2015 No. 355

Electronic Communications

The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2015

Made

Laid before Parliament

Coming into force

The Secretary of State, being a Minister designated for the purposes of section 2(2) of the European Communities Act 1972 in respect of matters relating to electronic communications, in exercise of the powers conferred by that section, makes the following Regulations:

Citation and commencement

1. These Regulations may be cited as the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2015 and come into force on 6th April 2015.

Amendment of the Privacy and Electronic Communications (EC Directive) Regulations 2003

2. (1) The Privacy and Electronic Communications (EC Directive) Regulations 2003 are amended as follows.

(2) After regulation 16, insert—

Emergency alerts

16A. (1) A relevant public communications provider (P) may, for the purpose of providing an emergency alert service, disregard the restrictions on the processing of data relating to users or subscribers set out in paragraph (2) if the conditions set out in paragraph (3) are met.

(2) The restrictions are—

(a) the restrictions on the processing of traffic data under regulations 7(1) and 8(2); and

(b) the restrictions on the processing of location data under regulations 14(2) and 14(5).

(3) The conditions are—

(a) P is notified by a relevant public authority that—

(i) an emergency within the meaning of section 1(1) of the Civil Contingencies Act 2004 has occurred, is occurring or is about to occur; and

(ii) it is expedient to use an emergency alert service;

(b) P is directed by the relevant public authority to convey a specified communication over a specified time period to users or subscribers of P’s public electronic communications network whom P considers—

(i) are in one or more specified places in the United Kingdom which is or may be affected by the emergency; or

(ii) have been in a specified place affected by the emergency since the emergency occurred but are no longer in the place; and

(c) P complies with that direction.

(4) P may, for the purpose of testing an emergency alert service, disregard the restrictions on the processing of data relating to users or subscribers set out in paragraph (2) if the conditions set out in paragraph (5) are met.

(5) The conditions are—

(a) P is notified by a Minister of the Crown that, in the Minister’s opinion, it is necessary to test an emergency alert service for the purpose of ensuring that the service is maintained in good working order and is an effective means of communicating with users and subscribers in an emergency;

(b) the Minister gives directions as to how the test is to be conducted; and

(c) P complies with the directions in sub-paragraph (b).

(6) Traffic data or location data which relate to users or subscribers of a public electronic communications network and are processed in accordance with this regulation must, within 7 days of the expiry of the time period specified by the relevant public authority pursuant to paragraph (3)(b) or, as the case may be, within 48 hours of receipt of the Minister’s directions pursuant to paragraph (5)(b), be—

(a) erased; or

(b) (i) in the case of an individual, modified so that they cease to constitute personal data of that user or subscriber; or

(ii) in the case of a corporate subscriber, modified so that they cease to be data that would be personal data if that user or subscriber was an individual.

(7) The processing of traffic data or location data in accordance with this regulation shall be carried out only by P or by a person acting under P’s authority.

(8) For the purposes of this regulation—

(a) “emergency alert service” means a service comprising one or more communications to mobile telecommunications devices over a public electronic communications network to warn, advise or inform users or subscribers in relation to an aspect or effect of an emergency which may affect or have affected them by reason of their location;

(b) “relevant public authority” means—

(i) a Minister of the Crown;

(ii) the Scottish Ministers;

(iii) the Welsh Ministers;

(iv) a Northern Ireland department;

(v) a chief officer of police within the meaning of section 101(1) of the Police Act 1996;

(vi) the chief constable of the Police Service of Scotland;

(vii) the chief constable of the Police Service of Northern Ireland;

(viii) the chief constable of the British Transport Police Force;

(ix) the Environment Agency;

(x) the Scottish Environment Protection Agency;

(xi) the Natural Resources Body for Wales;

(c) “relevant public communications provider” means a person who—

(i) provides a public electronic communications network;

(ii) provides cellular mobile electronic communications services; and

(iii) holds a wireless telegraphy licence granted under section 8 of the Wireless Telegraphy Act 2006.

