The Privacy and Electronic Communications (EC Directive) Regulations 2003

Citation and commencement (U.K.)

1.  These Regulations may be cited as the Privacy and Electronic Communications (EC Directive) Regulations 2003 and shall come into force on 11th December 2003.

Interpretation (U.K.)

2.—(1) In these Regulations—

“bill” includes an invoice, account, statement or other document of similar character and “billing” shall be construed accordingly;

“call” means a connection established by means of a telephone service available to the public allowing two-way communication in real time;

“communication” means any information exchanged or conveyed between a finite number of parties by means of a public electronic communications service, but does not include information conveyed as part of a programme service, except to the extent that such information can be related to the identifiable subscriber or user receiving the information;

“communications provider” has the meaning given by section 405 of the Communications Act 2003 M1;

“corporate subscriber” means a subscriber who is—

(a) a company within the meaning of section 735(1) of the Companies Act 1985 M2;

(b) a company incorporated in pursuance of a royal charter or letters patent;

(c) a partnership in Scotland;

(d) a corporation sole; or

(e) any other body corporate or entity which is a legal person distinct from its members;

“the Directive” means Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) M3;

“electronic communications network” has the meaning given by section 32 of the Communications Act 2003 M4;

“electronic communications service” has the meaning given by section 32 of the Communications Act 2003;

“electronic mail” means any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service;

“enactment” includes an enactment comprised in, or in an instrument made under, an Act of the Scottish Parliament;

“individual” means a living individual and includes an unincorporated body of such individuals;

“the Information Commissioner” and “the Commissioner” both mean the Commissioner appointed under [F1the Data Protection Act 2018];

“information society service” has the meaning given in regulation 2(1) of the Electronic Commerce (EC Directive) Regulations 2002 M5;

“location data” means any data processed in an electronic communications network [F2or by an electronic communications service] indicating the geographical position of the terminal equipment of a user of a public electronic communications service, including data relating to—

(f) the latitude, longitude or altitude of the terminal equipment;

(g) the direction of travel of the user; or

(h) the time the location information was recorded;

“OFCOM” means the Office of Communications as established by section 1 of the Office of Communications Act 2002 M6;

[F3“personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service;]

“programme service” has the meaning given in section 201 of the Broadcasting Act 1990 M7;

“public communications provider” means a provider of a public electronic communications network or a public electronic communications service;

“public electronic communications network” has the meaning given in section 151 of the Communications Act 2003 M8;

“public electronic communications service” has the meaning given in section 151 of the Communications Act 2003;

“subscriber” means a person who is a party to a contract with a provider of public electronic communications services for the supply of such services;

“traffic data” means any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing in respect of that communication and includes data relating to the routing, duration or time of a communication;

“user” means any individual using a public electronic communications service; and

“value added service” means any service which requires the processing of traffic data or location data beyond that which is necessary for the transmission of a communication or the billing in respect of that communication.

(2) Expressions used in these Regulations that are not defined in paragraph (1) and are defined in the Data Protection Act 1998 shall have the same meaning as in that Act.

(3) Expressions used in these Regulations that are not defined in paragraph (1) or the Data Protection Act 1998 and are defined in the Directive shall have the same meaning as in the Directive.

(4) Any reference in these Regulations to a line shall, without prejudice to paragraph (3), be construed as including a reference to anything that performs the function of a line, and “connected”, in relation to a line, is to be construed accordingly.

Textual Amendments

F1 Words in reg. 2(1) substituted (25.5.2018) by Data Protection Act 2018 (c. 12), s. 212(1), Sch. 19 para. 292 (with ss. 117, 209, 210); S.I. 2018/625, reg. 2(1)(g)

Marginal Citations

M1 2003 c. 21; for the commencement of section 405, see section 411(2) and (3) of the same Act.

M3 OJ No L 201, 31.07.02, p. 37.

M4 For the commencement of section 32, see article 2(1) of S.I. 2003/1900 (C. 77).

M7 1990 c. 42; section 201 was amended by section 148(1) of and paragraph 11 of Schedule 10 to the Broadcasting Act 1996 (c. 55).

M8 For the commencement of section 151, see article 2(1) of S.I. 2003/1900 (C. 77).

