The Privacy and Electronic Communications (EC Directive) Regulations 2003

Regulation 6

[F1Schedule A1U.K.Storing information in the terminal equipment of a subscriber or user

InterpretationU.K.

1.—(1) In this Schedule, “website” includes a mobile application and any other platform by means of which an information society service is provided.

(2) For further provision about the interpretation of this Schedule, see regulation 6(2).

ConsentU.K.

2.—(1) Regulation 6(1) does not prevent a person storing information, or gaining access to information stored, in the terminal equipment of a subscriber or user if the subscriber or user—

(a)is provided with clear and comprehensive information about the purpose of the storage or access, and

(b)gives consent to the storage or access.

(2) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user for the same purpose on more than one occasion, it is sufficient that the requirements of sub-paragraph (1) are met in respect of the initial use.

(3) For the purposes of sub-paragraph (1)(b), the means by which the subscriber or user may signify consent include—

(a)amending or setting controls on the internet browser which the subscriber or user uses;

(b)using another application or programme.

Transmission of a communication over an electronic communications networkU.K.

3.  Regulation 6(1) does not apply to—

(a)technical storage of information in the terminal equipment of a subscriber or user, or

(b)technical access to information stored in such equipment,

for the sole purpose of carrying out the transmission of a communication over an electronic communications network.

Storage or access strictly necessary to provide an information society serviceU.K.

4.—(1) Regulation 6(1) does not apply to—

(a)technical storage of information in the terminal equipment of a subscriber or user, or

(b)technical access to information stored in such equipment,

where the storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

(2) For the purposes of this paragraph, the technical storage of, or technical access to, information is strictly necessary for the provision of an information society service requested by the subscriber or user if, for example, the storage or access is strictly necessary—

(a)to protect information provided in connection with, or relating to, the provision of the service requested,

(b)to ensure that the security of the terminal equipment of the subscriber or user is not adversely affected by the provision of the service requested,

(c)to prevent or detect fraud in connection with the provision of the service requested,

(d)to prevent or detect technical faults in connection with the provision of the service requested, or

(e)to enable either of the following things to be done where necessary for the provision of the service requested—

(i)automatically authenticating the identity of the subscriber or user, or

(ii)maintaining a record of selections made on a website, or information put into a website, by the subscriber or user.

Collecting information for statistical purposesU.K.

5.—(1) Regulation 6(1) does not prevent a person storing information, or gaining access to information stored, in the terminal equipment of a subscriber or user if—

(a)the person provides an information society service,

(b)the sole purpose of the storage or access is to enable the person—

(i)to collect information for statistical purposes about how the service is used with a view to making improvements to the service, or

(ii)to collect information for statistical purposes about how a website by means of which the service is provided is used with a view to making improvements to the website,

(c)any information that the storage or access enables the person to collect is not shared with any other person except for the purpose of enabling that other person to assist with making improvements to the service or website,

(d)the subscriber or user is provided with clear and comprehensive information about the purpose of the storage or access, and

(e)the subscriber or user is given a simple means of objecting, free of charge, to the storage or access and does not object.

(2) In sub-paragraph (1), the reference to gaining access to information stored in the terminal equipment of a subscriber or user does not include a reference to collecting or monitoring information automatically emitted by the terminal equipment.

(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user for the same purpose on more than one occasion, it is sufficient that the requirements of sub-paragraph (1)(d) and (e) are met in respect of the initial use.

Website appearance etcU.K.

6.—(1) Regulation 6(1) does not prevent a person storing information, or gaining access to information stored, in the terminal equipment of a subscriber or user if—

(a)the person provides an information society service by means of a website,

(b)the sole purpose of the storage or access is—

(i)to enable the way the website appears or functions when displayed on, or accessed by, the terminal equipment to adapt to the preferences of the subscriber or user, or

(ii)to otherwise enable an enhancement of the appearance or functionality of the website when displayed on, or accessed by, the terminal equipment,

(c)the subscriber or user is provided with clear and comprehensive information about the purpose of the storage or access, and

(d)the subscriber or user is given a simple means of objecting, free of charge, to the storage or access and does not object.

