26th May 2011 saw the coming into force in the UK of changes to the "Privacy and Electronic Communications (EC Directive) Regulations 2003". These were required by the EU "ePrivacy Directive" 2009/136/EC. Judith Gordon takes us quickly through the main changes, including the much debated new rules on cookies.
Topic: On-line advertising
Who: Information Commissioner's Office, HM Government
When: May 2011
Where: UK
Law stated as at: 25 May 2011
What happened:
On 4 May 2011, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (the "2011 Regulations") were published. These regulations amended the earlier Privacy and Electronic Communications (EC Directive) Regulations 2003 (the "2003 Regulations"), as well as other relevant legislation such as the Data Protection Act 1998 ("DPA").
These amendments were made in light of recent changes to the EU Privacy and Electronic Communications Directive 2002/58/EC (the "E-Privacy Directive"), which themselves came about as a result of various changes to this area of law under another European directive, the so called "Citizens' Rights" Directive 2009/136/EC.
The 2011 Regulations came into force on 26 May 2011.
Please note that whilst previous marketinglaw.co.uk articles have looked at the changes to the E-Privacy Directive itself and the particular changes to the cookies regime, this article looks at the finalised changes to the e-privacy regime as they are incorporated into UK law under the 2003/2011 Regulations.
What are the key changes?
The amendments made by the 2011 Regulations to the 2003 Regulations are significant in a number of areas. We set out the key changes as follows, noting also the comments from the Information Commissioner (the "Commissioner") in relation to the existence of any lead-in periods before enforcing any of these new provisions.
Security of Services
Regulation 5 of the 2003 Regulations already stated that a provider of a public electronic communications service had to take appropriate measures to safeguard the security of their service.
The Regulation has, however, been amended by the insertion of a new paragraph (1A), which specifies the minimum efforts expected of providers in fulfilling this safeguarding obligation. Examples of these efforts include the obligation to implement a security policy with respect to the processing of personal data and to ensure that personal data can only be accessed by authorised persons for legally authorised purposes.
Personal data breaches and fixed monetary penalties
The Regulations contain a new definition: "personal data breach" which means 'a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service'.
New Regulation 5A then puts an obligation on public electronic communications service providers ("service providers") such as BT, AOL or Microsoft, to notify the Commissioner of the occurrence of a personal data breach, and where the breach is likely to adversely affect the personal data or privacy of the user/subscriber, further places an obligation on the service provider to notify the breach to the user/subscriber concerned.
Service providers will not however have to notify users should they be able to demonstrate that the relevant data accessed was in a form unintelligible to persons not authorised to view it. Service providers must also keep an inventory of all personal data breaches, so that the Commissioner may verify compliance with the notification obligations.
Further new Regulations 5B and 5C go on to state that the Commissioner may audit service providers' compliance with Regulation 5A, and may issue a fixed monetary penalty of £1,000 if they find the provider to be in breach of any of the notification obligations.
Service providers should therefore take particular care when handling personal data and note these new notification obligations. In terms of enforcement, however, the Commissioner has stated in their guidance document published on 25 May (the "Enforcement Guidance") that they will allow a one month lead-in period before enforcing these penalties.
Cookies and similar technology
Cookies are small files downloaded on to a device such as a PC, laptop, tablet or mobile phone, most commonly when a user accesses certain websites. These files then allow the website to recognise the user's device when visiting the website in future, for example allowing the website to change the appearance of the website according to the user's preferences.
Under Regulation 6 of the 2003 Regulations, users of cookies were allowed to deploy them provided that the people on whose devices the cookies were being dropped were given clear and comprehensive information about the cookies and were given the opportunity to refuse the cookie's access to the device or the storage of information on it. The 2011 Regulations, however, amend Regulation 6 so as to replace the obligation to allow an opportunity to refuse the cookie's deployment with an obligation to only use the cookie where the user or subscriber "has given his or her consent."
Whilst the exception in Regulation 6(4), under which the requirement for consent does not apply to cookies which are "strictly necessary" for a service requested by the user, is retained, it can only be relied on in limited circumstances. An example of such circumstances would be the use of a cookie on a website selling goods, where the cookie remembers what the user has placed in their basket when they proceed to the checkout page. A cookie that merely remembers preferences which make the website more attractive to the user would not be permitted under the exception. Therefore, aside from this exception, owners of websites which use cookies must start to look at ways to address the new obligation.
There is however a further new insertion into Regulation 6 which clarifies that consent "may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent".
Though this would be an attractive way forward for website owners, most browsers currently do not have the capability to allow users to change their settings in this way. Whilst the government is allegedly working with major browser manufacturers to establish whether this capability will be available in future, for now, website owners must look at other ways in which they can obtain consent from users, such as pop-ups.
Much concern was voiced by website providers at the prospect of finding a workable solution within the 3 week window from publication of the 2011 Regulations to date of entry into force, and so it was with great relief that Enforcement Guidance was released by the Information Commissioner's Office a day before the end of this window, outlining a 12 month lead-in period for compliance. The Commissioner acknowledged that immediate implementation of the new rule would cause disproportionate inconvenience to both providers and users and so providers would have until May 2012 before they would actually be taken to task for non-compliance.
In the same document however, the Commissioner warned that taking no action in the period to May 2012 would not be acceptable, and organisations could be subject to warnings from the Commissioner as to the future use of their enforcement powers if it appears to them that adequate preparations are not being made. Organisations should therefore be seen to be taking steps towards compliance during this 12 month period.
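As an added illustration (not code from the article or from the ICO), the following server-side gate shows one way a site could separate the Regulation 6(4) "strictly necessary" cookies, such as the checkout basket, from cookies that need prior consent, and generate the information to show in a consent prompt. The cookie register, the consent record format and the cookie names are assumptions for the example.

```javascript
// Added example: gating cookie deployment on consent under amended Regulation 6.
// Assumption: the site maintains a register of every cookie it sets, marking which
// ones are "strictly necessary" for a service the user asked for (Reg 6(4)).
const COOKIE_REGISTER = {
  basket: { strictlyNecessary: true, purpose: "remembers items placed in the basket for checkout" },
  theme: { strictlyNecessary: false, purpose: "remembers the user's preferred site appearance" },
  visitor_id: { strictlyNecessary: false, purpose: "recognises the device on future visits" },
};

// Decide whether a named cookie may be set for this user.
// `consent` is an assumed record such as { given: true, at: "2011-06-01" }, or null if
// the user has not answered. Browser settings are deliberately NOT treated as consent,
// since the article notes browsers cannot yet signal it in the way Regulation 6 describes.
function mayDeploy(name, consent) {
  const entry = COOKIE_REGISTER[name];
  if (!entry) {
    // An unregistered cookie has no documented purpose, so it is never set.
    throw new Error(`cookie "${name}" is not in the register`);
  }
  if (entry.strictlyNecessary) return true;
  return Boolean(consent && consent.given === true);
}

// Build the Set-Cookie header values the server is permitted to send for a response.
// `requested` is a list of [name, value] pairs the application wants to set.
function permittedSetCookieHeaders(requested, consent) {
  return requested
    .filter(([name]) => mayDeploy(name, consent))
    .map(([name, value]) =>
      `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`);
}

// The "clear and comprehensive information" for the consent prompt: only the cookies
// that actually need consent are listed, each with its stated purpose.
function consentNotice() {
  return Object.entries(COOKIE_REGISTER)
    .filter(([, entry]) => !entry.strictlyNecessary)
    .map(([name, entry]) => `${name}: ${entry.purpose}`);
}

// Constructed sample: a checkout request from a user who has not yet answered the prompt.
const wanted = [["basket", "sku123,sku456"], ["theme", "dark"], ["visitor_id", "v-0001"]];
console.log(permittedSetCookieHeaders(wanted, null));          // only the basket cookie
console.log(permittedSetCookieHeaders(wanted, { given: true })); // all three
console.log(consentNotice());
```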
Spam
Regulation 23 (regarding anonymous emails for the purpose of direct marketing – i.e. spam) has been amended to incorporate two new subsections regarding compliance with regulation 7 of the Electronic Commerce (EC Directive) Regulations 2002 ("EC Reg 7").
EC Reg 7 states that commercial communications by service providers shall be clearly identifiable as such and shall further clearly identify the person behind the communication, giving full details of any promotional offers and related conditions within that email in a clear and unambiguous fashion.
Regulation 23 states that emails must not only comply with EC Reg 7, but must also not contain any encouragement to recipients to visit websites which contravene EC Reg 7.
The relevant provision of the E-Privacy Directive on which this amendment is based (Article 13) further sets out a right of persons so affected by an infringement of this restriction to bring legal proceedings in respect of that infringement. This right is, however, already covered by a general right to bring proceedings in respect of non-compliance with the Regulations under Regulation 30.
Access to personal data for reasons of national security and law enforcement
New Regulation 29A states that "communications providers" (defined as a person who provides an electronic communications network or an electronic communications service) must have in place internal procedures for responding to requests for users' personal data when Regulations 28 and 29 apply (which concern exemption from the Regulations in situations where national security or the prevention of crime is at stake).
Communications providers must on demand further supply the Commissioner with information about these internal procedures and the number of and details of the requests they have received.
Note however that again, the Commissioner is allowing a lead-in period prior to the enforcement of this Regulation, citing awareness of the fact that some communications providers may not have procedures in place for responding to such requests. Relevant organisations will therefore have 3 months (i.e. until the end of August 2011) to establish such procedures, with the Commissioner confirming that they do not envisage demanding the relevant information from communications providers before August 2011.
ICO powers of enforcement
Regulation 31 has been amended so as to refer to modifications to the DPA which extend the ICO's enforcement powers. These changes are set out in Schedule 1 to the amended 2003 Regulations.
The effect of these changes is that sections 55A and 55B of the DPA now state that where there has been a "serious contravention" of the 2011 Regulations, the Commissioner may impose a fine of up to £500,000 on the organisation or person in breach. Prior to this, the fining powers were limited to contraventions of certain provisions of the DPA.
Section 55A clarifies that a "serious contravention" will be one that is of a kind "likely to cause substantial damage or substantial distress" and will apply to persons who knew or ought to have known i) that there was a risk of the contravention occurring, and ii) that the contravention would be of the kind likely to cause substantial damage or distress. Such a contravention will not however apply where reasonable steps are taken to prevent the contravention.
The Enforcement Guidance further clarifies that the potential for "substantial" damage or distress can be met where it affects large numbers of people, despite the actual effect on the individual being more limited. Whilst the applicability of this section therefore has the potential to be fairly wide-reaching, such fines will not be imposed straight away. The Commissioner is required to issue revised guidance in light of the extension of their power under the DPA and has confirmed that such guidance is unlikely to be available before October 2011. The Commissioner does not therefore intend to impose any penalties for contraventions of the 2011 Regulations until such time as the guidance is issued.
Organisations should further note that this power to impose fines in cases of serious contravention cannot be applied retrospectively, and so will only apply to breaches taking place after 26 May 2011. The Commissioner however has reserved the right to gather information about breaches taking place between May and whenever the guidance is issued for future use in imposing such fines.
Third party information notices
Under new Regulation 31A the Commissioner can serve notices on communications providers requesting that they provide them with information about other people's use of an electronic communications network or service, where that person's compliance with the 2003 Regulations is in question.
It is thought that the rationale behind this provision is to make it easier for the Commissioner to catch infringers who for example are guilty of cold calling or sending spam in breach of the Regulations.
Note however that providers may appeal against such requests being made of them via new Regulation 31B.
Why this matters:
For organisations who have a website and who engage in any sort of electronic marketing, the implications here are significant.
Whilst the main concern for many is the drastic reversal of policy in relation to consent to the use of cookies, care should nonetheless be taken to note the new obligations in respect of personal data breaches, notifications and the sending of commercial marketing emails as well.
Organisations should also not be too reliant on the lead-in periods granted in respect of many of the new provisions. Other than in relation to the change in the law around cookies, these lead-in periods are relatively short and leave little room for organisations to defer consideration of their new obligations.
The Commissioner has further made it pointedly clear that the year long period before compliance will be enforced with respect to the cookie law should not be interpreted as an opportunity to do nothing in the interim. The lead-in has been granted so as to allow for organisations to work out how best to address the new requirements for their sites and blatant inaction will not go unnoticed.