The Potential Perils of Electronic Communications
The “professional press” (both online and printed) has been so dominated this year by dire warnings about the consequences of failing to comply with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) that anyone could be forgiven for thinking that they are the only pieces of privacy legislation that matter. They are important, and their requirements clearly need to be adopted and observed, but they are not the only privacy game in town, and firms must give thought to other forms of regulation if they are not to find themselves in breach.
Nowhere is this truer than in relation to the often-ignored Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). This is especially the case now that the Privacy and Electronic Communications (Amendment) Regulations 2018 (the 2018 Regulations) have broadened the scope of the penalties for failure to comply. The EU's proposed replacement of the underlying directive with a directly applicable ePrivacy Regulation could place yet further privacy burdens on businesses, although some of its provisions, such as those dealing with cookie consent, could make the area of electronic privacy more logical.
What are the PECR?
The new ePrivacy regulations still lie in the future and we will look at these separately in a subsequent article. Currently we are subject to the provisions of the PECR.
The PECR is a set of regulations that sits alongside the GDPR and DPA and gives specific privacy rights in relation to electronic communications, in particular:
- marketing calls, emails, texts and faxes;
- cookies (and similar technologies);
- the need for communications services to be kept secure; and
- issues of customer privacy such as location data, itemised billing, line identification, and directory listings.
You will see immediately that there is already considerable overlap with the provisions of the GDPR and DPA which should continue to be borne in mind in relation to all such dealings.
The PECR as it currently stands has been amended several times over the years, inevitably, since it deals with an area of business that is changing rapidly. The most recent of those changes, other than the forthcoming amendment as to fines, banned cold calling by claims management services.
How do the provisions impact upon you and your firm?
Depending upon how your firm uses electronic services such as email and websites, the potential implications for law firms are quite extensive. We will look briefly at this under the four headings set out above.
- Marketing calls, email, texts and faxes
The rules generally do not apply to communications with clients and customers that give information about a current or past matter: legal updates relevant to that client, for example, or information specific to the matter on which you were instructed. The presence of your firm's logo or other firm details in the communication does not of itself make it marketing. However, if the message includes any significant promotional material aimed at getting a client to purchase further, possibly unrelated, services or to renew a contract that is coming to an end, then strictly that message contains marketing material and the rules apply. It is for your firm to decide where the line between valuable information for a client and marketing lies, and it is suggested that your firm documents that decision in case you are required to justify it to the ICO at some point in the future.
An important consideration is whether the marketing is ‘solicited’ or ‘unsolicited’, in other words whether the recipient asked for it. Solicited marketing is marketing that the recipient specifically requested, and it is usually fine under the PECR. Unsolicited marketing is marketing that was not specifically requested. It may breach the PECR, but need not, for example where the recipient has consented to being sent the information as opposed to specifically requesting it.
Consent is the important factor here. For consent to be valid it must:
- be freely given, clear and specific, and relate both to your firm and to the type of communication you want to use (e.g. phone call, email, text);
- involve a clear positive action, such as ticking a box or making a specific request (e.g. by sending an email); and
- be given with a full understanding by the person concerned that they are giving you consent.
To be on the safe side you are probably best to ask the client, prospective client or contact to opt in specifically and confirm they are happy to receive your marketing messages. You should also keep a clear record of each consent (who gave it, when, how and for which channels) in case you are called upon to show that it exists. Finally, bear in mind that consent can be withdrawn at any time: you must make it easy for people to withdraw consent and tell them how to do so. Where a current client withdraws consent, however, take care to differentiate between information they need as part of an ongoing retainer, which is not caught by the marketing rules, and information that is purely marketing, which is.
For more detailed information on electronic marketing see the ICO web site.
- Cookies (and similar technologies)
As the law currently stands, you must inform all users of your website if you rely on cookies, and you must clearly explain what those cookies do and why. You must also get the website user's clear consent to their use. The exception is cookies that are strictly necessary to provide an online service the user has requested (e.g. to remember what is in their online basket, or to secure an online banking session).
The precise information that must be provided is not specified by the PECR – it is up to your firm to make that decision. The only requirement is that it must be “clear and comprehensive” information about your purposes, including:
- the way the cookies work,
- what you use them for,
- why they are needed,
- the information they record, and
- the consequences of permitting them.
The user must give unambiguous consent to the use of the cookie on your website, for example by clicking on a link or button, and must be given the option of declining it, although you can explain that if they require a particular piece of functionality the cookie will need to be accepted.
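As an added illustration (not part of the original article, and not any firm's production code), the following JavaScript sketches how a firm might record the firm-specific, channel-specific, positive-action marketing consents described under the marketing heading above and gate optional cookies behind the same kind of consent, treating strictly necessary cookies as exempt. The channel names, cookie names, message categories and record fields are assumptions chosen for illustration; a real deployment would persist the ledger and wire the cookie gate into the page's cookie-setting code.

```javascript
'use strict';

// Added example, not from the original article. Channel names, cookie names
// and record fields are assumptions chosen for illustration.

// Consent must be specific to the firm (the controller) and to the channel.
const CHANNELS = new Set(['email', 'sms', 'phone', 'fax']);
// Only these count as a "clear positive action"; silence or a pre-ticked box does not.
const POSITIVE_ACTIONS = new Set(['ticked_box', 'explicit_request']);

class ConsentLedger {
  constructor() {
    this.records = []; // append-only evidence trail, kept in case the ICO asks
  }

  // Record a consent. Rejects anything that is not a specific, positive act.
  record({ subject, controller, channel, action, at }) {
    if (!CHANNELS.has(channel)) throw new Error(`unknown channel: ${channel}`);
    if (!POSITIVE_ACTIONS.has(action)) throw new Error(`not a clear positive action: ${action}`);
    const rec = { subject, controller, channel, action, givenAt: at, withdrawnAt: null };
    this.records.push(rec);
    return rec;
  }

  // Withdrawal closes every live record for that subject, firm and channel.
  // History is kept, not deleted, so the firm can still show what was held.
  withdraw({ subject, controller, channel, at }) {
    let closed = 0;
    for (const r of this.records) {
      if (r.subject === subject && r.controller === controller &&
          r.channel === channel && r.withdrawnAt === null) {
        r.withdrawnAt = at;
        closed += 1;
      }
    }
    return closed;
  }

  // Is there a live (not withdrawn) consent for this firm and channel?
  hasConsent(subject, controller, channel) {
    return this.records.some(r => r.subject === subject && r.controller === controller &&
                                  r.channel === channel && r.withdrawnAt === null);
  }
}

// Decide whether an outgoing message may be sent. Service messages about an
// ongoing or past matter do not need marketing consent; anything the firm has
// classified as containing promotional material does.
function maySend(ledger, message) {
  if (message.kind === 'service') return true;
  if (message.kind === 'marketing') {
    return ledger.hasConsent(message.to, message.from, message.channel);
  }
  throw new Error(`unclassified message kind: ${message.kind}`);
}

// Cookie registry: the "clear and comprehensive" information the site must
// give, plus whether each cookie is strictly necessary for a requested service.
const COOKIE_REGISTRY = {
  session_id: { purpose: 'keeps you signed in to the client area', necessary: true },
  csrf_token: { purpose: 'protects forms against forged requests', necessary: true },
  basket:     { purpose: 'remembers items you have selected', necessary: true },
  _analytics: { purpose: 'measures which pages are visited', necessary: false },
  _ads:       { purpose: 'tracks interests for advertising', necessary: false },
};

// Strictly necessary cookies are exempt; optional ones need a recorded click.
// An unregistered cookie cannot have been explained to the user, so refuse it.
function cookieAllowed(name, cookieConsent) {
  const entry = COOKIE_REGISTRY[name];
  if (!entry) return false;
  if (entry.necessary) return true;
  return cookieConsent !== null && cookieConsent !== undefined &&
         cookieConsent.action === 'click' && cookieConsent.accepted === true;
}

// Lines for the cookie notice, one per cookie, stating purpose and status.
function cookieNoticeLines() {
  return Object.entries(COOKIE_REGISTRY).map(([name, e]) =>
    `${name}: ${e.purpose} (${e.necessary ? 'required to provide the service' : 'optional, set only with your consent'})`);
}
```

Two design points are worth noting. A consent for one channel (email) says nothing about another (SMS), so the gate is keyed on firm and channel together, matching the specificity the text requires. Withdrawal marks records closed rather than deleting them, which keeps the evidence of what was held and when, while `hasConsent` only ever counts live records.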
- Communication services
Many of these provisions apply only to those who provide communication services (as opposed to those who use those services) and so are likely to be of less relevance to those in legal practice (unless, for example, they host client email addresses for the duration of a transaction).
- Customer privacy
As with communication services, much of this applies specifically to communications service providers. It includes, for example, traffic data (information about the routing, duration or timing of a message) and location data (information from the network or service about the location of a phone or other device). Note, however, that if you send out newsletters with read receipts or open tracking, or allow clients to log in to a secure area of your website, you may be recording data of this nature and must therefore comply with the requirements of the PECR.
Finally under this heading are directories. Again, this is unlikely to impact upon most law firms but, if you do want to compile a telephone, fax or email directory or offer a directory enquiry service, you must tell individuals and give them the chance to opt out. You must also get express opt-in consent for reverse searches (e.g. using a phone number to look up a name).
As ever, if you require more information, see the ICO website for guidance.
What is the relationship between the PECR and the GDPR?
Inevitably, dealing as they do with similar or complementary areas of law, there will be an overlap between the two sets of provisions. For that reason, any compliance with one must be read in the light of compliance with the other. So, for example, if you are relying upon consent for electronic marketing then the consent obtained must comply with the requirements of the GDPR. If you are using cookies, then both the requirements of the PECR and those of the GDPR must be observed.
Bear in mind, however, that the scope of the two sets of regulations is not the same. Whereas the GDPR relates to personal data, that is information relating to an identified or identifiable individual, the PECR applies regardless of whether personal data is involved, and so it also covers, for example, communications with companies and organisations.
It should also be noted that the penalties currently differ under the two sets of regulations. Under PECR the Information Commissioner can impose fines of up to £500,000 whereas under the GDPR those fines can go as high as €20 million, or 4% of annual global turnover – whichever is higher.
The 2018 Regulations
Coming into effect on 17 December 2018, the 2018 Regulations increase the range of financial penalties that the ICO can impose on those in breach of PECR provisions. For the first time this includes the power to fine not just an offending body (defined as a body corporate or Scottish partnership) but also an “officer” of that body where there has been a serious breach of regulations 19–24 (automated calling and unsolicited direct marketing) and, as section 2(3) of the 2018 Regulations provides, where the contravention:
(b) was attributable to any neglect on the part of the officer.”
That fine can be up to £500,000.
For the purposes of this section, an “officer” is defined as:
(i) a director, manager, secretary or other similar officer of the body or any person purporting to act in such capacity, or
(ii) where the affairs of the body are managed by its members, a member; or
(b) in relation to a Scottish partnership, a partner or any person purporting to act as a partner.”
What are the implications for firms?
So far as many law firms are concerned the 2018 Regulations will make little or no difference. If the offending “body” is a sole practitioner or non-Scottish partnership, then personal liability would have existed in any event.
The mischief that the 2018 Regulations seek to remedy is corporate bodies that flout the rules knowing that, if they are taken to task by the ICO, they can simply close the business down and set up again under a new name. In targeting this sector, however, the new regulation also catches the managers and directors of incorporated law firms.
The advice, therefore, is for all those who may be held responsible to check what the firm does and how it does it, ensure that there is no breach of the PECR and, perhaps to be on the safe side, if they have not already done so, take out directors' and officers' liability insurance that specifically covers this point.