(2) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user for the same purpose on more than one occasion, it is sufficient that the requirements of sub-paragraph (1)(c) and (d) are met in respect of the initial use.

Emergency assistanceU.K.

7.  Regulation 6(1) does not prevent a person storing information, or gaining access to information stored, in the terminal equipment of a subscriber or user if—

(a)the person receives a communication from the terminal equipment,

(b)the communication is a request from the subscriber or user for emergency assistance or otherwise indicates that the subscriber or user is in need of emergency assistance, and

(c)the sole purpose of the storage or access is to enable the geographical position of the subscriber or user to be ascertained with a view to the emergency assistance being provided.]

Regulation 31

[F2SCHEDULE 1U.K.Information Commissioner’s enforcement powers

Provisions applied for enforcement purposesU.K.

1.  For the purposes of enforcing these Regulations, the following provisions of Parts 5 to 7 of the Data Protection Act 2018 apply with the modifications set out in paragraphs 2 to 29—

• section 140 (publication by the Commissioner);

• section 141A (notices from the Commissioner);

• section 142 (information notices);

• section 143 (information notices: restrictions);

• section 144 (false statements made in response to an information notice);

• section 145 (information orders);

• section 146 (assessment notices);

• section 146A (assessment notices: approval of person to prepare report);

• section 147 (assessment notices: restrictions);

• section 148 (destroying or falsifying information and documents etc);

• section 148A (interview notices);

• section 148B (interview notices: restrictions);

• section 148C (false statements made in response to interview notices);

• section 149 (enforcement notices);

• section 150 (enforcement notices: supplementary);

• section 152 (enforcement notices: restrictions);

• section 153 (enforcement notices: cancellation and variation);

• section 154 and Schedule 15 (powers of entry and inspection);

• section 155 and Schedule 16 (penalty notices);

• section 156 (penalty notices: restrictions);

• section 157 (maximum amount of penalty);

• section 159 (amount of penalties: supplementary);

• section 160 (guidance about regulatory action);

• section 161 (approval of first guidance about regulatory action);

• section 162 (rights of appeal);

• section 163 (determination of appeals);

• section 164 (applications in respect of urgent notices);

• section 180 (jurisdiction);

• section 181 (interpretation of Part 6);

• section 182 (regulations and consultation);

• section 196 (penalties for offences);

• section 197(1) and (2) (prosecution);

• section 198 (liability of directors etc);

• section 200 (guidance about PACE codes of practice);

• section 202 (proceedings in the First-tier Tribunal: contempt);

• section 203 (Tribunal Procedure Rules).

General modification of references to the Data Protection Act 2018U.K.

2.  The provisions listed in paragraph 1 have effect as if—

(a)references to the Data Protection Act 2018 or to a Part of that Act were references to the provisions of that Act or that Part as applied by these Regulations;

(b)references to a particular provision of that Act were references to that provision as applied by these Regulations.

Modification of section 142 (information notices)U.K.

3.  Section 142 has effect as if—

(a)in subsection (1), for paragraphs (a) and (b) there were substituted—

“(a)require any person to provide the Commissioner with information or documents that the Commissioner reasonably requires for the purposes of determining whether that person has complied or is complying with the requirements of the PEC Regulations,

(b)require a communications provider to provide the Commissioner with information or documents relating to another person’s use of an electronic communications network or electronic communications service for the purposes of determining whether that other person has complied or is complying with the requirements of the PEC Regulations, or

(c)require any person to provide the Commissioner with information or documents that the Commissioner reasonably requires for the purposes of investigating a suspected failure by another person to comply with the requirements of the PEC Regulations.”;

(b)in subsection (2)(a), for “(b)(i) or (b)(ii)” there were substituted “(b) or (c)”;

(c)after subsection (8) there were inserted—

“(8A) Subsections (8B) and (8C) apply if an information notice given to a person under subsection (1)(b) or (c) contains—

(a)a statement that a duty of confidentiality applies in relation to the notice, and

(b)an explanation of the effects of subsections (8B) and (8C).

(8B) The person to whom the information notice is given, and any person employed or engaged for the purpose of that person’s business, must not disclose the existence of the notice without reasonable excuse.