Revocation of the Telecommunications (Data Protection and Privacy) Regulations 1999 (U.K.)

3.  The Telecommunications (Data Protection and Privacy) Regulations 1999 M9 and the Telecommunications (Data Protection and Privacy) (Amendment) Regulations 2000 M10 are hereby revoked.

Relationship between these Regulations and [F4the data protection legislation] (U.K.)

4.[F5(1)]  Nothing in these Regulations shall relieve a person of his obligations under [F6the data protection legislation] in relation to the processing of personal data.

[F7(2) In this regulation—

“the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

“personal data” and “processing” have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (4) and (14) of that Act).

(3) Regulation 2(2) and (3) (meaning of certain expressions) do not apply for the purposes of this regulation.]

Security of public electronic communications services (U.K.)

5.—(1) Subject to paragraph (2), a provider of a public electronic communications service (“the service provider”) shall take appropriate technical and organisational measures to safeguard the security of that service.

[F8(1A) The measures referred to in paragraph (1) shall at least—

(a) ensure that personal data can be accessed only by authorised personnel for legally authorised purposes;

(b) protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure; and

(c) ensure the implementation of a security policy with respect to the processing of personal data.]

(2) If necessary, the measures required by paragraph (1) may be taken by the service provider in conjunction with the provider of the electronic communications network by means of which the service is provided, and that network provider shall comply with any reasonable requests made by the service provider for these purposes.

(3) Where, notwithstanding the taking of measures as required by paragraph (1), there remains a significant risk to the security of the public electronic communications service, the service provider shall inform the subscribers concerned of—

(a) the nature of that risk;

(b) any appropriate measures that the subscriber may take to safeguard against that risk; and

(c) the likely costs to the subscriber involved in the taking of such measures.

(4) For the purposes of paragraph (1), a measure shall only be taken to be appropriate if, having regard to—

(a) the state of technological developments, and

(b) the cost of implementing it,

it is proportionate to the risks against which it would safeguard.

(5) Information provided for the purposes of paragraph (3) shall be provided to the subscriber free of any charge other than the cost to the subscriber of receiving or collecting the information.

[F9(6) The Information Commissioner may audit the measures taken by a provider of a public electronic communications service to safeguard the security of that service.]

[F10Personal data breach (U.K.)

5A.(1) In this regulation and in regulations 5B and 5C, “service provider” has the meaning given in regulation 5(1).

(2) If a personal data breach occurs, the service provider shall, without undue delay, notify that breach to the Information Commissioner.

(3) Subject to paragraph (6), if a personal data breach is likely to adversely affect the personal data or privacy of a subscriber or user, the service provider shall also, without undue delay, notify that breach to the subscriber or user concerned.

(4) The notification referred to in paragraph (2) shall contain at least a description of—

(a) the nature of the breach;

(b) the consequences of the breach; and

(c) the measures taken or proposed to be taken by the provider to address the breach.

(5) The notification referred to the paragraph (3) shall contain at least—

(a) a description of the nature of the breach;

(b) information about contact points within the service provider’s organisation from which more information may be obtained; and

(c) recommendations of measures to allow the subscriber to mitigate the possible adverse impacts of the breach.

(6) The notification referred to in paragraph (3) is not required if the service provider has demonstrated, to the satisfaction of the Information Commissioner that—

(a) it has implemented appropriate technological protection measures which render the data unintelligible to any person who is not authorised to access it, and

(b) that those measures were applied to the data concerned in that breach.

(7) If the service provider has not notified the subscriber or user in compliance with paragraph (3), the Information Commissioner may, having considered the likely adverse effects of the breach, require it to do so.

(8) Service providers shall maintain an inventory of personal data breaches comprising—

(a) the facts surrounding the breach,

(b) the effects of that breach, and

(c) remedial action taken

which shall be sufficient to enable the Information Commissioner to verify compliance with the provisions of this regulation. The inventory shall only include information necessary for this purpose.

[F11(9) This regulation does not apply in relation to any personal data breach which is to be notified to the Investigatory Powers Commissioner in accordance with a code of practice made under the Investigatory Powers Act 2016.]

Personal data breach: audit (U.K.)

