The Privacy and Electronic Communications (Amendment) Regulations 2018

Statutory Instruments

2018 No. 1189

Electronic Communications

The Privacy and Electronic Communications (Amendment) Regulations 2018

Made: 15th November 2018

Laid before Parliament: 16th November 2018

Coming into force: 17th December 2018

The Secretary of State is a Minister designated(1) for the purposes of section 2(2) of the European Communities Act 1972(2) in respect of matters relating to electronic communications.

The Secretary of State makes these Regulations in exercise of the powers conferred by that section.

Citation and commencement

1.  These Regulations may be cited as the Privacy and Electronic Communications (Amendment) Regulations 2018 and come into force on 17th December 2018.

Amendment of the Privacy and Electronic Communications (EC Directive) Regulations 2003

2.—(1) Schedule 1 to the Privacy and Electronic Communications (EC Directive) Regulations 2003(3) is amended as follows.

(2) Before paragraph 1 insert the following heading—

Modifications of the Data Protection Act 1998(4).

(3) In paragraph 8AA(5)—

(a) after paragraph (c) insert—

(ca) before subsection (4) there shall be inserted the following subsections—

(3B) If a monetary penalty notice has been served under this section on a body, the Commissioner may also serve a monetary penalty notice on an officer of the body if the Commissioner is satisfied that the contravention in respect of which the monetary penalty notice was served on the body—

(a) took place with the consent or connivance of the officer, or

(b) was attributable to any neglect on the part of the officer.

(3C) In subsection (3B)—

“body” means a body corporate or a Scottish partnership;

“officer” in relation to a body means—

(a) in relation to a body corporate—

(i) a director, manager, secretary or other similar officer of the body or any person purporting to act in such capacity, or

(ii) where the affairs of the body are managed by its members, a member; or

(b) in relation to a Scottish partnership, a partner or any person purporting to act as a partner.; and

(b) in paragraph (d), after “person” (but before the closing quotation mark following it) insert “on whom it is served”.

(4) At the end insert the following—

Modifications of secondary legislation

Modification of the Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010

12.(1) The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010(6) are extended for the purposes of these Regulations and have effect subject to the following modifications.

(2) Regulation 1 applies as if in paragraph (2), at the end, there were inserted “as modified by regulation 31(1) of, and Schedule 1 to, the Privacy and Electronic Communications (EC Directive) Regulations 2003”.

(3) Regulation 3 (notices of intent) applies as if—

(a) in paragraph (a) for “data controller” there were substituted “person”;

(b) paragraph (b)(i) were omitted;

(c) for paragraph (b)(ii) there were substituted—

(ii) the nature of the contravention of the Privacy and Electronic Communications (EC Directive) Regulations 2003,; and

(d) in a case where paragraph 8AA of Schedule 1 to the Privacy and Electronic Communications (EC Directive) Regulations 2003 applies—

(i) paragraph (b)(iv) were omitted, and

(ii) after paragraph (v) there were inserted—

(vi) if the notice is served on an officer of a body, the reason the Commissioner considers that the officer has responsibility for the contravention..

(4) Regulation 4 (monetary penalty notices) applies as if—

(a) in paragraphs (a), (b) and (g) for “data controller” there were substituted “person”;

(b) paragraph (d)(i) were omitted;

(c) for paragraph (d)(ii) there were substituted—

(ii) the nature of the contravention of the Privacy and Electronic Communications (EC Directive) Regulations 2003,; and

(d) in a case where paragraph 8AA of Schedule 1 to the Privacy and Electronic Communications Regulations 2003 applies—

(i) paragraph (d)(iv) were omitted, and

(ii) after paragraph (d)(v) there were inserted—

(vi) if the notice is served on an officer of a body, the reason the Commissioner considers that the officer has responsibility for the contravention;.

Modification of the Data Protection (Monetary Penalties) Order 2010

13.(1) The Data Protection (Monetary Penalties) Order 2010(7) is extended and has effect for the purposes of these Regulations subject to the following modifications.

(2) Article 1(2) (interpretation) applies as if at the end there were inserted “as modified by regulation 31(1) of, and Schedule 1 to, the Privacy and Electronic Communications (EC Directive) Regulations 2003”.

(3) Article 5(2) (monetary penalty notices: cancellation) applies as if after “take any further action” there were inserted “against the person on whom that notice was served”.

