The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) are a UK law which sits alongside the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) to enforce strict rules relating to privacy rights and electronic communications.
Any organisation that sends electronic marketing communications via phone, fax, email or text, uses web cookies, or provides communications services to the public falls under the PECR’s scope, and must be aware of its information security requirements.
What are PECR?
The Privacy and Electronic Communications (EC Directive) Regulations 2003, or PECR, are designed to strengthen the privacy and security of electronic communications across the UK.
Introduced in response to the EU e-privacy Directive (Directive 2002/58/EC), the PECR have been updated several times, most recently in June 2019. All organisations are subject to PECR restrictions on marketing communications, web cookies and location data. The PECR also introduce additional obligations for service and network providers to maintain robust cyber security and prevent breaches.
PECR and GDPR
The EU’s e-privacy Directive was devised before the enactment of the General Data Protection Regulation (GDPR), but despite the overlap, the PECR and GDPR apply in tandem.
While the GDPR does not replace the PECR, it does update the underlying standards for obtaining, recording and managing consent. Many of the controls that organisations need to implement to adhere to the requirements of the GDPR will also help to achieve PECR compliance. However, there are important differences to be aware of.
The main distinction is that the PECR apply even where the individuals being contacted cannot be personally identified. To avoid duplication, sections of the GDPR do not apply to network or service providers who already have additional obligations under the PECR.
The EU is currently in the process of developing a new e-privacy Regulation, the ePR, which will eventually replace the PECR. However, with negotiations still continuing, it is yet to be agreed and will not come into force until 2022 at the earliest. This means that for the foreseeable future, GDPR and PECR rules will continue to apply alongside each other.
The requirements of PECR
PECR requirements include new rules on marketing communications, web cookies, updated thresholds for consent and new information security standards for service and network providers.
Marketing, cookies and consent
The PECR outlaw unsolicited marketing communications by phone, fax, email, text and other electronic means.
There are different rules for different kinds of communication. In general, these rules are stricter for marketing to individuals than for marketing to companies.
Organisations will often require specific consent to send unsolicited direct marketing. The best way to obtain valid consent is to ask customers to tick opt-in boxes confirming they are happy to receive marketing calls, texts or emails.
Organisations that use web cookies must:
- State which cookies will be set
- Explain what the cookies will do
- Obtain consent to store cookies on devices
The PECR also apply to what are deemed ‘similar technologies’, such as fingerprinting techniques. This means that unless an exemption applies, any use of such technologies requires clear and comprehensive information, as well as the consent of the user or subscriber.
Communications networks and services
Service providers must take appropriate measures to safeguard the security of their service. The definition of ‘appropriate’ depends on the nature of the risk, the available technology and the cost.
Service providers must also inform their customers about any significant security risks.
At the very least, measures must:
- Ensure that personal data can be accessed only by authorised personnel for legally authorised purposes
- Protect personal data which is stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure
- Ensure the implementation of a security policy for the processing of personal data
For service providers, PECR breach reporting requirements override the equivalent rules set by the GDPR and the Data Protection Act 2018. The PECR define a personal data breach as:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service”.
Service providers in the UK are required to notify the Information Commissioner’s Office (ICO) within 24 hours of becoming aware of the essential facts of a personal data breach. If the breach is likely to adversely affect the privacy or personal data of individuals, those individuals must also be notified ‘without unnecessary delay’.
Notifications must include the dates and times of compromise and detection, alongside basic details on the nature and scope of the breach and the personal data affected. Any affected individuals must also be notified of the likely impact and the measures being taken to address and mitigate the risks.
How the ICO enforces PECR
The ICO offers advice and guidance to promote compliance best practice, but it also has a range of enforcement powers to take action against organisations that fail to comply with the rules. These range from compulsory audits to criminal proceedings.
Service providers may receive audit requests at the ICO’s discretion, based on their perceived level of risk. Participation is voluntary, but organisations that fail to respond could be subjected to a compulsory audit.
Audits themselves involve a combination of off-site checks and on-site reviews to identify whether service providers have taken appropriate technical and organisational measures to safeguard the security of the public electronic communications service they provide. The results of PECR audits are published online and include observations and recommendations for improvement.
The maximum fine a non-compliant organisation can receive is £500,000. Fines can be issued not just against organisations but also against directors, and sanctions under the different regimes are not mutually exclusive, meaning the most serious offences can result in both GDPR and PECR fines.
How Redscan can help
Redscan is an award-winning provider of security services, helping organisations to better understand and minimise their cyber security risk in line with PECR, GDPR and other compliance requirements.
Our range of offensive security services, including penetration testing and red team operations, is designed to help organisations improve their security posture by identifying and addressing vulnerabilities before they can be exploited maliciously.
ThreatDetect™, our Managed Detection and Response service, combines world-class SOC expertise, the latest detection technologies and aggregated threat intelligence to help organisations hunt for, detect and promptly report breaches.