(8C) Subsection (8B) does not prevent—

(a)a disclosure to a person employed or engaged for the purpose of the business of the person to whom the notice is given,

(b)a disclosure made with the permission of the Commissioner (whether the permission is contained in the information notice or otherwise), or

(c)a disclosure made for the purpose of obtaining legal advice.”;

(d)subsections (9) and (10) were omitted.

Modification of section 143 (information notices: restrictions)U.K.

4.—(1) Section 143 has effect as if subsections (1) and (9) were omitted.

(2) In that section—

(a)subsections (3)(b) and (4)(b) have effect as if for “the data protection legislation” there were substituted “the PEC Regulations”;

(b)subsection (7)(a) has effect as if for “this Act” there were substituted “section 144, 148 or 148C or paragraph 15 of Schedule 15”;

(c)subsection (8) has effect as if for “this Act (other than an offence under section 144)” there were substituted “section 148 or 148C or paragraph 15 of Schedule 15”.

Modification of section 145 (information orders)U.K.

5.  Section 145(2)(b) has effect as if for “section 142(2)(b)” there were substituted “section 142(2)”.

Modification of section 146 (assessment notices)U.K.

6.  Section 146 has effect as if—

(a)in subsection (1)—

(i)for “a controller or processor” there were substituted “a person within subsection (1A)”;

(ii)for “the controller or processor” there were substituted “the person”;

(iii)for “the data protection legislation” there were substituted “the requirements of the PEC Regulations”;

(b)after subsection (1) there were inserted—

“(1A) A person is within this subsection if the person—

(a)is a communications provider, or

(b)is engaged in any activity regulated by the PEC Regulations.”;

(c)in subsection (2)—

(i)for “controller or processor” there were substituted “person to whom it is given”;

(ii)in paragraph (h), for “the processing of personal data” there were substituted “any activity regulated by the PEC Regulations”;

(iii)in paragraph (i), for “process personal data on behalf of the controller” there were substituted “are involved in any such activity on behalf of the person to whom the notice is given”;

(d)in subsection (3A), for “controller or processor” there were substituted “person”;

(e)in subsection (7), for “controller or processor” there were substituted “person to whom the notice is given”;

(f)in subsection (8)—

(i)in paragraph (a), for “controller or processor” there were substituted “person to whom the notice is given”;

(ii)in the words after paragraph (c), for “controller or processor” there were substituted “person”;

(g)in subsection (9)—

(i)in paragraph (a), for the words from “a controller” to “this Act” there were substituted “the person to whom the notice is given has failed or is failing to comply with the requirements of the PEC Regulations or that an offence under section 144, 148 or 148C or paragraph 15 of Schedule 15”;

(ii)in paragraph (d), for “controller or processor” there were substituted “person”;

(h)in subsection (10), for “controller or processor” there were substituted “person”;

(i)subsection (11) were omitted;

(j)in subsection (11A)—

(i)for “controller or processor”, in the first place it occurs, there were substituted “person to whom it is given”;

(ii)for “controller or processor”, in the second place it occurs, there were substituted “the person”.

Modification of section 146A (assessment notices: approval of person to prepare report)U.K.

7.  Section 146A has effect as if—

(a)in subsection (1), for “a controller or processor” there were substituted “a person (“P”)”;

(b)in subsection (2), for “The controller or processor” there were substituted “P”;

(c)in subsections (3) to (6), for “the controller or processor” (in each place) there were substituted “P”.

Modification of section 147 (assessment notices: restrictions)U.K.

8.—(1) Section 147 has effect as if subsection (5) were omitted.

(2) In that section, subsections (2)(b) and (3)(b) have effect as if for “the data protection legislation” there were substituted “the PEC Regulations”.

Modification of section 148A (interview notices)U.K.

9.  Section 148A has effect as if—

(a)in subsection (1)—

(i)for “a controller or processor” there were substituted “a person”;

(ii)in paragraph (a), for “as described in section 149(2)” there were substituted “to comply with a requirement of the PEC Regulations”;

(iii)in paragraph (b), for “this Act” there were substituted “section 144, 148 or 148C or paragraph 15 of Schedule 15”;

(b)in subsection (3)—

(i)in paragraph (a), for “the controller or processor” there were substituted “the person mentioned in subsection (1)”;

(ii)in paragraph (b), for “the controller or processor” there were substituted “that person”;

(iii)in paragraph (c), for “the controller or processor” there were substituted “that person”.

