Information Commissioner's Office
ePrivacy reform: Privacy and electronic communications regulations (PECR) under review
Blog posted by: Jo Pedder, Interim Head of Policy and Engagement, 06 April 2017.
While preparations for the GDPR dominate the headlines, it’s not the only change for the digital economy. As technology evolves at a phenomenal rate, the laws that govern internet-based services are moving at an equally rapid pace.
The next piece of legislation in line for an overhaul is the European directive that forms the basis of the Privacy and Electronic Communications Regulations (PECR).
PECR currently set out the rules on electronic communications, including nuisance calls and messages, cookies and the provision of internet or telecoms services.
Earlier this year, the European Commission published its proposal for the new updated ePrivacy Regulation (ePR), to better protect people’s privacy in the digital age.
What is the proposal?
This proposal is just the beginning of the process, and the details are likely to change as we move forward. It will be a tough deadline for EU lawmakers to meet – the ePR is due to come into effect in May 2018 alongside the GDPR. With only 14 months to go, the next step is for the European Parliament and the European Council to each review the draft and form their own view on what it should say, before coming together around the end of this year to negotiate the final text.
As a regulation, it will apply directly within every EU member state. As with GDPR, the UK government has confirmed it would be implemented in the UK before we leave the EU.
The current draft proposal includes some headline changes:
- It removes separate security obligations, which will be covered under the GDPR, but introduces customer notification of specific security risks.
- In terms of cookies and other online tracking devices, the focus shifts from website cookie banners to users’ browser settings, and seeks to address issues around ad-blocking and Wi-Fi location tracking.
- It tightens the rules on marketing, with the default position being that all marketing to individuals by phone, text or email must be opt-in.
- It incorporates the GDPR’s two-tier system of fines of up to €20 million, or 4% of worldwide turnover, for breaches of some parts of the Regulation.
- It would apply to services providing so-called ‘over-the-top’ communication channels over the internet, such as Skype, Messenger or WhatsApp. It would also apply to businesses providing customer Wi-Fi access, as well as the traditional telecoms and internet providers.
- It would apply to organisations based anywhere in the world if they provide services to people in the EU.
What’s the ICO’s role?
The responsibility for enforcement will mirror the GDPR and therefore will fall to the ICO. We’ll be watching the negotiations closely to understand how they might affect the UK.
We have already provided our views to those drafting the proposal and we are currently working with the Article 29 Working Party, the group of European data protection authorities, to influence a collective opinion on how it could be improved.
Where appropriate we will provide input to try and achieve a good outcome for individuals and businesses alike. We are likely to have a role in providing expert advice to assist the UK government during this process.
Because there is currently no agreed timetable for finalising the new ePrivacy law within Europe, we can’t yet make fixed plans for guidance.
An initial guidance document from the ICO, highlighting the likely key issues, is planned for later in the year. We will consider how best to follow this up with more detail on what the key changes are likely to be as negotiations progress.
We’ll keep you updated through the data protection reform section of the ICO’s website. You can also follow us on Twitter, and sign up for our e-newsletter, which provides regular monthly updates on all of our work.