(4) Article 6(c) (monetary penalty notices: enforcement) applies as if for “data controller” there were substituted “person on whom the notice is served”.

Margot James

Minister of State

Department for Digital, Culture, Media and Sport

15th November 2018

EXPLANATORY NOTE

(This note is not part of the Regulations)

These Regulations amend the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (“the 2003 Regulations”). They also modify the application of the Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 (SI 2010/31) (“the 2010 Regulations”) and the Data Protection (Monetary Penalties) Order 2010 (SI 2010/910) (“the 2010 Order”).

The 2003 Regulations implemented the provisions of Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector. The 2003 Regulations were amended in 2004 (SI 2004/1039), 2010 (SI 2010/22), 2011 (SI 2011/1208) (which implemented the European legislative changes contained in provisions of Directive 2009/136/EC), in 2015 (SI 2015/355), in 2016 (SI 2016/524 and SI 2016/1177 and paragraph 14 of Schedule 10 to the Investigatory Powers Act 2016) and in 2018 by section 35 of the Financial Claims and Guidance Act 2018, and section 211 of the Data Protection Act 2018.

Under the 2003 Regulations, the Information Commissioner may impose a monetary penalty, under the Data Protection Act 1998 as applied to, and modified by, the 2003 Regulations, for a serious breach of regulations 19 to 24 of the 2003 Regulations. The effect of the amendments made by regulation 2 is to enable the Commissioner to impose such a penalty on an officer of a body corporate or Scottish partnership in addition to the body itself, where such a breach occurs as a result of action, or inaction, by that officer.

The 2010 Regulations are made in exercise of powers in sections 55A and 55B of the Data Protection Act 1998 which apply in respect of enforcement against data controllers for breach of section 4(4) of that Act. The 2010 Order is made in exercise of the power in section 55E of the 2003 Regulations. Those sections were repealed by the Data Protection Act 2018, but were saved in respect of their application to the 2003 Regulations. Those sections are extended with modifications set out in Schedule 1 to the 2003 Regulations, in respect of contraventions of the 2003 Regulations, by regulation 31 of the 2003 Regulations. The modifications to the instruments made under those sections made by regulations 3 and 4 are consequential to the changes effected by regulation 2.

These amendments are intended to ensure that the penalty regime for breaches is “effective, proportionate and dissuasive” as required by Article 15a of Directive 2002/58/EC, as amended by Directive 2009/136/EC.

A full impact assessment has not been produced for this instrument as no impact, or no significant impact, on the private, voluntary or public sector is foreseen.

(1) See S.I. 2001/3495 to which there have been amendments not relevant to these Regulations.

(2) 1972 c. 68; Section 2(2) was amended by section 27 of the Legislative and Regulatory Reform Act 2006 (c. 51) and section 3 of, and Part 1 of the Schedule to, the European Union (Amendment) Act 2008 (c. 7). The 1972 Act will be repealed by section 1 of the European Union (Withdrawal) Act 2018 (c. 16).

(3) S.I. 2003/2426 was amended by paragraph 14 of Part 1 of Schedule 10 to the Investigatory Powers Act 2016 (c. 25), section 35 of the Financial Claims and Guidance Act 2018 (c. 10), section 211(1)(b) and paragraphs 291 to 293 of Part 2 of Schedule 19 to the Data Protection Act 2018 (c. 12) and S.I. 2004/1039, S.I. 2010/22, S.I. 2011/1208, S.I. 2015/355, S.I. 2016/524 and S.I. 2016/1177.

(4) The Data Protection Act 1998 (c. 29) was repealed by section 211 of, and paragraph 44 of Part 1 of Schedule 19 to, the Data Protection Act 2018; savings in relation to S.I. 2003/2426 were made by section 213 of, and paragraph 58 of Part 9 of Schedule 20 to the 2018 Act.

(5) Paragraph 8AA was inserted by S.I. 2015/355.

(6) S.I. 2010/31; the enabling powers for this instrument were repealed by the Data Protection Act 2018, but this instrument was saved in relation to the 2003 Regulations by section 213 of, and paragraph 58 of Part 9 of Schedule 20 to that Act.

(7) S.I. 2010/910; the enabling power for this Order was repealed by the Data Protection Act 2018 but this instrument was saved in relation to the 2003 Regulations by section 213 of, and paragraph 58 of Schedule 20 to, the 2018 Act.