Modification of section 148B (interview notices: restrictions)U.K.

10.—(1) Section 148B has effect as if subsections (8) and (9) were omitted.

(2) In that section—

(a)subsections (2)(b) and (3)(b) have effect as if for “the data protection legislation” there were substituted “the PEC Regulations”;

(b)subsection (6)(a) has effect as if for “this Act” there were substituted “section 144, 148 or 148C or paragraph 15 of Schedule 15”;

(c)subsection (7) has effect as if for “this Act (other than an offence under section 148C)” there were substituted “section 144 or 148 or paragraph 15 of Schedule 15”.

Modification of section 149 (enforcement notices)U.K.

11.—(1) Section 149 has effect as if subsections (2) to (5A) and (7) to (9) were omitted.

(2) In that section—

(a)subsection (1) has effect as if—

(i)for “as described in subsections (2), (3), (4), (5) or (5A)” there were substituted “to comply with a requirement of the PEC Regulations”;

(ii)for “sections 150 and 151” there were substituted “section 150”;

(b)subsection (6) has effect as if the words “given in reliance on subsection (2), (3), (5) or (5A)” were omitted.

Modification of section 150 (enforcement notices: supplementary)U.K.

12.—(1) Section 150 has effect as if subsection (3) were omitted.

(2) In that section, subsection (2) has effect as if the words “in reliance on section 149(2)” were omitted.

Modification of section 152 (enforcement notices: restrictions)U.K.

13.  Section 152 has effect as if subsections (1), (2) and (4) were omitted.

Modification of Schedule 15 (powers of entry and inspection)U.K.

14.—(1) Schedule 15 has effect as if paragraph 3 were omitted.

(2) Paragraph 1(1) of that Schedule (issue of warrants in connection with non-compliance and offences) has effect as if for paragraph (a) (but not the final “and”) there were substituted—

“(a)there are reasonable grounds for suspecting that—

(i)a person has failed or is failing to comply with a requirement of the PEC Regulations, or

(ii)an offence under section 144, 148, or 148C or paragraph 15 of this Schedule has been or is being committed,”.

(3) Paragraph 2 of that Schedule (issue of warrants in connection with assessment notices) has effect as if—

(a)in sub-paragraphs (1) and (2), for “controller or processor” there were substituted “person”;

(b)in sub-paragraph (2), for “the data protection legislation” there were substituted “the PEC Regulations”.

(4) Paragraph 5 of that Schedule (content of warrants) has effect as if—

(a)in sub-paragraph (1)(c), for “the processing of personal data” there were substituted “an activity regulated by the PEC Regulations”;

(b)in sub-paragraph (2)(d), for the words from “controller or processor” to the end there were substituted “person mentioned in paragraph 1(1)(a) has failed or is failing to comply with a requirement of the PEC Regulations”;

(c)in sub-paragraph (3)(a) and (d)—

(i)for “controller or processor” there were substituted “person mentioned in paragraph 2(1)”;

(ii)for “the data protection legislation” there were substituted “the requirements of the PEC Regulations”.

(5) Paragraph 11 of that Schedule (privileged communications) has effect as if, in sub-paragraphs (1)(b) and (2)(b), for “the data protection legislation” there were substituted “the PEC Regulations”.

Modification of section 155 (penalty notices)U.K.

15.  Section 155 has effect as if—

(a)in subsection (1)—

(i)in paragraph (a), for “as described in section 149(2), (3), (4), (5) or (5A)” there were substituted “to comply with a requirement of the PEC Regulations”;

(ii)after paragraph (c), there were inserted “, or

(d)has failed to comply with the prohibition in section 142(8B),”;

(b)after subsection (1) there were inserted—

“(1A) But the Commissioner may not give a penalty notice to a person in respect of a failure to comply with regulation 5A of the PEC Regulations.”;

(c)for subsection (2) there were substituted—

“(2) When deciding whether to give a penalty notice to a person and determining the amount of the penalty, the Commission must have regard to the matters listed in subsection (3), so far as relevant.”;