5B.  The Information Commissioner may audit the compliance of service providers with the provisions of regulation 5A.

Personal data breach: enforcement (U.K.)

5C.(1) If a service provider fails to comply with the notification requirements of regulation 5A, the Information Commissioner may issue a fixed monetary penalty notice in respect of that failure.

(2) The amount of a fixed monetary penalty under this regulation shall be £1,000.

(3) Before serving such a notice, the Information Commissioner must serve the service provider with a notice of intent.

(4) The notice of intent must—

(a) state the name and address of the service provider;

(b) state the nature of the breach;

(c) indicate the amount of the fixed monetary penalty;

(d) include a statement informing the service provider of the opportunity to discharge liability for the fixed monetary penalty;

(e) indicate the date on which the Information Commissioner proposes to serve the fixed monetary penalty notice; and

(f) inform the service provider that he may make written representations in relation to the proposal to serve a fixed monetary penalty notice within the period of 21 days from the service of the notice of intent.

(5) A service provider may discharge liability for the fixed monetary penalty if he pays to the Information Commissioner the amount of £800 within 21 days of receipt of the notice of intent.

(6) The Information Commissioner may not serve a fixed monetary penalty notice until the time within which representations may be made has expired.

(7) The fixed monetary penalty notice must state—

(a) the name and address of the service provider;

(b) details of the notice of intent served on the service provider;

(c) whether there have been any written representations;

(d) details of any early payment discounts;

(e) the grounds on which the Information Commissioner imposes the fixed monetary penalty;

(f) the date by which the fixed monetary penalty is to be paid; and

(g) details of, including the time limit for, the service provider’s right of appeal against the imposition of the fixed monetary penalty.

(8) A service provider on whom a fixed monetary penalty is served may appeal to the Tribunal against the issue of the fixed monetary penalty notice.

(9) Any sum received by the Information Commissioner by virtue of this regulation must be paid into the Consolidated Fund.

(10) In England and Wales and Northern Ireland, the penalty is recoverable—

(a) if a county court so orders, as if it were payable under an order of that court;

(b) if the High Court so orders, as if it were payable under an order of that court.

(11) In Scotland, the penalty may be enforced in the same manner as an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom in Scotland.]

Confidentiality of communications (U.K.)

6.—(1) Subject to paragraph (4), a person shall not [F12store or] gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment—

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

[F13(b) has given his or her consent.]

(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.

[F14(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.]

(4) Paragraph (1) shall not apply to the technical storage of, or access to, information—

(a) for the sole purpose of carrying out F15... the transmission of a communication over an electronic communications network; or

(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

Restrictions on the processing of certain traffic data (U.K.)

7.—(1) Subject to paragraphs (2) and (3), traffic data relating to subscribers or users which are processed and stored by a public communications provider shall, when no longer required for the purpose of the transmission of a communication, be—

(a) erased;

(b) in the case of an individual, modified so that they cease to constitute personal data of that subscriber or user; or

(c) in the case of a corporate subscriber, modified so that they cease to be data that would be personal data if that subscriber was an individual.

(2) Traffic data held by a public communications provider for purposes connected with the payment of charges by a subscriber or in respect of interconnection payments may be processed and stored by that provider until the time specified in paragraph (5).

(3) Traffic data relating to a subscriber or user may be processed and stored by a provider of a public electronic communications service if—

(a) such processing and storage are for the purpose of marketing electronic communications services, or for the provision of value added services to that subscriber or user; and

(b) the subscriber or user to whom the traffic data relate has [F16previously notified the provider that he consents] to such processing or storage; and

(c) such processing and storage are undertaken only for the duration necessary for the purposes specified in subparagraph (a).

(4) Where a user or subscriber has given his consent in accordance with paragraph (3), he shall be able to withdraw it at any time.

(5) The time referred to in paragraph (2) is the end of the period during which legal proceedings may be brought in respect of payments due or alleged to be due or, where such proceedings are brought within that period, the time when those proceedings are finally determined.

(6) Legal proceedings shall not be taken to be finally determined—

(a) until the conclusion of the ordinary period during which an appeal may be brought by either party (excluding any possibility of an extension of that period, whether by order of a court or otherwise), if no appeal is brought within that period; or

(b) if an appeal is brought, until the conclusion of that appeal.

