Amidst the brouhaha over how the UK will transpose the new “cookie consent” laws in Directive 2009/136/EC, other key changes in this Directive have gone largely unnoticed. One change even seems to have escaped the notice of the UK Government, as Stephen Groom reports.
Topic: On-line advertising
Who: Department for Culture, Media & Sport, HM Government
When: April 2011
Where: UK
Law stated as at: 4 May 2011
What happened:
The UK Government published a paper entitled "Implementing the revised EU Electronic Communications Framework" (the "Paper").This was based on responses received to its September 2010 consultation (the "BIS Consultation") on how the UK should transpose EU Directive 2009/136/EC (the "Directive") into UK law.
The Directive makes amendments to a number of existing EU measures and is due to be implemented across the EU by 25 May 2011.
A key change is made to a provision in the Privacy and Electronic Communications Directive 2002/58/EC ("PECD") impacting the use of cookies. This aspect is reported elsewhere on marketinglaw. In this article we will report on other changes which the Directive makes to the PECD of relevance to marketers.
Penalties and enforcement
First up, the Directive introduces a new Article 15a to the PECD. This is lengthy and focuses on enforcement and penalties.
Edited highlights are as follows:
"Member States shall lay down the rules on penalties, including criminal sanctions where appropriate, applicable to infringements….and shall take all measures necessary to ensure that they are implemented. The penalties provided must be effective, proportionate and dissuasive….
Member States shall ensure that the competent national authority and where relevant other national bodies have the power to order the cessation of infringements….and the necessary investigative powers and resources, including the power to obtain any relevant information they might need to monitor and enforce [the Directive's provisions].."
Further provisions require Member States to consult with the Commission on the measures it proposes to introduce based on these amendments so that the Commission can satisfy itself that these will not adversely affect the functioning of the internal market.
PECD previously silent on penalties and enforcement
The BIS Consultation remarked that all this was quite new and that the original PECD was silent on enforcement and penalties. It went on to comment that "there are elements of the current regime which could work more effectively if they were more tailored to the electronic communications industry. In particular we consider that the enforcement notice is useful but could be more effective. We also consider that there is scope for a civil monetary penalty for certain breaches."
New PECD enforcement powers for ICO on the way
The Paper reports on responses to the above comments and, significantly, states that it is minded to move forward with its previous proposals. In particular it proposes three key changes as follows. It should be borne in mind here that these will apply to breaches of any provisions of the PECD.
Therefore they could apply to misuse of cookies, sending marketing emails without the required prior opt in, cold calling without prior Telephone Preference Service checks, using automated calling systems to send pre –recorded marketing messages or use of location data for marketing purposes without the requisite prior consent.
Increased civil monetary penalties
The powers conferred on ICO by ss 55A-55E of the Data Protection Act 1998 ("DPA") to impose fines of up to £500,000 will be extended to cover breaches of the PECD.
These powers will be available in cases where there have been serious breaches of the relevant provisions of the PECD likely to cause substantial damage or distress and either the contravention was deliberate or the party knew or ought to have known that there was a risk that the breach would occur and that the breach would be of a kind likely to cause substantial damage or distress, but failed to take reasonable steps to prevent the contravention.
New audit powers
The Paper proposes to introduce new provisions in relation to the auditing of businesses' compliance with the PECD. No more information is given at this stage, but an assurance is given that the regime will not conflict with the existing audit regime under the DPA, which currently only extends to public bodies.
Information from third parties
The Paper proposes to make provision in the new regulations implementing the Directive for obtaining information from third parties. It is envisaged that there will be two classes of persons which might be subject to "Third party information notices." These are:
- Telephone providers (withheld Calling Line Identification)
- ISPs
The idea is that this power will enable ICO to find the guilty companies in cases of cold calling where the number is withheld and in cases of spamming.
A new private right of action?
Another new provision indicated by the Directive comes in the form of a new Article 13.6 of the PECD.
This reads:
"Member States shall ensure that any person adversely affected by infringements…and therefore having a legitimate interest in the cessation or prohibition of such infringements, including an electronic communications service provider protecting its legitimate business interests, may bring legal proceedings in respect of such infringements…"
However the existing UK measure already confers just such a right.
This is contained in Regulation 30 of the UK Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECRegs"), which is headed "Proceedings for compensation for failure to comply with requirements of the Regulations." This does what it says on the tin, by providing:
"(1) A person who suffers damage by reason of any contravention of any of the requirements of these Regulations by any other person shall be entitled to bring proceedings for compensation from that person for that damage."
This regulation has been used. There have been at least four reported cases since the PECRegs came into force in December 2003 where civil actions for damages and ion one case an injunction, have been instigated, based on Regulation 30, all against defendants allegedly breaching the PECRegs' email marketing provisions. In at least one case the claimant successfully relied on the High Court's inherent powers to grant an injunction prohibiting activity in breach of statutory regulations
In first introducing this right in 2003, the UK Government went beyond the provisions of the PECD, but now it seems that Brussels is finally catching up, and in light of this, it is perhaps not surprising that neither the BIS Consultation nor the Paper make any specific reference to this amendment and evidently feel that this part of the Directive calls for no substantive change to existing UK law.
The "user/subscriber" change
The "opt in" provisions of the PECRegs impacting email and mobile marketing currently follow the PECD's example by only applying to the sending or instigating of such communications "to individual subscribers."
"Subscriber" is defined as "a person who is a party to a contract with a provider of public communications services for the supply of such services."
"User" is defined as "any individual using a public electronic communications service."
The most obvious example of such a non subscriber user would be an employee of a company receiving an email at work. Another example would be a member of a household who is not the "subscriber" receiving an unsolicited marketing email on the family PC at home.
Under the PECD and the PECRegs, these mere users do not qualify for the protection conferred by the consent provisions of the PECD.
The practical impact of this has been that unsolicited marketing emails to employees of limited companies, for example, have not been covered by the "prior notification of consent" provisions of the PECRegs, so can be legitimately sent such communications unless and until they unsubscribe.
The Directive now changes this by applying the relevant provisions to subscribers "or users". So the key, so-called opt in provision now reads:
"Member States shall take appropriate measures to ensure that unsolicited communications for purposes of direct marketing …are not allowed either without the consent of the subscribers or users concerned or in respect of the subscribers or users who do not wish to receive these communications…"
The effect of this is that, in the context of "B2B" commercial email where employees of limited companies receive this at their desks, the correct transposition of the Directive into UK law should have the effect of extending the "prior consent" requirement to such communications. (We say "UK law" here, because the CAP Code introduces a further gloss on this by designating such B2B emails as in contravention of the Code unless the email is selling only "business products.")
In light of this, it is odd that neither the BIS Consultation nor the Paper make any reference to this significant change. Could it be that BIS and now the DCMS have not picked up the point or do they regard the change as de minimis and therefore not worthy of a consequential amendment? Perhaps we should be told.
Why this matters:
The changes to the enforcement regime for the PECD are game changers and might finally see ICO take on some of the policing responsibilities largely shouldered to date by the ASA. We await with interest the detailed provisions as to the new audit right, for example, as well as the Guidance on this to be produced by ICO.
As for the "user/subscriber" change, it remains to be seen whether the new Regulations implementing the Directive, assuming these materialise at some point before 25 May 2011, will make any reference to these.