Much of the focus in relation to data protection and privacy law is on implementation of the General Data Protection Regulation, which becomes applicable from 25 May 2018. However, many of the discussions that are taking place in respect of GDPR implementation are forgetting the GDPR’s older cousin: the snappily named Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). This Directive from the European Union dating from 2002 was implemented in the United Kingdom through the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).
The Directive on privacy and electronic communications is concerned with the processing of personal data and the protection of privacy in the electronic communications sector and is of importance to telecommunications providers, Internet Service Providers and any person or organisation who conducts direct marketing by electronic means; however, this blog post is concerned only with direct marketing and is a follow-up to my recent blog post on whether consent is required under the GDPR.
The GDPR might be the big thing at the moment, but it is important not to consider it in isolation. When thinking about GDPR implementation it is necessary to take a holistic view and think about how it interacts with other laws because these other laws don’t stop having effect just because of the GDPR. Therefore, it is essential to consider how these other laws affect your GDPR implementation.
The rules on direct marketing by electronic means are relatively simple and straightforward, but this does not stop unlawful behaviour from taking place on an industrial scale. Rarely does a month go past without the Information Commissioner’s Office publishing information on enforcement action it has taken against businesses arising out of failing to comply with PECR, especially since the law changed to lower the legal threshold for Monetary Penalty Notices in relation to PECR infringements.
Electronic Mail
Electronic Mail includes E-mail and SMS text messaging. The general rule for direct marketing by electronic mail is that you need consent, as defined by the 1995 Data Protection Directive. This means that you must have a freely given, specific and informed indication that the person to whom you are directing the marketing wants to receive such marketing.
There is an exception to this which is referred to as the “soft opt-in”. This applies where you have obtained a person’s personal data “in the course of the sale or negotiations for the sale of a product or service” to them. You can then send direct marketing to this person, without first gaining their express consent, where you are marketing your own similar products or services. The data subject must be “given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected”.
Each direct marketing communication that is sent must include a simple means of opting out of further direct marketing content (and this must be free of charge, except for the costs of transmission of the opt-out).
Telephone: Automated calls
The rules for direct marketing by telephone are split into automated and unsolicited live telesales calls. In the case of automated calls with recorded information played when the phone line being called is answered, the subscriber (i.e. the person who has contracted with the telephone service provider) must have notified the caller (or the person instigating the call where the caller is a third party acting on behalf of the instigator) that, for the time being, they consent to receiving such calls. Again, this requires there to be a freely given, specific and informed indication. Consent can be withdrawn.
Telephone: Unsolicited live telesales calls
You do not require consent to make such calls; however, you must not make such calls where the subscriber has notified you that they do not wish to receive such calls, or if the number is registered with the Telephone Preference Service (TPS). You can call numbers registered with the TPS where the subscriber has consented to receiving calls from you, notwithstanding that the number is registered with the TPS. Consent can, as always, be withdrawn at a later date.
Fax
Yes, it is still a thing and some people (and indeed whole sectors) still use fax machines. However, as it is more or less an obsolete technology all I will say on the matter is that PECR regulates the use of fax for direct marketing and the relevant parts are Regulations 20 and 25.
That is a very brief run through of the relevant law as it stands today. However, a couple of points to note in closing: Firstly, the EU is currently working on a replacement for the current Directive. It had been anticipated that the new E-Privacy Regulation would be implemented alongside the GDPR, but work started on it too late and so it won’t. Whether it will be finalised and in force prior to Brexit is something that we will need to wait and see. Secondly, depending on what happens with the Brexit negotiations it may still end up being part of UK law even if it comes into force after the UK leaves the EU. Thirdly, there are likely to be some temporary adjustments to PECR from 25 May 2018; that is because PECR adopts a lot of definitions from the Data Protection Act 1998 and the 1995 Data Protection Directive (both of which will be repealed on 25 May 2018). Finally, the domestic Regulations were made under the European Communities Act 1972; therefore the European Union (Withdrawal) Bill may well have some impact upon them.