The ePrivacy Regulation on Privacy and Electronic Communications (also known as the PECR) will become the new law on electronic communications in the EU. Together with the GDPR it will form the two pillars of data protection law in the EU. The European Commission intends for the ePrivacy Regulation or PECR, which is currently in draft form, to significantly change how electronic communications are regulated in the EU when it becomes law. It will replace the directive that had previously been in place, and become law across all the EU’s member states. This raises important questions for anyone involved in the electronic communications space in the EU. Who does this regulation apply to? How does it apply? What will the consequences be for non-compliance?
Who does the ePrivacy Regulation (PECR) apply to?
The PECR applies to all controllers and processors who process electronic communications data to provide electronic communications services to end-users in the EU. It doesn’t make a difference whether the controllers and processors are processing the data in the EU or outside it.
Electronic communications services providers that the Regulation applies to include the following persons:
- providers of messaging services like Whatsapp, Facebook and Skype;
- website owners;
- app owners whose applications have electronic communication as a component;
- natural and legal persons sending commercial direct marketing communications;
- political parties sending messages electronically to promote their parties;
- telecommunications companies; and
- internet access services providers, like persons providing WiFi connections.
The PECR applies to both natural and legal persons. Legal persons have largely the same rights as natural persons, including the right to lay a complaint with a supervisory authority about the use of their data. The PECR also provides that consent, as defined in the General Data Protection Regulation (GDPR), includes consent that legal persons may give for the processing of their data.
What data does the PECR apply to?
The PECR widens the net of electronic communications data that it applies to. It even covers future means of electronic communication, including calls, internet access, instant messaging applications, email, internet phone calls and personal messaging provided through social media.
Does the PECR require consent for all processing?
Consent plays a major role but is not required in all instances. For example, where the processing is for a legitimate purpose of properly providing a service that the consumer genuinely asked for. Another purpose for which the PECR doesn’t require the end user’s consent is the storing of cookies that keep track of the end user’s inputs when filling in online forms over several pages during a session on a website. Consent is also not a requirement where the cookies only measure web traffic to a website and don’t store any personal information.
Generally, end-users must be able to withdraw their consent with relative ease at any time.
For this purpose, unsolicited marketing communications must be clearly recognisable, and contain the proper identities and return addresses or numbers of the senders. An example of an end-user finding it easy to withdraw their consent is when the end-user gives consent to cookies, and the website uses the settings of the browser or other application to help with the withdrawal of the consent.
Direct marketers who market for commercial purposes must also obtain the consent of end-users before sending communications.
When will you have to comply?
Legislators have said that their intention is for the PECR to commence on 25 May 2018 – the same date that the GDPR implementation date because the two laws are closely connected to one another. But the PECR was not implemented on 25 May 2018.
Since the PECR will be a regulation and not a directive, it will be in force in member states without those states spending time passing any additional laws. This means that there will most likely not be any additional time within which to comply after it’s implementation date. Failing to comply after the commencement date will bring about a variety of adverse consequences, including administrative fines, a claim for patrimonial and non-patrimonial damages by an end-user, and an enforcement order by a supervisory authority. For more on this discussion, read the full text of the Regulation.
Actions you can take
- Comply with data protection law by joining a Data Protection Compliance Programme.
- Find out if the Regulation applies to you by asking us to guide you.
- Know the impact of the Regulation on your processing by asking us all your questions.
- Empower yourself with practical knowledge and its potential impact on your organisation by attending one of our GDPR workshops.
- Understand when and how to legally obtain the consent of your end-users by asking us to guide you.
- Learn more about direct marketing by asking us all your questions on advertising law.
- Know more about the impact of the Protection of Personal Information Act (POPI) on your marketing by attending a POPI Act workshop.
- Be alerted to any new developments by subscribing to our newsletter.