The UK government has issued the Privacy and Electronic Communications Regulations (Amendment) 2018 (ePrivacy Regs), which come into force on 17 December 2018.
The ePrivacy Regs amend the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and modify the application of the Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 and the Data Protection (Monetary Penalties) Order 2010. The amendments are intended to ensure that the regime covering breaches is “effective, proportionate and dissuasive” in accordance with the criteria outlined in the PECR.
Background on PECR
Compliance in marketing and advertising
The PECR prohibits companies from transmitting, or instigating the transmission of, unsolicited electronic communications to consumers for the purposes of direct marketing, unless the individual has given prior consent to receive such communications or the sender can demonstrate an existing commercial relationship with the recipient. Companies interested in strengthening compliance in this area may also find the newly revised UK Code of Non-Broadcast Advertising and Direct Marketing instructive. The Committee of Advertising Practice (CAP) and the Advertising Standards Authority announced the release of the revised CAP Code on 6 November 2018. This document includes guidance on the use of data for marketing purposes and on online behavioural advertising.
Impact of revisions to the ePrivacy Regs
The ePrivacy Regs broaden the scope of monetary penalties that can be imposed by the Information Commissioner. The Information Commissioner will also now have the power to fine an “officer” of a body in addition to the body corporate (or Scottish partnership) itself where there has been a serious breach of regulations 19–24 (automated calling and unsolicited direct marketing) of the 2003 Regulations and where the breach is caused by the action or inaction of that officer.
Directors should therefore take particular note of the new ePrivacy Regs, as the Regs expose them personally to fines of up to £500,000. This liability will arise where a director has consented to or connived in the breach, or where the breach is attributable to the director's neglect.
While the GDPR has arrived in a wave of heightened public awareness, it is critical to recall that a framework of other regulations works in conjunction with it. Noncompliance with these other privacy-related laws can lead to monetary and reputational damage as well. Compliance programs and training should include efforts to educate employees – particularly those involved in marketing and in the IT initiatives that support marketing activity.