Under the radar so far save for some not entirely correct reports, the Telecoms Reform Directive will lead to changes to more than cookie deployment laws when it is implemented in the UK come May/June 2011. New compulsory audit process and other fresh enforcement delights lie in wait for marketers, as Stephen Groom reports.
Topic: Email marketing
When: May 2011
Law stated as at: 1 March 2011
In 2009 EU Ministers signed off Directive 2009/136/EC. Dubbed the "Telecoms Reform Directive" and by others the "Cookie Directive," this measure (the "TRD") makes amendments to two Directives and one Regulation. It is due for implementation by Member States by 25 May 2011.
One of the Directives which the TRD amends is the Privacy and Electronic Communications Directive 2002/58/EC ("PECD"), transposed into UK law by the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECRegs").
Changes extend beyond cookie provisions
However the subject of this report is other changes of interest to marketers which the TRD seeks to make. These also impact the PECD and hence the PECRegs, but this time they relate to the email and mobile marketing provisions of those instruments and to enforcement of the PECD as a whole.
To date there has been limited publicity or comment on these changes and such as there has been has not necessarily been altogether accurate. For its part, HM Government has demonstrated limited enthusiasm for the amendments, commenting in its Consultation document of September 2010 that "most of them are not substantive."
Here we try to cut to the chase and establish the nature of the changes and whether the UK Government is right in its assessment.
Penalties and enforcement
First up, the TRD introduces a new Article 15a to the PECD. This is lengthy and focuses on enforcement and penalties.
Edited highlights are as follows:
"Member States shall lay down the rules on penalties, including criminal sanctions where appropriate, applicable to infringements….and shall take all measures necessary to ensure that they are implemented. The penalties provided must be effective, proportionate and dissuasive….
Member States shall ensure that the competent national authority and where relevant other national bodies have the power to order the cessation of infringements….and the necessary investigative powers and resources, including the power to obtain any relevant information they might need to monitor and enforce [the Directive's provisions].."
Further provisions require Member States to consult with the Commission on the measures it proposes to introduce based on these amendments so that the Commission can satisfy itself that these will not adversely affect the functioning of the internal market.
PECD previously silent on penalties and enforcement
The BIS consultation remarks that all this is quite new and that the original PECD was silent on enforcement and penalties. In light of this, HM Govt says that it will review the current enforcement regime "which is mapped into Part V of the Data Protection Act 1998" ("DPA") (by which presumably they mean that the mechanisms for enforcement of the DPA also apply to the PECRegs).
BIS goes on to comment that "there are elements of the current regime which could work more effectively if they were more tailored to the electronic communications industry. In particular we consider that the enforcement notice is useful but could be more effective. We also consider that there is scope for a civil monetary penalty for certain breaches."
New audit powers
We will have to wait and see what BIS has in mind in its references to enforcement notices and civil monetary penalties. Certainly ICO will agree that there is a need to streamline the cumbersome enforcement notice procedure generally, not just in the context of electronic communications.
On the "necessary investigative powers and resources" requirement, BIS says it will need to make provision in the [new] regulations to give ICO the power "to audit procedures and compliance with the revised Directive."
Any such power would be a significant advance (from ICO's point of view) on ICO's current and heavily circumscribed audit powers. These arrived in April 2010 by way of the Coroners and Justices Act 2009 which introduced new DPA sections 41 A-C. These gave ICO powers to serve assessment notices and thereby conduct compulsory audits. However the procedure only applied to the public sector. Private sector data controllers could only be at risk if they were operating in a sector that was subsequently designated by secondary legislation.
Finally on the TRD's call for "criminal penalties", it simply comments that these "should be retained for only the most serious breaches." No seismic changes expected here as criminal proceedings are already contemplated by the DPA, whose enforcement procedures apply to the PECRegs.
Against this backdrop BIS says it will welcome suggestions on how the provisions of the amended PECD could be better enforced.
Does ICO need more PECRegs powers?
Some might say that given ICO's clear lack of appetite for using the powers it already has against those in breach of the PECRegs, the last thing it needs is more of them. In the 7 years since the PECRegs came into force the writer is not aware of a single reported case in which ICO has instigated PECRegs enforcement proceedings in respect of any of the wide range of activities which these regulations control. The vast majority if not all the enforcement that has gone on in this area has been by the Advertising Standards Authority, and has focused naturally on email and mobile marketing.
Having said this, clearly there are issues with the complex procedures which ICO currently has to follow in order to bring to book those in breach of the DPA or the PECRegs. Any tweaking to give enforcement more impact in the digital space may concentrate marketers' minds, whilst any new audit power that extends beyond the public sector will also likely be welcomed by ICO as a more flexible enforcement tool.
A new private right of action?
Another new provision indicated by the TRD comes in the form of a new Article 13.6 of the PECD.
"Member States shall ensure that any person adversely affected by infringements…and therefore having a legitimate interest in the cessation or prohibition of such infringements, including an electronic communications service provider protecting its legitimate business interests, may bring legal proceedings in respect of such infringements…"
At least one commentator has suggested that this heralds the introduction of a brand new private right of action for those affected by PECD breaches, for instance spamming. This is odd as the existing UK measure already confers just such a right.