(7) References in paragraph (6) to an appeal include references to an application for permission to appeal.

Further provisions relating to the processing of traffic data under regulation 7 (U.K.)

8.—(1) Processing of traffic data in accordance with regulation 7(2) or (3) shall not be undertaken by a public communications provider unless the subscriber or user to whom the data relate has been provided with information regarding the types of traffic data which are to be processed and the duration of such processing and, in the case of processing in accordance with regulation 7(3), he has been provided with that information before his consent has been obtained.

(2) Processing of traffic data in accordance with regulation 7 shall be restricted to what is required for the purposes of one or more of the activities listed in paragraph (3) and shall be carried out only by the public communications provider or by a person acting under his authority.

(3) The activities referred to in paragraph (2) are activities relating to—

(a) the management of billing or traffic;

(b) customer enquiries;

(c) the prevention or detection of fraud;

(d) the marketing of electronic communications services; or

(e) the provision of a value added service.

(4) Nothing in these Regulations shall prevent the furnishing of traffic data to a person who is a competent authority for the purposes of any provision relating to the settling of disputes (by way of legal proceedings or otherwise) which is contained in, or made by virtue of, any enactment.

Itemised billing and privacy (U.K.)

9.—(1) At the request of a subscriber, a provider of a public electronic communications service shall provide that subscriber with bills that are not itemised.

(2) OFCOM shall have a duty, when exercising their functions under Chapter 1 of Part 2 of the Communications Act 2003, to have regard to the need to reconcile the rights of subscribers receiving itemised bills with the rights to privacy of calling users and called subscribers, including the need for sufficient alternative privacy-enhancing methods of communications or payments to be available to such users and subscribers.

Prevention of calling line identification – outgoing calls (U.K.)

10.—(1) This regulation applies, subject to regulations 15 and 16, to outgoing calls where a facility enabling the presentation of calling line identification is available.

(2) The provider of a public electronic communications service shall provide users originating a call by means of that service with a simple means to prevent presentation of the identity of the calling line on the connected line as respects that call.

(3) The provider of a public electronic communications service shall provide subscribers to the service, as respects their line and all calls originating from that line, with a simple means of preventing presentation of the identity of that subscriber’s line on any connected line.

(4) The measures to be provided under paragraphs (2) and (3) shall be provided free of charge.

Prevention of calling or connected line identification – incoming calls (U.K.)

11.—(1) This regulation applies to incoming calls.

(2) Where a facility enabling the presentation of calling line identification is available, the provider of a public electronic communications service shall provide the called subscriber with a simple means to prevent, free of charge for reasonable use of the facility, presentation of the identity of the calling line on the connected line.

(3) Where a facility enabling the presentation of calling line identification prior to the call being established is available, the provider of a public electronic communications service shall provide the called subscriber with a simple means of rejecting incoming calls where the presentation of the calling line identification has been prevented by the calling user or subscriber.

(4) Where a facility enabling the presentation of connected line identification is available, the provider of a public electronic communications service shall provide the called subscriber with a simple means to prevent, without charge, presentation of the identity of the connected line on any calling line.

(5) In this regulation “called subscriber” means the subscriber receiving a call by means of the service in question whose line is the called line (whether or not it is also the connected line).

Publication of information for the purposes of regulations 10 and 11 (U.K.)

12.  Where a provider of a public electronic communications service provides facilities for calling or connected line identification, he shall provide information to the public regarding the availability of such facilities, including information regarding the options to be made available for the purposes of regulations 10 and 11.

Co-operation of communications providers for the purposes of regulations 10 and 11 (U.K.)

13.  For the purposes of regulations 10 and 11, a communications provider shall comply with any reasonable requests made by the provider of the public electronic communications service by means of which facilities for calling or connected line identification are provided.

Restrictions on the processing of location data (U.K.)

14.—(1) This regulation shall not apply to the processing of traffic data.

(2) Location data relating to a user or subscriber of a public electronic communications network or a public electronic communications service may only be processed—

(a) where that user or subscriber cannot be identified from such data; or

(b) where necessary for the provision of a value added service, with the consent of that user or subscriber.

