The Regulation on Privacy and Electronic Communications (also known as the PECR, ePrivacy Regulation or ePR) will become the new law on electronic communications in the EU. Together with the GDPR, it will form the two pillars of data protection law in the EU. The European Commission intends for the ePrivacy Regulation, which is currently in draft form, to significantly change how electronic communications are regulated in the EU when it becomes law. It will replace Directive 2002/58/EC on Privacy and Electronic Communications (also known as the ePrivacy Directive or ePD) that had previously been in place, and become law across all the EU’s member states. This raises important questions for anyone involved in the electronic communications space in the EU and the rest of the world. In this article, we are not talking about the Privacy and Electronic Communications (EC Directive) Regulations 2003 in the United Kingdom. Those are something different. The United Kingdom enacted those regulations to comply with the ePrivacy Directive.
- Who does this regulation apply to?
- How does it apply?
- What will the consequences be for non-compliance?
Who does the ePrivacy Regulation (PECR or ePR) apply to?
The PECR applies to all controllers and processors who process electronic communications data to provide electronic communications services to end-users in the EU. It doesn’t make a difference whether the controllers and processors are processing the data in the EU or outside it.
Electronic communications services providers that the Regulation applies to include the following persons:
- providers of messaging services like WhatsApp, Facebook and Skype;
- website owners;
- app owners whose applications have electronic communication as a component;
- natural and legal persons sending commercial direct marketing communications;
- political parties sending messages electronically to promote their parties;
- telecommunications companies; and
- internet access services providers, like persons providing WiFi connections.
The PECR applies to both natural and legal persons. Legal persons have largely the same rights as natural persons, including the right to lay a complaint with a supervisory authority about the use of their data. The PECR also provides that consent, as defined in the General Data Protection Regulation (GDPR), includes consent that legal persons may give for the processing of their data.
What data does the PECR apply to?
The PECR widens the net of electronic communications data that it applies to. It even covers future means of electronic communication, including calls, internet access, instant messaging applications, email, internet phone calls and personal messaging provided through social media.
What is the status of the ePrivacy Regulation?
When will you have to comply? What is the ePrivacy Regulation deadline? It will probably be a date in 2021. Legislators had said that their intention was for the PECR to commence on 25 May 2018, the same date as the GDPR implementation date, because the two laws are closely connected to one another. But the PECR was not implemented on 25 May 2018. You can read the latest developments on the ePrivacy Regulation by looking on the EUR-Lex website.
Since the PECR will be a regulation and not a directive, it will be in force in member states without those states spending time passing any additional laws. There will most likely be a grace period of 24 months within which to comply after its enactment. Failing to comply after the grace period will bring about a variety of adverse consequences, including administrative fines, a claim for patrimonial and non-patrimonial damages by an end-user, and an enforcement order by a supervisory authority.
Actions you can take
- Increase your awareness by reading the full text of the draft Regulation and accessing a fact sheet or infographic on it.
- Know the latest developments on the ePrivacy Regulation by looking on the EUR-Lex website.
- Comply with data protection law by joining a programme.
- Find out if the ePrivacy Regulation applies to you by asking us to guide you.
- Know the impact of the Regulation on your processing by asking us your questions.
- Understand when and how to legally obtain the consent of your end-users by asking us to guide you.
- Learn more about direct marketing by asking us all your questions on advertising law.
- Be alerted to any new developments by subscribing to our newsletter.
Does the PECR require consent for all processing?
Consent plays a major role but is not required in all instances. For example, it is not required where the processing is for the legitimate purpose of properly providing a service that the consumer genuinely asked for. Another purpose for which the PECR doesn’t require the end user’s consent is the storing of cookies that keep track of the end user’s inputs when filling in online forms over several pages during a session on a website. Consent is also not a requirement where the cookies only measure web traffic to a website and don’t store any personal information.
Generally, end-users must be able to withdraw their consent with relative ease at any time.
For this purpose, unsolicited marketing communications must be clearly recognisable, and contain the proper identities and return addresses or numbers of the senders. An example of an end-user finding it easy to withdraw their consent is when the end-user gives consent to cookies, and the website uses the settings of the browser or other application to help with the withdrawal of the consent.
Direct marketers who market for commercial purposes must also obtain the consent of end-users before sending communications.