Alongside data protection law runs a set of rules relating to electronic communications – the Privacy and Electronic Communications Regulations (EC Directive) 2003, or PECR. Data protection law reform has been centre stage recently, with the General Data Protection Regulation coming into effect in May 2018. But plans to reform EU legislation underlying PECR have not been widely discussed. EU law-makers intend to introduce the changes along with the GDPR next May. The details of the changes are not hammered down yet. This presents a problem for any organisation that uses technology to communicate with the public. In this blog, we take a look at the existing rules, and the likely changes that will (or may) come in next year.
What do the current rules say?
The existing rules give individuals specific privacy rights relating to electronic communications. The scope of electronic communications is explained in guidance made available by the Information Commissioner's Office, and includes phone calls, faxes, text messages, video messages, emails and internet messaging. The rules deal with cookie notices, cybersecurity, customer privacy and, importantly, consent to receiving messages or calls. Briefly:
- Unsolicited messages require an opt-in from the customer.
- Previous dealings with a customer can replace the need for opt-in consent in relation to similar products and services, if a suitable unsubscribe mechanism is offered.
- Unsolicited live phone calls are not permitted where someone has registered with the Telephone Preference Service or told you they don't want your calls.
- Unsolicited automated calls are only allowed with specific consent.
The planned rule changes in the new ePrivacy Regulation are substantial. As currently drafted the Regulation would:
- Remove separate security obligations, which will be covered under the GDPR, but introduce customer notification of specific security risks.
- In terms of cookies and other online tracking devices, shift focus from website cookie banners to users' browser settings, and seek to address issues around ad-blocking and Wi-Fi location tracking.
- Tighten the rules on marketing, with the default position being that all marketing to individuals by phone, text or email must be opt-in.
- Incorporate the GDPR's two-tier system of fines of up to €20 million, or 4% of worldwide turnover if greater, for breaches of some parts of the Regulation.
- Apply to services providing so-called "over-the-top" communication channels over the internet, such as Skype, Messenger or WhatsApp. It will also apply to businesses providing customer Wi-Fi access and to machine-to-machine interactions (IoT), as well as to the traditional telecoms and internet providers.
- Apply to organisations based anywhere in the world if they provide services to people in the EU.
The UK government has confirmed its intention to implement the changes.
Plans to settle and implement the new rules by May 2018 seem ambitious. Only partway through the legislative process, they have already generated debate and conflicting views. Consumer organisation BEUC, for example, considers the draft to be too limited and has called for much stronger protection in areas like default privacy settings and location tracking.
And once finalised, businesses are likely to be left little time to implement the new regime. Potentially affected organisations will need to monitor progress and be ready to work towards compliance once a final position is agreed, probably at the end of 2017 or early in 2018.