(d)in subsection (3)—

(i)for “the controller or processor” (in each place) there were substituted “the person”;

(ii)in paragraph (c), for the words from “data subjects” to the end there were substituted “subscribers or users”;

(iii)in paragraph (d), for the words “in accordance with section 57, 66, 103 or 107” there were substituted “with a view to securing compliance with the requirements of the PEC Regulations”;

(iv)paragraph (g) were omitted;

(v)in paragraph (j), the words “or certification mechanism” were omitted;

(e)subsection (4) were omitted;

(f)after subsection (4) there were inserted—

“(4A) If a penalty notice is given to a body in respect of a failure to comply with any of regulations 19 to 24 of the PEC Regulations, the Commissioner may also give a penalty notice to an officer of the body if the Commissioner is satisfied that the failure—

(a)took place with the consent or connivance of the officer, or

(b)was attributable to any neglect on the part of the officer.

(4B) In subsection (4A)—

“body” means a body corporate or a Scottish partnership;

“officer”, in relation to a body, means—

(g)subsections (6) to (8) were omitted.

Modification of Schedule 16 (penalties)U.K.

16.  Schedule 16 has effect as if paragraphs 3(2)(b) and 5(2)(b) were omitted.

Modification of section 156 (penalty notices: restrictions)U.K.

17.—(1) Section 156 has effect as if subsections (1), (2), (4)(b) and (5) were omitted.

(2) In that section, subsection (3) has effect as if for the words from “controller” to “determined by or” there were substituted “penalty notice to a person who acts”.

Modification of section 157 (maximum amount of penalty)U.K.

18.  Section 157 has effect as if—

(a)subsection (1) were omitted;

(b)in subsection (2)—

(i)for “Part 3 of this Act” there were substituted “the PEC Regulations”;

(ii)in paragraph (a), for the words from “section 35” to “or 78” there were substituted “regulation 5, 6, 7, 8, 14, 19, 20, 21, 21A, 21B, 22, 23 [F3, 24 or 32B(4) or (5)]”;

(c)subsections (3) and (4A) were omitted;

(d)after subsection (4A) there were inserted—

“(4B) In relation to an infringement of section 142(8B) of this Act, the maximum amount of the penalty that may be imposed by a penalty notice is the higher maximum amount.”

Modification of section 159 (amount of penalties: supplementary)U.K.

19.  Section 159 has effect as if—

(a)in subsection (1), the words “Article 83 of the UK GDPR and” were omitted;

(b)in subsection (2), the words “Article 83 of the UK GDPR,” and “and section 158” were omitted.

Modification of section 160 (guidance)U.K.

20.  Section 160 has effect as if, in subsection (4)(f), for “controllers and processors” there were substituted “persons”.

Modification of section 162 (rights of appeal)U.K.

21.  Section 162 has effect as if subsection (4) were omitted.

Modification of section 163 (determination of appeals)U.K.

22.  Section 163 has effect as if subsection (6) were omitted.

Modification of section 180 (jurisdiction)U.K.

23.—(1) Section 180 has effect as if subsections (2)(b), (c), (d) and (e) and (3) were omitted.

(2) Subsection (1) of that section has effect as if for “subsections (3) and (4)” there were substituted “subsection (4)”.

Modification of section 181 (interpretation of Part 6)U.K.

24.  Section 181 has effect as if the definition of “certification provider” were omitted.

Modification of section 182 (regulations and consultation)U.K.

25.—(1) Section 182 has effect as if subsections (3), (6), (8), (11), (12) and (14) were omitted.

(2) Subsection (13) of that section has effect as if for “provision comes into force” there were substituted “coming into force of section 115 of the Data (Use and Access) Act 2025”.

Modification of section 196 (penalties for offences)U.K.

26.—(1) Section 196 has effect as if subsections (3) to (5) were omitted.

(2) In that section—

(a)subsection (1) has effect as if the words “section 119 or 173 or” were omitted;

(b)subsection (2) has effect as if for “section 132, 144, 148, 148C, 170, 171 or 184” there were substituted “section 144, 148 or 148C”.

Modification of section 200 (guidance about PACE codes of practice)U.K.