(3) Prior to obtaining the consent of the user or subscriber under paragraph (2)(b), the public communications provider in question must provide the following information to the user or subscriber to whom the data relate—

(a) the types of location data that will be processed;

(b) the purposes and duration of the processing of those data; and

(c) whether the data will be transmitted to a third party for the purpose of providing the value added service.

(4) A user or subscriber who has given his consent to the processing of data under paragraph (2)(b) shall—

(a) be able to withdraw such consent at any time, and

(b) in respect of each connection to the public electronic communications network in question or each transmission of a communication, be given the opportunity to withdraw such consent, using a simple means and free of charge.

(5) Processing of location data in accordance with this regulation shall—

(a) only be carried out by—

(i) the public communications provider in question;

(ii) the third party providing the value added service in question; or

(iii) a person acting under the authority of a person falling within (i) or (ii); and

(b) where the processing is carried out for the purposes of the provision of a value added service, be restricted to what is necessary for those purposes.

Tracing of malicious or nuisance calls (U.K.)

15.—(1) A communications provider may override anything done to prevent the presentation of the identity of a calling line where—

(a) a subscriber has requested the tracing of malicious or nuisance calls received on his line; and

(b) the provider is satisfied that such action is necessary and expedient for the purposes of tracing such calls.

(2) Any term of a contract for the provision of public electronic communications services which relates to such prevention shall have effect subject to the provisions of paragraph (1).

(3) Nothing in these Regulations shall prevent a communications provider, for the purposes of any action relating to the tracing of malicious or nuisance calls, from storing and making available to a person with a legitimate interest data containing the identity of a calling subscriber which were obtained while paragraph (1) applied.

Emergency calls (U.K.)

16.—(1) For the purposes of this regulation, “emergency calls” means calls to either the national emergency call number 999 or the single European emergency call number 112.

(2) In order to facilitate responses to emergency calls—

(a) all such calls shall be excluded from the requirements of regulation 10;

(b) no person shall be entitled to prevent the presentation on the connected line of the identity of the calling line; and

(c) the restriction on the processing of location data under regulation 14(2) shall be disregarded.

[F17Emergency alerts (U.K.)

16A.(1) A relevant public communications provider (P) may, for the purpose of providing an emergency alert service, disregard the restrictions on the processing of data relating to users or subscribers set out in paragraph (2) if the conditions set out in paragraph (3) are met.

(2) The restrictions are—

(a) the restrictions on the processing of traffic data under regulations 7(1) and 8(2); and

(b) the restrictions on the processing of location data under regulations 14(2) and 14(5).

(3) The conditions are—

(a) P is notified by a relevant public authority that—

(i) an emergency within the meaning of section 1(1) of the Civil Contingencies Act 2004 has occurred, is occurring or is about to occur; and

(ii) it is expedient to use an emergency alert service;

(b) P is directed by the relevant public authority to convey a specified communication over a specified time period to users or subscribers of P’s public electronic communications network whom P considers—

(i) are in one or more specified places in the United Kingdom which is or may be affected by the emergency; or

(ii) have been in a specified place affected by the emergency since the emergency occurred but are no longer in the place; and

(c) P complies with that direction.

(4) P may, for the purpose of testing an emergency alert service, disregard the restrictions on the processing of data relating to users or subscribers set out in paragraph (2) if the conditions set out in paragraph (5) are met.

(5) The conditions are—

(a) P is notified by a Minister of the Crown that, in the Minister’s opinion, it is necessary to test an emergency alert service for the purpose of ensuring that the service is maintained in good working order and is an effective means of communicating with users and subscribers in an emergency;

(b) the Minister gives directions as to how the test is to be conducted; and

(c) P complies with the directions in sub-paragraph (b).

(6) Traffic data or location data which relate to users or subscribers of a public electronic communications network and are processed in accordance with this regulation must, within 7 days of the expiry of the time period specified by the relevant public authority pursuant to paragraph (3)(b) or, as the case may be, within 48 hours of receipt of the Minister’s directions pursuant to paragraph (5)(b), be—

(a) erased; or

(b) (i) in the case of an individual, modified so that they cease to constitute personal data of that user or subscriber; or

(ii) in the case of a corporate subscriber, modified so that they cease to be data that would be personal data if that user or subscriber was an individual.

