Information Commissioner's Office
ePrivacy reform: Privacy and electronic communications regulations (PECR) under review
Blog posted by: Jo Pedder, Interim Head of Policy and Engagement, 06 April 2017.
While preparations for the GDPR dominate the headlines, it’s not the only change for the digital economy. As technology evolves at a phenomenal rate, the laws that govern internet-based services are moving at an equally rapid pace.
The next piece of legislation in line for an overhaul is the European directive that forms the basis of the Privacy and Electronic Communications Regulations (PECR).
PECR currently set out the rules on electronic communications, including nuisance calls and messages, cookies and the provision of internet or telecoms services.
Earlier this year, the European Commission published its proposal for the new updated ePrivacy Regulation (ePR), to better protect people’s privacy in the digital age.
What is the proposal?
This proposal is just the beginning of the process, and the details are likely to change as we move forward. It will be a tough deadline for EU lawmakers to meet – the ePR is due to come into effect in May 2018 alongside the GDPR. With only 14 months to go, the next step is for the European Parliament and the European Council to each review the draft and form their own view on what it should say, before coming together around the end of this year to negotiate the final text.
As a regulation, it will apply directly within every EU member state. As with GDPR, the UK government has confirmed it would be implemented in the UK before we leave the EU.
The current draft proposal includes some headline changes:
- It removes separate security obligations, which will be covered under the GDPR, but introduces customer notification of specific security risks.
- In terms of cookies and other online tracking devices, the focus shifts from website cookie banners to users’ browser settings, and seeks to address issues around ad-blocking and Wi-Fi location tracking.
- It tightens the rules on marketing, with the default position being that all marketing to individuals by phone, text or email must be opt-in.
- It incorporates the GDPR’s two-tier system of fines of up to €20 million, or 4% of worldwide turnover, for breaches of some parts of the Regulation.
- It would apply to services providing so-called ‘over-the-top’ communication channels over the internet, such as Skype, Messenger or WhatsApp. It would also apply to businesses providing customer Wi-Fi access, as well as the traditional telecoms and internet providers.
- It would apply to organisations based anywhere in the world if they provide services to people in the EU.
What’s the ICO’s role?
The responsibility for enforcement will mirror the GDPR and therefore will fall to the ICO. We’ll be watching the negotiations closely to understand how they might affect the UK.
We have already provided our views to those drafting the proposal and we are currently working with the Article 29 Working Party, the group of European data protection authorities, to influence a collective opinion on how it could be improved.
Where appropriate we will provide input to try and achieve a good outcome for individuals and businesses alike. We are likely to have a role in providing expert advice to assist the UK government during this process.
Because there is currently no agreed timetable for finalising the new ePrivacy law within Europe, we can’t yet make fixed plans for guidance.
An initial guidance document from the ICO, highlighting the likely key issues, is planned for later in the year. We will consider how best to follow this up with more detail on what the key changes are likely to be as negotiations progress.
We’ll keep you updated through the data protection reform section of the ICO’s website. You can also follow us on Twitter, and sign up for our e-newsletter, which provides regular monthly updates on all of our work.