ICO issues additional guidance on Privacy and Electronic Communications Regulations (PECR)

By Privacy Counsel

What is PECR?

In February of this year, the Information Commissioner's Office (ICO), the UK's data protection regulator, published additional guidance on the Privacy and Electronic Communications Regulations (PECR), first enacted in 2003, covering how PECR applies in relation to the DPA.

How does PECR apply?

The e-Privacy Directive (Directive 2009/136/EC) is discussed frequently, while the UK's equivalent rules receive far less attention. Although the UK is no longer part of the EU, it has adopted a national privacy law based on the GDPR, the Data Protection Act (DPA). PECR applies specifically to UK residents, while the e-Privacy Directive operates alongside the GDPR and applies to EU residents. The table below sets out the similarities and distinctions between the two.

Differences from the e-Privacy Directive

Scope

  PECR: applies to the transmission of unsolicited electronic messages to individuals in the UK.

  ePD: applies to the processing of personal data and the security of the transmission of electronic communications within the EU.

Application

  PECR specifically covers the following areas:

  • Marketing communications: texts (SMS), calls, faxes, and emails, both B2B and B2C;

  • Website tracking technologies, such as cookies and beacons;

  • Communications related to data breaches;

  • Security requirements for ISPs, telephone, and network providers; and

  • Businesses that create, manage, or maintain email, telephone, or fax directories.

  ePD covers:

  • the security of services and networks;

  • the confidentiality of communications;

  • access to stored data;

  • processing of location and traffic data;

  • caller identification (caller ID);

  • public directories (name, telephone number, fax number, email);

  • unsolicited commercial communications ("spam"); and

  • notification of data breaches.

Exemptions

  PECR: exceptions cover law enforcement, national security, and compliance with other laws.

  ePD: exceptions are narrow and apply to compliance with law or a judicial order, and to processing carried out for journalistic purposes or for academic, artistic, or literary expression.

Differences

  PECR:

  • PECR allows for soft opt-in (implied consent). Companies can send texts and emails to existing customers.

  • Regulation 5A PECR requires communications service providers (CSPs) to notify the ICO within 24 hours* of becoming aware of a personal data breach.

  ePD (with the GDPR):

  • The GDPR requires active opt-in for marketing consent. Soft opt-in is not allowed. Customers must opt in to marketing emails.

  • Under Art. 33(1) GDPR, controllers have 72 hours to notify the Data Protection Authority of a data breach.

B2B Communications

  PECR: does not require consent for B2B marketing. The sender must identify the telephone number, fax number, or email address and the entity or business sending the message, and must give the recipient an option to opt out or unsubscribe from the messages.

  ePD: depends on the country. The Irish Data Protection Authority has said prior consent is not necessary for B2B communications. However, the French Data Protection Authority, CNIL, states that prior consent is required even in a B2B situation.

Fines

  PECR: the maximum fine for breaching PECR is £500,000.

  ePD (with the GDPR): fines are up to 4% of annual revenue per violation or 20 million euros.

How do businesses comply with PECR or the ePD?

Here are the main ways businesses can work toward compliance with PECR and the ePD:


1. Take inventory of the marketing data in the business process (what is collected and stored);

2. Determine the source of the personal data (the UK or the EU);

3. Classify the personal data (B2B or B2C);

4. Update your privacy notices and marketing consent language per the applicable law, and apply location detection to display the proper marketing consent notices;

5. Maintain records of processing around obtaining and updating users' consent; and

6. Maintain an incident management plan to respond to data breaches effectively and in a timely manner. (*The ICO will use discretion when enforcing the 24-hour notice period for data breaches, so long as it receives notice within 72 hours.)


The EU has proposed an e-Privacy Regulation (ePR) to replace the e-Privacy Directive (ePD), which would form part of the GDPR framework. The UK is no longer part of the EU, so any updates to the ePR will not become part of the UK Data Protection Act. Presently, PECR guides businesses on how to comply with UK privacy law and will be updated accordingly.

