Privacy and Electronic Communications (Amendment) Regulations 2018

Amendments to the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (PECR) have come into force today (19 December 2018). The intention of the 2018 Regs is to increase the powers of the Information Commissioner’s Office (ICO), by enabling it to impose penalties on officers (which includes directors of companies, partners in general partnerships and partners in limited liability partnerships) for breaching the PECR in respect of using automated calling systems and unsolicited direct marketing.

‘Direct Marketing’ is defined as “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”. The PECR specifically regulates marketing by electronic messages, such as telephone calls, emails, faxes or text messages, all of which, in practice, are covered by the definition of Direct Marketing.

The PECR prohibits any unsolicited Direct Marketing, which means any type of direct marketing which is not specifically requested and where the recipient’s consent to use their personal data in this way has not been provided. In practice, such consent will usually have been satisfied by way of an opt-in option such as a tick-box icon, providing the individual with the option to agree to receive unsolicited Direct Marketing messages from time to time. If this ’opt-in’ option is not selected, and no other type of consent is obtained, a company that sends direct marketing in breach of the PECR may be fined up to £500,000 by the ICO.

The 2018 Regs were enacted following reports from the ICO that its penalty imposing powers were not having the intended effect on unsolicited direct marketing. Whilst the ICO has, since 2015, had the power to impose penalties on companies that have breached the PECR, there has been a shortfall of approximately £2.5 million, in the amounts recovered from April 2015. The report suggests that the shortfall is a result of a practice known as “Phoenixing”, which is where a company is dissolved by the directors and then re-emerges under a new, often very similar, name and usually has the same directors and shareholders. Consequently, the ICO has no power to fine the new company, as the new company has not committed the breaches. This means that numerous companies continue to breach the PECR by using individuals’ personal data to contact them, without consent, attempting to advertise or market themselves or their products.

The primary objective of the 2018 Regs is to hold the directors and/or senior executives of companies that breach the PECR personally liable. The 2018 Regs will enable the ICO to impose penalties on the officers of those companies where they have conspired in the breach or where the breach is attributable to their neglect.

This is one of the measures that has been taken to uphold the PECR, together with several other courses of action, which are currently under discussion, including the introduction of a statutory code on Direct Marketing that aims to update the current code of practice to reflect the GDPR. There is also emphasis on requiring Direct Marketers to provide caller identification, which should assist in reducing and limiting activities, such as cold calling, where numbers are untraceable.