted cannot be identified.
What does the Amendment mean for you and your business?
Previously, the Information Commissioner’s Office (ICO) was only able to impose fines of up to £500,000 on companies that breached PECR. However, such fines were seen as largely ineffective, as companies were able to avoid paying the fine by dissolving and re-incorporating under a new name (a practice known as “phoenixing”).
As a result of the Amendment, the ICO can now impose fines of up to £500,000 against a company and its Officers (that is, a director, manager, secretary or any person acting in such capacity) for any action or inaction which results in a breach of PECR.