• International Workplace
  • 25 April 2017

ePrivacy reform: Privacy and electronic communications regulations (PECR) under review

While preparations for the GDPR dominate the headlines, it’s not the only change for the digital economy. As technology evolves at a phenomenal rate, the laws that govern internet-based services, such as eLearning, are moving at an equally rapid pace.

The next piece of legislation in line for an overhaul is the European directive that forms the basis of the Privacy and Electronic Communications Regulations (PECR). PECR currently set out the rules on electronic communications, including nuisance calls and messages, cookies and the provision of internet or telecoms services.

Earlier this year, the European Commission published its proposal for the new updated ePrivacy Regulation (ePR), to better protect people’s privacy in the digital age.

What is the proposal?

This proposal is just the beginning of the process, and the details are likely to change. It will be a tough deadline for EU lawmakers to meet – the ePR is due to come into effect in May 2018 alongside the GDPR. With only 14 months to go, the next step is for the European Parliament and the European Council to each review the draft and form their own view on what it should say, before coming together around the end of this year to negotiate the final text.

As a regulation, it will apply directly within every EU member state. As with GDPR, the UK government has confirmed it would be implemented in the UK before we leave the EU.

The current draft proposal includes some headline changes:

  • It removes separate security obligations, which will be covered under the GDPR, but introduces customer notification of specific security risks.
  • In terms of cookies and other online tracking devices, the focus shifts from website cookie banners to users’ browser settings, and seeks to address issues around ad-blocking and Wi-Fi location tracking.
  • It tightens the rules on marketing, with the default position being that all marketing to individuals by phone, text or email must be opt-in.
  • It incorporates the GDPR’s two-tier system of fines of up to €20m, or 4% of worldwide turnover, for breaches of some parts of the Regulation.
  • It would apply to services providing so-called ‘over-the-top’ communication channels over the internet, such as Skype, Messenger or WhatsApp. It would also apply to businesses providing customer Wi-Fi access, as well as the traditional telecoms and internet providers.
  • It would apply to organisations based anywhere in the world if they provide services to people in the EU.

What’s the ICO’s role?

The responsibility for enforcement will mirror the GDPR and therefore will fall to the ICO, which will be watching the negotiations closely to understand how they might affect the UK.

The ICO has already provided its views to those drafting the proposal and is currently working with the Article 29 Working Party, the group of European data protection authorities, to influence a collective opinion on how it could be improved.

Where appropriate it will provide input to try and achieve a good outcome for individuals and businesses alike. It is likely to have a role in providing expert advice to assist the UK government during this process. An initial guidance document from the ICO, highlighting the likely key issues, is planned for later in the year.


Reproduced from the Information Commissioner’s Office, licensed under the Open Government Licence.