(7) The processing of traffic data or location data in accordance with this regulation shall be carried out only by P or by a person acting under P’s authority.

(8) For the purposes of this regulation—

(a) “emergency alert service” means a service comprising one or more communications to mobile telecommunications devices over a public electronic communications network to warn, advise or inform users or subscribers in relation to an aspect or effect of an emergency which may affect or have affected them by reason of their location;

(b) “relevant public authority” means—

(i) a Minister of the Crown;

(ii) the Scottish Ministers;

(iii) the Welsh Ministers;

(iv) a Northern Ireland department;

(v) a chief officer of police within the meaning of section 101(1) of the Police Act 1996;

(vi) the chief constable of the Police Service of Scotland;

(vii) the chief constable of the Police Service of Northern Ireland;

(viii) the chief constable of the British Transport Police Force;

(ix) the Environment Agency;

(x) the Scottish Environment Protection Agency;

(xi) the Natural Resources Body for Wales;

(c) “relevant public communications provider” means a person who—

(i) provides a public electronic communications network;

(ii) provides cellular mobile electronic communications services; and

(iii) holds a wireless telegraphy licence granted under section 8 of the Wireless Telegraphy Act 2006.]

Termination of automatic call forwarding (U.K.)

17.—(1) Where—

(a) calls originally directed to another line are being automatically forwarded to a subscriber’s line as a result of action taken by a third party, and

(b) the subscriber requests his provider of electronic communications services (“the subscriber’s provider”) to stop the forwarding of those calls,

the subscriber’s provider shall ensure, free of charge, that the forwarding is stopped without any avoidable delay.

(2) For the purposes of paragraph (1), every other communications provider shall comply with any reasonable requests made by the subscriber’s provider to assist in the prevention of that forwarding.

Directories of subscribers (U.K.)

18.—(1) This regulation applies in relation to a directory of subscribers, whether in printed or electronic form, which is made available to members of the public or a section of the public, including by means of a directory enquiry service.

(2) The personal data of an individual subscriber shall not be included in a directory unless that subscriber has, free of charge, been—

(a) informed by the collector of the personal data of the purposes of the directory in which his personal data are to be included, and

(b) given the opportunity to determine whether such of his personal data as are considered relevant by the producer of the directory should be included in the directory.

(3) Where personal data of an individual subscriber are to be included in a directory with facilities which enable users of that directory to obtain access to that data solely on the basis of a telephone number—

(a)the information to be provided under paragraph (2)(a) shall include information about those facilities; and

(b)for the purposes of paragraph (2)(b), the express consent of the subscriber to the inclusion of his data in a directory with such facilities must be obtained.

(4) Data relating to a corporate subscriber shall not be included in a directory where that subscriber has advised the producer of the directory that it does not want its data to be included in that directory.

(5) Where the data of an individual subscriber have been included in a directory, that subscriber shall, without charge, be able to verify, correct or withdraw those data at any time.

(6) Where a request has been made under paragraph (5) for data to be withdrawn from or corrected in a directory, that request shall be treated as having no application in relation to an edition of a directory that was produced before the producer of the directory received the request.

(7) For the purposes of paragraph (6), an edition of a directory which is revised after it was first produced shall be treated as a new edition.

(8) In this regulation, “telephone number” has the same meaning as in section 56(5) of the Communications Act 2003 M11 but does not include any number which is used as an internet domain name, an internet address or an address or identifier incorporating either an internet domain name or an internet address, including an electronic mail address.

Marginal Citations

M11 2003 c. 21; for the commencement of section 56(5), see article 2(1) of S.I. 2003/1900 (C. 77).

Use of automated calling systems

19.—(1) A person shall neither transmit, nor instigate the transmission of, communications comprising recorded matter for direct marketing purposes by means of an automated calling [F18or communication] system except in the circumstances referred to in paragraph (2).

[F19(2) Those circumstances are where—

(a)the called line is that of a subscriber who has previously notified the caller that for the time being he consents to such communications being sent by, or at the instigation of, the caller on that line; and

(b)the person transmitting, or instigating the transmission of, such communications—

(i)does not prevent presentation of the identity of the calling line on the called line; or

(ii)presents the identity of a line on which he can be contacted.]

