The Privacy and Electronic Communications (EC Directive)(Amendment) Regulations 2011 (the e-Privacy Regulations 2011) came into force on 26 May, implementing amendments to the e Privacy Directive (2002/58/EC) that were introduced by the Citizens Rights Directive (2009/136/EC).
They introduce important changes to the law governing privacy in electronic communications, including, among other changes, new data security requirements for telcos and Internet service providers (ISPs) and powers for the Information Commissioner’s Office (ICO) to audit compliance with these requirements; mandatory personal data breach notification rules for telcos and ISPs; new requirements for consent when storing or accessing information—including cookies—on the terminal equipment of end users; new rules on direct marketing e-mails that prohibit the sending of e-mails that contravene certain e-commerce law information disclosure requirements, and new ICO powers to impose monetary fines of up to £500,000 for serious breaches of the regulations, which the ICO has welcomed, especially in relation to unsolicited marketing calls and messages.
New breach notification obligations for telcos and ISPs
The e-Privacy Regulations 2011 introduce new mandatory breach notification obligations for providers of public electronic communications services, such as telcos and ISPs. In all cases of a personal data breach, the ICO must be notified. In some cases, the subscriber or user must also be notified where there is a risk that the breach would adversely affect the personal data or privacy of that user or subscriber. Service providers must maintain an inventory of personal data breaches comprising the facts surrounding the breach, the effects of that breach and the remedial action taken. The ICO may audit the compliance of service providers and may impose a fixed civil monetary penalty of £1000 (reduced to £800 for early settlement) for noncompliance. Although the amount of this fine has been criticised for not being a meaningful deterrent, service providers will additionally remain at risk of attracting fines of up to £500,000 for data breaches that also constitute a serious breach of the Data Protection Act 1998.
New requirements for cookie “consent”
The e-Privacy Regulations 2011 introduce a controversial new rule governing the storage of or access to information stored on the terminal equipment of end users, including the use of cookies. As expected, the new rule requires the “consent” of the subscriber or user, but new Regulation 6 clarifies that consent may be signified by a subscriber who amends or sets controls on the Internet browser which the subscriber uses (or similar application) to signify consent.
On 9 May the ICO published guidance on the new cookie rule, urging website operators to act now to implement ways to obtain visitors' consent to cookies. While browser settings will play an important role in obtaining visitors' consent in the longer term, in the ICO’s opinion, current browser settings are insufficient to obtain consent and, therefore, in the interim, website operators are responsible for implementing their own consent solutions. The ICO, therefore, encourages website operators to assess what cookies are served through the website—and how intrusive they are—and to consider and implement appropriate consent solutions for compliance with the new rule.