27.  Section 200 has effect as if, in subsection (1), for “this Act” there were substituted “section 144, 148 and 148C and paragraph 15 of Schedule 15”.

Modification of section 202 (proceedings in the First-tier Tribunal: contempt)U.K.

28.  Section 202 has effect as if, in subsection (1)(a), for sub-paragraphs (i) and (ii) there were substituted “on an appeal under section 162”.

Modification of section 203 (tribunal procedure rules)U.K.

29.  Section 203 has effect as if—

(a)in subsection (1), for paragraphs (a) and (b) there were substituted “the exercise of the rights of appeal conferred by section 162”;

(b)in subsection (2)—

(i)in paragraph (a), for “the processing of personal data” there were substituted “any activity regulated by the PEC Regulations”;

(ii)in paragraph (b), for “the processing of personal data” there were substituted “any such activity”.

InterpretationU.K.

30.  In this Schedule, “the PEC Regulations” means these Regulations.]

Regulation 36

SCHEDULE 2U.K.Transitional provisions

InterpretationU.K.

1.  In this Schedule “the 1999 Regulations” means the Telecommunications (Data Protection and Privacy) Regulations 1999 and “caller” has the same meaning as in regulation 21 of the 1999 Regulations.U.K.

DirectoriesU.K.

2.—(1) Regulation 18 of these Regulations shall not apply in relation to editions of directories first published before 11th December 2003.U.K.

(2) Where the personal data of a subscriber have been included in a directory in accordance with Part IV of the 1999 Regulations, the personal data of that subscriber may remain included in that directory provided that the subscriber—

(a)has been provided with information in accordance with regulation 18 of these Regulations; and

(b)has not requested that his data be withdrawn from that directory.

(3) Where a request has been made under subparagraph (2) for data to be withdrawn from a directory, that request shall be treated as having no application in relation to an edition of a directory that was produced before the producer of the directory received the request.

(4) For the purposes of subparagraph (3), an edition of a directory, which is revised after it was first produced, shall be treated as a new edition.

NotificationsU.K.

3.—(1) A notification of consent given to a caller by a subscriber for the purposes of regulation 22(2) of the 1999 Regulations is to have effect on and after 11th December 2003 as a notification given by that subscriber for the purposes of regulation 19(2) of these Regulations.U.K.

(2) A notification given to a caller by a corporate subscriber for the purposes of regulation 23(2)(a) of the 1999 Regulations is to have effect on and after 11th December 2003 as a notification given by that subscriber for the purposes of regulation 20(1)(b) of these Regulations.

(3) A notification of consent given to a caller by an individual subscriber for the purposes of regulation 24(2) of the 1999 Regulations is to have effect on and after 11th December 2003 as a notification given by that subscriber for the purposes of regulation 20(2) of these Regulations.

(4) A notification given to a caller by an individual subscriber for the purposes of regulation 25(2)(a) of the 1999 Regulations is to have effect on and after the 11th December 2003 as a notification given by that subscriber for the purposes of regulation 21(1) of these Regulations.

Registers kept under regulations 25 and 26U.K.

4.—(1) A notification given by a subscriber pursuant to regulation 23(4)(a) of the 1999 Regulations to the Director General of Telecommunications (or to such other person as is discharging his functions under regulation 23(4) of the 1999 Regulations on his behalf by virtue of an arrangement made under regulation 23(6) of those Regulations) is to have effect on or after 11th December 2003 as a notification given pursuant to regulation 25(1) of these Regulations.U.K.

(2) A notification given by a subscriber who is an individual pursuant to regulation 25(4)(a) of the 1999 Regulations to the Director General of Telecommunications (or to such other person as is discharging his functions under regulation 25(4) of the 1999 Regulations on his behalf by virtue of an arrangement made under regulation 25(6) of those Regulations) is to have effect on or after 11th December 2003 as a notification given pursuant to regulation 26(1) of these Regulations.

References in these Regulations to OFCOMU.K.

5.  In relation to times before an order made under section 411 M1 of the Communications Act 2003 brings any of the provisions of Part 2 of Chapter 1 of that Act into force for the purpose of conferring on OFCOM the functions contained in those provisions, references to OFCOM in these Regulations are to be treated as references to the Director General of Telecommunications.U.K.