(3) A subscriber shall not permit his line to be used in contravention of paragraph (1).

(4) For the purposes of this regulation, an automated calling system is a system which is capable of—

(a)automatically initiating a sequence of calls to more than one destination in accordance with instructions stored in that system; and

(b)transmitting sounds which are not live speech for reception by persons at some or all of the destinations so called.

Use of facsimile machines for direct marketing purposes

20.—(1) A person shall neither transmit, nor instigate the transmission of, unsolicited communications for direct marketing purposes by means of a facsimile machine where the called line is that of—

(a)an individual subscriber, except in the circumstances referred to in paragraph (2);

(b)a corporate subscriber who has previously notified the caller that such communications should not be sent on that line; or

(c)a subscriber and the number allocated to that line is listed in the register kept under regulation 25.

(2) The circumstances referred to in paragraph (1)(a) are that the individual subscriber has previously notified the caller that he consents for the time being to such communications being sent by, or at the instigation of, the caller.

(3) A subscriber shall not permit his line to be used in contravention of paragraph (1).

(4) A person shall not be held to have contravened paragraph (1)(c) where the number allocated to the called line has been listed on the register for less than 28 days preceding that on which the communication is made.

(5) Where a subscriber who has caused a number allocated to a line of his to be listed in the register kept under regulation 25 has notified a caller that he does not, for the time being, object to such communications being sent on that line by that caller, such communications may be sent by that caller on that line, notwithstanding that the number allocated to that line is listed in the said register.

(6) Where a subscriber has given a caller notification pursuant to paragraph (5) in relation to a line of his—

(a)the subscriber shall be free to withdraw that notification at any time, and

(b)where such notification is withdrawn, the caller shall not send such communications on that line.

(7) The provisions of this regulation are without prejudice to the provisions of regulation 19.

[F20Calls for direct marketing purposes]

21.[F21(A1) A person shall neither use, nor instigate the use of, a public electronic communications service for the purposes of making calls (whether solicited or unsolicited) for direct marketing purposes except where that person—

(a)does not prevent presentation of the identity of the calling line on the called line; or

(b)presents the identity of a line on which he can be contacted.]

(1) A person shall neither use, nor instigate the use of, a public electronic communications service for the purposes of making unsolicited calls for direct marketing purposes where—

(a)the called line is that of a subscriber who has previously notified the caller that such calls should not for the time being be made on that line; or

(b)the number allocated to a subscriber in respect of the called line is one listed in the register kept under regulation 26.

(2) A subscriber shall not permit his line to be used in contravention of [F22paragraphs (A1) or (1)].

(3) A person shall not be held to have contravened paragraph (1)(b) where the number allocated to the called line has been listed on the register for less than 28 days preceding that on which the call is made.

(4) Where a subscriber who has caused a number allocated to a line of his to be listed in the register kept under regulation 26 has notified a caller that he does not, for the time being, object to such calls being made on that line by that caller, such calls may be made by that caller on that line, notwithstanding that the number allocated to that line is listed in the said register.

(5) Where a subscriber has given a caller notification pursuant to paragraph (4) in relation to a line of his—

(a)the subscriber shall be free to withdraw that notification at any time, and

(b)where such notification is withdrawn, the caller shall not make such calls on that line.

Use of electronic mail for direct marketing purposes

22.—(1) This regulation applies to the transmission of unsolicited communications by means of electronic mail to individual subscribers.

(2) Except in the circumstances referred to in paragraph (3), a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.

(3) A person may send or instigate the sending of electronic mail for the purposes of direct marketing where—

(a)that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient;

(b)the direct marketing is in respect of that person’s similar products and services only; and

(c)the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.

(4) A subscriber shall not permit his line to be used in contravention of paragraph (2).

Use of electronic mail for direct marketing purposes where the identity or address of the sender is concealed

23.  A person shall neither transmit, nor instigate the transmission of, a communication for the purposes of direct marketing by means of electronic mail—

(a)where the identity of the person on whose behalf the communication has been sent has been disguised or concealed; F23...