(3) In paragraph 8A of Schedule 1 for “In section 55A—” substitute “Except where paragraph 8AA applies, in section 55A—”.

(4) After paragraph 8A of Schedule 1 insert—

8AA. In section 55A, when applied to regulations 19 to 24 of these Regulations—

(a) in subsection (1)—

(i) for “data controller” there shall be substituted “person”;

(ii) in paragraph (a), for “of section 4(4) by the data controller” there shall be substituted “of the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003, and”; and

(iii) for paragraphs (b) and (c) there shall be substituted—

(b) subsection (2) or (3) applies.

(b) in subsection (3)—

(i) for “data controller” there shall be substituted “person”; and

(ii) for paragraph (a) substitute—

(a) knew or ought to have known that there was a risk that the contravention would occur, but

(c) subsection (3A) shall be omitted;

(d) in subsection (4), for “data controller” there shall be substituted “person”; and

(e) in subsection (9), the definition of “data controller” shall be omitted.

(5) After paragraph 8B of Schedule 1 insert—

8C. In section 55E, for the words “data controller” in subsection (2), there shall be substituted the word “person”.

Ed Vaizey
Minister of State
Department for Culture, Media and Sport

EXPLANATORY NOTE

(This note is not part of the Regulations)

These Regulations make amendments to the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“the 2003 Regulations”) with two distinct purposes. The first is to make provision in connection with alert messages in the event of an emergency. The second is to lower the threshold at which the Information Commissioner may impose a monetary penalty, under the Data Protection Act 1998 as applied to the 2003 Regulations, for a serious breach of regulations 19 to 24 of the 2003 Regulations.

The 2003 Regulations implemented the provisions of Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector. The 2003 Regulations were amended in 2004 (S.I. 2004/1039), 2010 (S.I. 2010/22) and in 2011 (S.I. 2011/1208), the last amendments being to implement the European legislative changes contained in provisions of Directive 2009/136/EC.

Regulation 2(2) permits certain providers of mobile electronic communications services to disregard restrictions on the processing of traffic and location data that would otherwise be imposed on them by the 2003 Regulations. The providers are only permitted to do this for the purposes of providing an emergency alert service, or testing such a service, and only when acting in accordance with directions given by a relevant public authority (as defined) or, in relation to testing, by a Minister of the Crown. Only a provider or a person acting under the provider’s authority may process the traffic and location data. The regulation places a limit on the length of time that providers may retain the traffic and location data they process, unless the data is modified in such a way that the data cannot identify an individual or corporate body. This amendment is consistent with articles 1(3) and 15(1) of Directive 2002/58/EC, which make provision in relation to activities that protect public security.

An impact assessment of the effect that regulation 2(2) will have on the costs of business and the voluntary sector is published with the Explanatory Memorandum alongside the instrument on www.legislation.gov.uk.

Regulations 2(3) and 2(4) amend Schedule 1 to the 2003 Regulations, firstly to set out the threshold for the imposition of a monetary penalty for any serious breach of the 2003 Regulations in relation to matters other than those set out in regulations 19 to 24 (regulation 2(3)) and secondly to set out the threshold at which a monetary penalty for serious breaches of regulations 19 to 24 of the 2003 Regulations may be imposed (regulation 2(4)). This is to ensure that the penalty regime for breaches is “effective, proportionate and dissuasive” as required by Article 15a of Directive 2002/58/EC, as amended by Directive 2009/136/EC.

Regulation 2(5) amends Schedule 1 to the 2003 Regulations in order to make a minor textual modification, for the purposes of the 2003 Regulations, to section 55E of the Data Protection Act 1998. This is to bring that section in line with the other sections of the Data Protection Act 1998 which were inserted into regulation 31 of the 2003 Regulations by S.I. 2011/1208.

A full impact assessment has not been produced for regulations 2(3) to 2(5) as no impact on business and the voluntary sector is foreseen.

A transposition note has been produced for these Regulations and is published with the Explanatory Memorandum alongside the instrument on www.legislation.gov.uk.