Privacy and electronic communications
Latest updates - 19 June 2025
19 June 2025 - This page was published
- The PEC Regulations
- Interpretation of the PEC Regulations
- Duty to notify the Commissioner of personal data breach: time periods
- Storing information in the terminal equipment of a subscriber or user
- Emergency alerts: interpretation of time periods
- Use of electronic mail for direct marketing by charities
- Commissioner’s enforcement powers
- Codes of conduct
The PEC Regulations
This section explains that the DUAA amends the Privacy and Electronic Communications Regulations 2003 (PECR).
Interpretation of the PEC Regulations
This section amends the definition of a ‘call’ so that it includes attempts to make a connection via a telephone call, rather than just calls that are actually connected.
It amends the definition of a ‘communication’ to include information that has been transmitted, rather than just information that has been exchanged or conveyed. This means that texts and emails that have been sent but not necessarily received fall within the scope of the Regulations.
It amends the definition of a ‘recipient’ of a communication to include an intended recipient.
It inserts the definition of ‘direct marketing’ that is in the DPA 2018 into PECR. This is “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”.
And it clarifies that time periods should be defined in accordance with the Periods of Time Regulation.
Duty to notify the Commissioner of personal data breach: time periods
This section amends the time period within which communications providers need to inform the ICO of a personal data breach from without undue delay or within 24 hours, to “without undue delay and where feasible, not later than 72 hours after having become aware of it”.
If an organisation takes longer than 72 hours to advise the ICO about a personal data breach, it must provide the ICO with the reasons for the delay.
This aligns the timeline for notification of PECR security breaches with that of the UK GDPR.
Storing information in the terminal equipment of a subscriber or user
This section amends the rules on storing or accessing information on people’s devices or terminal equipment. These are sometimes known as the cookie rules.
It says that storage or access is prohibited unless an exception applies.
The exceptions are listed in schedule 12 (Storing information in the terminal equipment of a subscriber or user), which inserts a new schedule into PECR.
It also gives the Secretary of State some powers.
Emergency alerts: interpretation of time periods
This section inserts a minor amendment that clarifies, but doesn’t alter, the seven-day time limit within which a relevant public communications provider must:
- erase traffic data or location data that it has used to provide an emergency alert service; or
- modify it so that it no longer constitutes personal information.
Use of electronic mail for direct marketing by charities
This section adds a new soft opt-in rule for charities. This allows a charity to send electronic mail marketing, aimed at furthering its charitable purposes, to ‘individual subscribers’, so long as the charity:
- obtained the email address when the person offered support to, or expressed an interest in, the charity’s charitable purposes;
- gave the person the opportunity to opt out of the charity using their details when it first collected them; and
- gives the person the same opportunity each time it contacts them.
Commissioner’s enforcement powers
This section gives the Secretary of State a power to make regulations to vary the amounts payable under a fixed monetary penalty.
It brings the enforcement powers under PECR into line with UK GDPR, so that enforcement mechanisms and penalties are the same in most cases.
These powers are specified in schedule 13 (Privacy and electronic communications - Commissioner’s powers).
Codes of conduct
This section imposes a new duty on the ICO to encourage representative bodies to produce PECR codes of conduct for different sectors and to submit those codes to the ICO in draft.
It sets out what the ICO must do when considering and approving codes and accrediting monitoring bodies.
It sets some requirements for accrediting bodies.
It also provides that an organisation may use its adherence to an approved code of conduct as a means of demonstrating its compliance with PECR.