Privacy and Electronic Communications Directive (PECR) refers to a set of European directives which have been issued and refined since 2002. These directives were written specifically to address the requirements of new digital technologies and ease the adoption of new and innovative electronic communications services. The Directives complement the Data Protection Directive and apply to matters which are not specifically covered by that Directive.
In Ireland the current directive is implemented by S.I. No. 336/2011 – European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011. The SI was brought into force by Minister Pat Rabbitte in 2011.
Keen students of European data protection law will be aware that the Data Protection Directive has been superseded by the GDPR. Similarly, the PECR was supposed to be superseded in 2018 by the E-Privacy Regulation (ePR), but that legislative process is badly delayed and no one is clear on how it will evolve.
S.I. No. 336/2011 makes it clear (17.(1)) that the DPC is responsible for enforcing PECR and that, in case of dispute, the first step is the circuit court. To do so it gives the DPC powers to serve an enforcement notice requiring the recipient to take, within a specified period, such steps as are specified in the enforcement notice. In section 19 of the SI, the DPC is given a right to appoint authorised officers who can enter premises and inspect equipment. The SI backs up these powers with fines of up to €250,000 for an organisation or €50,000 for an individual.
The SI gives effect to Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (ePrivacy Directive), and the amendments to that Directive as introduced by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009.
There are three big items in Directive 2009/136/EC: Spam, Cookies and Data Retention.
Cookies are covered in Article (25), where they are described as having possibly benign purposes, for example in analysing the effectiveness of website design and advertising, and in verifying the identity of users engaged in on-line transactions. Where such devices, for instance cookies, are intended for a legitimate purpose, such as to facilitate the provision of information society services, their use should be allowed on condition that users are provided with clear and precise information about the purposes of cookies.
In its cookie advice the UK’s ICO says that explicit opt-in is the gold standard for consent but goes to great lengths to open doors for implied consent. This concept of implied consent probably doesn’t survive the introduction of GDPR, but that finding will have to wait for CJEU rulings or the enactment of ePR.
Spam to individuals, be it via phone or fax, is basically banned, but interestingly not to organisations. Data Retention is likewise strictly curtailed for e-services, except for billing or Lawful Interception purposes.
In the Irish SI which implements the EU-wide PECR there are two interesting little local variations: calling line identification (8.1 (a) & (b)) and inclusion in phone directories (12.2 (a) & (b)) must be optional. The SI also revokes the previous two SIs, the “European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003 (S.I. No. 535 of 2003)” and the “European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) (Amendment) Regulations 2008 (S.I. No. 526 of 2008)”.