PECR. They are still around!
When discussing the Privacy and Electronic Communications Regulations (2003) (as amended numerous times) the Outsourced DPO usually finds one of several reactions:
- What? Never heard of ‘em.
- No! That can’t possibly be right – it’s bonkers!
- But I thought they were replaced by the GDPR.
- I’ve never really understood them as they are so complicated.
Having recently delivered a PECR Master Class, the Outsourced DPO thought that the PECR deserved unpacking and unpicking over the next few weeks. Don’t forget to contact us at Data Protection People if you have any questions about anything related to data protection and information security including the PECR.
It’s worth looking at the background to the PECR because it is true that it does a lot of things.
Those old enough to remember the late ‘90s and early noughties will remember the meteoric growth of platforms such as Friends Reunited which grew from a standing start in June 2000, to having 3,000 members by the end of the year and 2.5 million members 12 months later. Heady days indeed when the most popular mobile phone was the Nokia 3310.
Legislators were concerned about the increasing capacity for automated storage and processing of data relating to subscribers and users brought about by new advanced digital technologies being introduced in public communications networks in the European Community, giving rise to specific requirements concerning the protection of personal data and privacy of the user. Access to digital mobile networks was becoming available and affordable for a large public and it was recognised that these digital networks had large capacities and possibilities for processing personal data. Recitals 5, 6 and 7 of the Directive sum up the mood of the time.
As a result of this landscape, Directive 2002/58/EC (the e-Privacy Directive) was enacted in July 2002, providing legislation concerning the processing of personal data and the protection of privacy in the electronic communications sector. The e-Privacy Directive recognised that the Internet was overturning traditional market structures by providing a common, global infrastructure for the delivery of a wide range of electronic communications services, opening up new possibilities for users but also new risks for their personal data and privacy.
It sought to ensure respect for fundamental rights and to observe the principles recognised in particular by the Charter of Fundamental Rights of the European Union (Recital 2). It aimed to harmonise the various provisions of Member States to ensure an adequate level of protection of fundamental rights and freedoms (and in particular the right to privacy) regarding the processing of personal data in the electronic communications sector, and to enable the free movement of such data and of electronic communication services and equipment in the European Community.
It was designed to go into more detail about the electronic communications services/sector and complement Directive 95/46/EC [the Data Protection Directive]. It also aimed to provide for protection of the legitimate interests of subscribers who are legal persons (Article 1).
Because of its broad scope, the Directive covers a great deal of ground, including security and confidentiality of communications, the use of calling line identification (CLI), and the publication of telephone directories, as well as regulating the use of location data and traffic data. It also provides a regulatory framework for the use of electronic communications services/systems for sending unsolicited communications, which represents 99% of the Outsourced DPO’s work with PECR.
Unlike European Regulations, which take direct effect on Member States with no enabling domestic legislation, European Directives must be implemented into domestic legislation in each of the Member States of the EU. The e-Privacy Directive was transposed into British law in the form of the Privacy and Electronic Communications Regulations (2003), which came into force on 11th December 2003.
The bit of the PECR that the Outsourced DPO is most interested in is that regarding the use of the internet and electronic communications systems for direct marketing, which is covered in Article 13 of the e-Privacy Directive.
Article 13 begins by prohibiting the use of automated calling systems such as auto diallers: computers that plough through a database and place calls to each number in turn. When a connection is made (i.e. someone picks up the phone), the auto dialler looks for an available agent. If it can’t find one, it drops the call, leading to a “silent call”; otherwise it connects the call to an available telephone agent. The Directive quaintly describes automated calling systems as “telephone systems that place calls without human intervention”. The prohibition is extended to facsimile machines (fax) and electronic mail.
Electronic mail is defined as any text, voice, sound or image message sent over a public communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient. This includes a wide range of use cases, including e-mail, SMS, MMS, and messaging through social media channels.
Article 13 clearly states that the use of these tools and technologies is prohibited for the purposes of direct marketing without the prior consent of the subscriber.
Subscribers and users
The term “Subscriber” is not defined in the Directive, but its scope is outlined in Recitals 12 and 13, which provide that a subscriber may be a natural or a legal person (i.e. a human or an organisational entity) with a contractual relationship with service providers. A subscriber is therefore the person with the phone contract, the Twitter or Facebook account or the LinkedIn subscription.
The e-Privacy Directive not only refers to subscribers, but also to users – a term it does define in Article 2 as, “any natural person using a publicly available electronic communications service, for private or business purposes, without necessarily having subscribed to this service”.
The PECR therefore recognises that users may, for example, use a business email address or phone number without necessarily being the subscriber with a relationship with the service provider, and that they are entitled to the upholding of their fundamental rights and freedoms.
As data protection professionals, the emphasis in the Directive we need to be mindful of is that of protecting people’s right to privacy in the face of the rapidly rising capabilities and falling costs of electronic communications systems and services and the seemingly insatiable desire of an eager public to use them. We need to be mindful of the words of Article 2 – the Directive is meant to complement the Data Protection Directive but also to go above and beyond it: to “particularise” data protection with regard to the electronic communications sector and electronic communications services.
Next week the Outsourced DPO will begin to examine the regulations around unsolicited communications for direct marketing purposes and how they have evolved into the current interpretation and implementation of the law.