This is contained in Regulation 30, which is headed "Proceedings for compensation for failure to comply with requirements of the Regulations." This does what it says on the tin, by providing:
"(1) A person who suffers damage by reason of any contravention of any of the requirements of these Regulations by any other person shall be entitled to bring proceedings for compensation from that person for that damage."
This regulation has been used. There have been at least four reported cases since the PECRegs came into force in December 2003 where civil actions for damages and ion one case an injunction, have been instigated, based on Regulation 30, all against defendants allegedly breaching the PECRegs' email marketing provisions. In at least one case the claimant successfully relied on the High Court's inherent powers to grant an injunction prohibiting activity in breach of statutory regulations
In first introducing this right in 2003, the UK Government went beyond the provisions of the PECD, but now it seems that Brussels is finally catching up, and in light of this, it is perhaps not surprising that the BIS consultation makes no specific reference to this amendment and evidently feels that this TRD measure calls for little substantive change.
The "user/subscriber" change
The "opt in" provisions of the PECRegs impacting email and mobile marketing currently follow the PECD's example by only applying to the sending or instigating of such communications "to individual subscribers."
"Individual" is defined as "a living individual and includes an unincorporated body of such individuals"
"Subscriber" is defined as "a person who is a party to a contract with a provider of public communications services for the supply of such services."
So what happens where a marketing email is sent to someone who is not actually paying the bill for the relevant telecoms service, in other words a mere "user."? The PECRegs define a "User" as "any individual using a public electronic communications service."
The most obvious example of such a user would be an employee of a company receiving an email at work. Another example would be sending an email to a household member who is not the "subscriber."
The impact of the above has been that unsolicited marketing emails to employees of limited companies have not been covered by the "prior notification of consent" provisions of the PECRegs, so can be legitimately sent such communications unless and until they unsubscribe.
The TRD changes this by applying the relevant provisions to subscribers "or users". So the key, so-called opt in provision now reads:
"Member States shall take appropriate measures to ensure that unsolicited communications for purposes of direct marketing …are not allowed either without the consent of the subscribers or users concerned or in respect of the subscribers or users who do not wish to receive these communications…"
The effect of this is that, in the context of "B2B" commercial email where employees of limited companies receive this at their desks, the correct implementation of the TRD should have the effect of extending the "prior consent" requirement to such communications.
We say "under UK law" here, because the CAP Code introduces a further gloss on this by designating such B2B emails as in contravention of the Code unless the email is selling only "business products."
In light of this, it is odd that the BIS Consultation makes no reference to this significant change at all. Could it be that they have not picked up the point or do they regard the change as de minimis and therefore not worthy of a consequential amendment? Perhaps we should be told.
E commerce Directive consolidation
Another amendment made by the TRD which will not result in any substantive change to UK email marketing laws or codes is the addition to the general requirement that direct marketing emails should not disguise or conceal the identity of the sender of a further requirement that such communications must comply with Article 6 of Directive 2000/31/EC. This is the so-called E commerce Directive implemented in the UK by the Electronic Commerce (EC Directive) Regulations 2002 ("ECRs").
This is irritating as a cross reference then has to be made. It is also a fruitless exercise as on arriving at Article 6, a raft of requirements are found that are already imposed on those sending marketing emails by UK law by way of the ECRs, viz:
Information to be provided
In addition to other information requirements established by Community law, Member States shall ensure that commercial communications which are part of, or constitute, an information society service comply at least with the following conditions:
(a) the commercial communication shall be clearly identifiable as such;
(b) the natural or legal person on whose behalf the commercial communication is made shall be clearly identifiable;
(c) promotional offers, such as discounts, premiums and gifts, where permitted in the Member State where the service provider is established, shall be clearly identifiable as such, and the conditions which are to be met to qualify for them shall be easily accessible and be presented clearly and unambiguously;
(d) promotional competitions or games, where permitted in the Member State where the service provider is established, shall be clearly identifiable as such, and the conditions for participation shall be easily accessible and be presented clearly and unambiguously.
So another area where, as BIS says, no further UK implementation is needed.
Why this matters:
Analysis of the "non cookie" changes affecting marketing wrought by the TRD indicates that for the most part these are not game-changing amendments and will not need substantive changes to UK law.
The most noteworthy exceptions are arguably those introducing a new audit right (which it should not be forgotten will apply to all obligations imposed by the PECRegs as amended, not just those impacting marketing emails and sms), and the "user/subscriber" change, which so far does not seem to have hit the UK Government's radar.
It remains to be seen how the actual wording of the Directive will fare in the implementing UK regulation. It will also be interesting to see exactly what BIS means when it ominously concludes the section of the Consultation document dealing with the PECD changes:
"There are other amendments to the Directive which will require…. minor amendments…These include provisions on the use of personal data for marketing certain services and using automated systems to make unsolicited marketing communications."
Neither of these threatened areas of change obviously equates to the relevant section of the TRD, so we await with interest the publication of the draft amending regulations, which should not be too long away since transposition is now due in less than 3 months.