Sometimes it’s difficult for lawmakers to keep up with the pace of technological change. This can result in uncertainty for businesses and consumers. For our clients this is perhaps nowhere more keenly felt than in the area of electronic communications and data governance, now integral to the running of most types of business.
In an EU context, disagreement among Member States has led to repeated failures to reform the outdated e-Privacy Directive (EPD). Here we look at the rules on electronic communications that are in place (the current Privacy and Electronic Communications Regulations (PECR)), examine some of the difficulties businesses face when it comes to compliance and consider what regulatory changes may be coming down the track.
- What’s the difference between GDPR and PECR?
- Does Brexit change the rules on electronic communications?
- What is the scope of Privacy and Electronic Communications Regulations?
- Why does PECR matter to your business?
- Will the changes to PECR affect how you do business?
- What challenges do businesses face when complying with PECR?
- What other changes to communications, data and privacy regulations are in the pipeline?
What’s the difference between GDPR and PECR?
While the GDPR is a general law covering the collection and processing of personal data, the PECR is designed to protect the privacy and security of personal data of users and recipients of electronic communications.
Remember, GDPR applies only to personal data. PECR on the other hand must be complied with even if you are not processing personal data. The two regulations complement one another and ensure that when a business engages in electronic communications it must guarantee certain privacy and security rights of individuals and companies. If you use electronic marketing or employ cookies or similar technology you need to comply with both GDPR and PECR, particularly in relation to obtaining the consent of individuals when required.
Because the PECR and GDPR exist alongside one another, there is some overlap, and if you comply with the PECR, this will help you comply with GDPR. What’s more, if you are a network or service provider and there are specific PECR rules that apply, you will only be required to comply with PECR and not GDPR, for example in relation to security and breaches, traffic and location data, itemised billing and line identification services.
Does Brexit change the rules on electronic communications?
The PECR rules – while originating from Brussels – have been introduced into UK law so they’ll still apply after Brexit. However, the reforms to PECR currently under discussion by EU Member States won’t apply in the UK as they will come into force after the UK leaves the EU. The extent to which the UK government aligns itself with these updated rules remains to be seen. But if your business could be affected, we recommend you familiarise yourself with the latest changes.
What is the scope of Privacy and Electronic Communications Regulations?
PECR introduced the E-Privacy Directive (EPD) into UK law. It aims to protect specific privacy rights of individuals and businesses in receipt of electronic communications.
The regulations strengthen the EU’s Digital Market Strategy, intended to boost technology-based businesses, protect consumers and upgrade the communications infrastructure across the region.
The rules cover several areas that are relevant to businesses, including:
- Marketing carried out using electronic means
- The security and privacy of users of communications networks and services
In recognition of the fact that the internet and digital mobile networks expose consumers to greater privacy risks, PECR requires that organisations such as internet service providers, mobile phone carriers and telephone companies take:
‘appropriate technical and organisational measures to safeguard security of [their] services’ and ‘ensure that communications are confidential by prohibiting “listening, tapping, storage…. without the consent of the users concerned”’.
PECR, like the GDPR, requires that the collection and processing of personal data be minimised. For example, it:
- Restricts use of data relating to traffic and routing of calls and bans listening and surveillance.
- Requires organisations to ask users for their consent to collect and process web cookies that monitor or target consumers for marketing or advertising purposes.
Why does PECR matter to your business?
Electronic communications are fundamental to the way most of us now do business. If you use email, web chat or text to engage with customers or other businesses you need to be familiar with PECR and how it applies to your business. While new rules continue to be debated at an EU level, we are confident that more recently developed forms of electronic communication are likely to be covered by any changes to the regulations. These include, for example, instant messaging applications, Voice over IP (VoIP), web chat, web-based email services, internet phone calls and personal messaging using social media such as WhatsApp and Facebook Messenger (collectively these are known as ‘over-the-top’ services or OTTS).
Will the changes to PECR affect how you do business?
While the PECR is principally intended to target public communications networks and services, your business is nevertheless caught by the rules if you:
- Market to customers using phone, email, SMS or OTTS channels
- Compile a directory of customers
The obligations on businesses using OTTS services include the following:
- A prohibition on listening into, capturing, storing, or intercepting any communications carried by OTTS channels without the consent of the user. This would cover technologies such as email scanning for the purpose of targeting or personalising advertisements or marketing features without prior consent.
- A ban on using traffic data (timing of messages or calls), details of the participants or location information except for billing purposes. In addition, use of the data for marketing or advertising is permissible only if specific, informed consent has been given.
If your business uses OTTS, and a provision of the PECR applies, then the rules for processing information contained in or relating to those communications will apply, including any exemptions. In all other cases where you are processing personal data (for example, in relation to the rights of data subjects), the GDPR will apply.
There is a carve-out in the legislation for ancillary services, such as messaging services in dating apps and computer games, although these must be minor and purely an ancillary feature to the main purpose of the service, and this carve-out must not be used to get around the privacy requirements of the new rules that apply to OTTS.
If you routinely use OTTS to communicate with customers, as with the GDPR, you will need to consider whether any processing you carry out of the content and data that results from this is permitted, or whether you will need to get consent.
If you do need to get consent, then you should consult the GDPR for guidelines on the nature and degree of consent required, for example giving detailed information to the customer as to what they are consenting to, and the methods of ensuring consent is specifically given.
What challenges do businesses face when complying with PECR?
EU delays in agreeing an updated version of the EPD (and consequential changes to the PECR regime) mean that our clients sometimes face an uphill struggle to ensure compliance with the rules. For example, because PECR is relatively out of date, it can be difficult to know how it applies to rapidly developing technologies such as artificial intelligence. In addition, the different weight placed on particular areas of data security by GDPR and PECR means the rules at times appear inconsistent and difficult for businesses to interpret.
What other changes to communications, data and privacy regulations are in the pipeline?
The current proposals making their way through the EU’s legislative process include extending existing rules that apply to traditional telecoms providers to providers of OTTS. These include:
- Applying e-privacy rules consistently across the EU to individuals and businesses.
- Applying privacy rules to the content of communications as well as to metadata such as timing of calls and location.
- Simpler rules on cookies, whereby browser settings can be set to automatically block or accept cookies and similar technologies. The rules will also clarify that no consent is required for certain activities such as remembering the contents of shopping carts.
- The banning of unsolicited communications by email, SMS and OTTS (spam), either by default or via an opt-in service. The makers of such calls will have to use a special identifier so that customers realise that the call is a sales call.
- Local data protection authorities will be charged with enforcement of the new rules.
Like the GDPR, the new EPD will apply to international companies, as well as EU-based firms, with similar penalties as those currently imposed by the GDPR (4% of global revenue in some cases).