Electronic Privacy Legislation

The GDPR contains new restrictions in relation to obtaining consent for the collection and use of personal data (see the page on “Consent” for more information). However, it is worth remembering that the GDPR isn’t the only legislation controlling the use of personal data. The Privacy and Electronic Communications Regulations 2003 (PECR) places constraints on the use of personal data for electronic marketing purposes (it does not apply to postal marketing).

As with the GDPR, PECR is changing, but unlike the GDPR, the ePrivacy Regulation is still in draft form. The ePrivacy Regulation is intended to complement the general obligations under the GDPR with specific rules applicable to electronic communications. Although it is still in draft form, it is clear that it will include provisions on cookies, online marketing, Wi-Fi / device location tracking and the use of content and metadata.

The current fines for breach of the PECR are in line with the DPA (£500,000). It is reasonable to assume that (regardless of what progress is made on the ePrivacy Regulation) the fines applicable to breach of specific electronic privacy legislation will probably align with the GDPR. That means a maximum fine of up to 4% of total global annual turnover or €20m (whichever is the higher).

It was originally intended that the ePrivacy Regulation would be implemented in May 2018 alongside the GDPR. However, it is likely that its implementation will be postponed.

For more information on the current law and the proposed changes, see: