On 26 May 2011, the UK is implementing an amendment to the EU’s Privacy and Electronic Communications Directive. The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (SI 2011 No. 1208) are now available. The amendments require UK businesses and organisations running web sites in the UK to get informed consent from visitors to their web sites in order to store and retrieve information on users’ computers. Cookies are of course the most obvious manifestation of ‘store and retrieve information’ or SARI.
The ICO advice, which is pitched at a relatively basic level and which follows the publication of UK regulations by the Department for Culture, Media and Sport, can be accessed here: http://www.ico.gov.uk/~/media/documents/library/Privacy_and_electronic/Practical_application/advice_on_the_new_cookies_regulations.pdf. The ICO states that it will help people to consider what type of cookie or similar technology their web site uses and for what purpose, how intrusive their use is, and offers advice on what solution for obtaining consent will suit them.
Amendment Regulations
The Explanatory Note to the Regulations describes them as follows:
These Regulations implement Articles 2 and 3 of Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws by making amendments to the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“the 2003 Regulations”).
Regulation 3 amends the definition of “location data” and inserts a new definition of “personal data breach” into the 2003 Regulations.
Regulation 4 makes provision in relation to the required measures to be taken by communications providers in ensuring that the processing of personal data is secure. Regulation 4 also gives the Information Commissioner the power to audit compliance with these requirements.
Regulation 5 inserts a new provision into the 2003 Regulations which relates to the notification of personal data breaches. In all cases, the Information Commissioner must be notified. In some cases, the subscriber or user must also be notified where there is a risk that the breach would adversely affect the personal data or privacy of that user.
Regulation 5 also inserts provision into the 2003 Regulations for the auditing and enforcement of the notification provisions. In the event of failure to comply, the Information Commissioner will be able to impose a fixed civil monetary penalty on a service provider.
Regulation 6 amends the provisions in the 2003 Regulations on the storage of or access to information on the terminal equipment of end users. It also makes provision as to the signification of consent which must be sought as a result of the changes to the Directive.
Regulation 7 makes a minor textual amendment to regulation 7 of the 2003 Regulations.
Regulation 8 makes a minor textual amendment to regulation 19(1) of the 2003 Regulations.
Regulation 9 amends regulation 23 of the 2003 Regulations, by providing for the prohibition of sending electronic mail which contravenes the information requirements in regulation 7 of the Electronic Commerce (EC Directive) Regulations 2002, or sending an e-mail which encourages recipients to visit websites which contravene that regulation.
Regulation 10 makes provision to allow police and the security services to have access to personal data of users of public electronic communications networks and services. It also makes provision to compel service providers to establish and maintain procedures to allow access to that data.
Regulation 11 makes minor amendments to regulation 31 of the 2003 Regulations. The amendments extend section 55A to 55E of the Data Protection Act 1998 to the 2003 Regulations which will allow the Information Commissioner to issue civil monetary penalties for non-compliance with the Regulations of up to £500,000.
Regulation 12 inserts new regulations 31A and 31B which make provision for third party information notices. The Information Commissioner may request information from a communications provider which relates to the use of that provider’s network or service by a third party which is in contravention of any part of the Regulations. New regulation 31B makes provision for appeals against third party information notices.
Regulation 13 inserts a new regulation 37 into the 2003 Regulations which requires the Secretary of State to conduct a review of the implementation of the Directive in the United Kingdom at least every 5 years and lay a report of that review before Parliament.
Regulation 14 amends Schedule 1 to the 2003 Regulations.
Regulation 15 amends the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000.
Regulation 16 amends the Enterprise Act 2002 to include reference to the Information Commissioner, and Article 13 of the 2002 Directive for the purposes of the enforcement of the provisions of that Article as a Community Infringement under Part 8 of the Enterprise Act 2002.
Regulation 17 inserts article 13 of the 2002 Directive into the Schedule to the Enterprise Act 2002 (Part 8 Community Infringements Specified UK Laws) Order 2003, which lists Community infringements for the purposes of the Enterprise Act 2002.
Note that the Electronic Communications (Universal Service) (Amendment) Order 2011 (SI 2011 No. 1209) has also been made.
ICO Advice
The ICO has drawn up its advice to help organisations to start to think about the practical steps they will need to take to remain compliant with the new law. The advice will be supplemented by additional content as innovative ways to acquire users’ consent are developed.
Information Commissioner, Christopher Graham, said:
‘The advice we’ve issued today should help businesses and organisations to get on the road to compliance in a way that causes them – as well as UK consumers – minimal disruption. The implementation of this new legislation is challenging and involves significant technological considerations. That’s why we’ve already consulted a wide range of stakeholders. But we want to spread the net as wide as we can and would welcome further comments from others who have practical examples to share. This advice is very much a work in progress and doesn’t yet provide all of the answers. We’re responsible for regulating the new law and will undoubtedly start to receive complaints about companies who are using cookies without consent. We’d urge all UK businesses and organisations to read our advice and start working out how they will meet the requirements of this new law.’
Advice for consumers on what the new law will mean for them is being drafted. This, along with further information about the ICO’s approach to enforcement of the new rules, will be published shortly.