The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011

EXPLANATORY NOTE

(This note is not part of the Order)

These Regulations implement Articles 2 and 3 of Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws by making amendments to the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“the 2003 Regulations”).

Regulation 3 amends the definition of “location data” and inserts a new definition of “personal data breach” into the 2003 Regulations.

Regulation 4 makes provision in relation to the required measures to be taken by communications providers in ensuring that the processing of personal data is secure. Regulation 4 also gives the Information Commissioner the power to audit compliance with these requirements.

Regulation 5 inserts a new provision into the 2003 Regulations which relates to the notification of personal data breaches. In all cases, the Information Commissioner must be notified. In some cases, the subscriber or user must also be notified where there is a risk that the breach would adversely affect the personal data or privacy of that user.

Regulation 5 also inserts provision into the 2003 Regulations for the auditing and enforcement of the notification provisions. In the event of failure to comply, the Information Commissioner will be able to impose a fixed civil monetary penalty on a service provider.

Regulation 6 amends the provisions in the 2003 Regulations on the storage of or access to information on the terminal equipment of end users. It also makes provision as to the signification of consent which must be sought as a result of the changes to the Directive.

Regulation 7 makes a minor textual amendment to regulation 7 of the 2003 Regulations.

Regulation 8 makes a minor textual amendment to regulation 19(1) of the 2003 Regulations.

Regulation 9 amends regulation 23 of the 2003 Regulations, by providing for the prohibition of sending electronic mail which contravenes the information requirements in regulation 7 of the Electronic Commerce (EC Directive) Regulations 2002, or sending an e-mail which encourages recipients to visit websites which contravene that regulation.

Regulation 10 makes provision to allow police and the security services to have access to personal data of users of public electronic communications networks and services. It also makes provision to compel service providers to establish and maintain procedures to allow access to that data.

Regulation 11 makes minor amendments to regulation 31 of the 2003 Regulations. The amendments extend section 55A to 55E of the Data Protection Act 1998 to the 2003 Regulations which will allow the Information Commissioner to issue civil monetary penalties for non-compliance with the Regulations of up to £500,000.

Regulation 12 inserts new regulations 31A and 31B which make provision for third party information notices. The Information Commissioner may request information from a communications provider which relates to the use of that provider’s network or service by a third party which is in contravention of any part of the Regulations. New regulation 31B makes provision for appeals against third party information notices.

Regulation 13 inserts a new regulation 37 into the 2003 Regulations which requires the Secretary of State to conduct a review of the implementation of the Directive in the United Kingdom at least every 5 years and lay a report of that review before Parliament.

Regulation 14 amends Schedule 1 to the 2003 Regulations.

Regulation 15 amends the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000.

Regulation 16 amends the Enterprise Act 2002 to include reference to the Information Commissioner, and Article 13 of the 2002 Directive for the purposes of the enforcement of the provisions of that Article as a Community Infringement under Part 8 of the Enterprise Act 2002.

Regulation 17 inserts article 13 of the 2002 Directive into the Schedule to the Enterprise Act 2002 (Part 8 Community Infringements Specified UK Laws) Order 2003, which lists Community infringements for the purposes of the Enterprise Act 2002.

A transposition and a full impact assessment of the effect that this instrument will have on the costs of business and the voluntary sector are available from the Department for Culture, Media and Sport, 2-4 Cockspur Street, London, SW1Y 5DH and are published with the Explanatory Memorandum alongside the instrument on www.legislation.gov.uk.