(b)where a valid address to which the recipient of the communication may send a request that such communications cease has not been provided;

[F24(c)where that electronic mail would contravene regulation 7 of the Electronic Commerce (EC Directive) Regulations 2002; or

(d)where that electronic mail encourages recipients to visit websites which contravene that regulation.]

Information to be provided for the purposes of regulations 19, 20 and 21

24.—(1) Where a public electronic communications service is used for the transmission of a communication for direct marketing purposes the person using, or instigating the use of, the service shall ensure that the following information is provided with that communication—

(a)in relation to a communication to which regulations 19 (automated calling systems) and 20 (facsimile machines) apply, the particulars mentioned in paragraph (2)(a) and (b);

(b)in relation to a communication to which regulation 21 (telephone calls) applies, the particulars mentioned in paragraph (2)(a) and, if the recipient of the call so requests, those mentioned in paragraph (2)(b).

(2) The particulars referred to in paragraph (1) are—

(a)the name of the person;

(b)either the address of the person or a telephone number on which he can be reached free of charge.

Register to be kept for the purposes of regulation 20

25.—(1) For the purposes of regulation 20 [F25the Commissioner] shall maintain and keep up-to-date, in printed or electronic form, a register of the numbers allocated to subscribers, in respect of particular lines, who have notified [F26the Commissioner or, prior to 30th December 2016, OFCOM] (notwithstanding, in the case of individual subscribers, that they enjoy the benefit of regulation 20(1)(a) and (2)) that they do not for the time being wish to receive unsolicited communications for direct marketing purposes by means of facsimile machine on the lines in question.

(2) [F25The Commissioner] shall remove a number from the register maintained under paragraph (1) where [F27the Commissioner has] reason to believe that it has ceased to be allocated to the subscriber by whom [F28the Commissioner was or, prior to 30th December 2016, OFCOM were] notified pursuant to paragraph (1).

(3) On the request of—

(a)a person wishing to send, or instigate the sending of, such communications as are mentioned in paragraph (1), or

(b)a subscriber wishing to permit the use of his line for the sending of such communications,

for information derived from the register kept under paragraph (1), [F25the Commissioner] shall, unless it is not reasonably practicable so to do, on the payment to [F29the Commissioner] of such fee as is, subject to paragraph (4), required by [F29the Commissioner], make the information requested available to that person or that subscriber.

(4) For the purposes of paragraph (3) [F25the Commissioner] may require different fees—

(a)for making available information derived from the register in different forms or manners, or

(b)for making available information derived from the whole or from different parts of the register,

but the fees required by [F29the Commissioner] shall be ones in relation to which the Secretary of State has notified [F25the Commissioner] that he is satisfied that they are designed to secure, as nearly as may be and taking one year with another, that the aggregate fees received, or reasonably expected to be received, equal the costs incurred, or reasonably expected to be incurred, by [F25the Commissioner] in discharging [F30the Commissioner’s] duties under paragraphs (1), (2) and (3).

(5) The functions of [F25the Commissioner] under paragraphs (1), (2) and (3), other than the function of determining the fees to be required for the purposes of paragraph (3), may be discharged on [F30the Commissioner’s] behalf by some other person in pursuance of arrangements made by [F25the Commissioner] with that other person.

Register to be kept for the purposes of regulation 21

26.—(1) For the purposes of regulation 21 [F31the Commissioner] shall maintain and keep up-to-date, in printed or electronic form, a register of the numbers allocated to F32... subscribers, in respect of particular lines, who have notified [F33the Commissioner or, prior to 30th December 2016, OFCOM] that they do not for the time being wish to receive unsolicited calls for direct marketing purposes on the lines in question.

[F34(1A) Notifications to [F31the Commissioner] made for the purposes of paragraph (1) by corporate subscribers shall be in writing.]

(2) [F31The Commissioner] shall remove a number from the register maintained under paragraph (1) where [F35the Commissioner has] reason to believe that it has ceased to be allocated to the subscriber by whom [F36the Commissioner was or, prior to 30th December 2016, OFCOM were] notified pursuant to paragraph (1).

[F37(2A) Where a number allocated to a corporate subscriber is listed in the register maintained under paragraph (1), [F31the Commissioner] shall, within the period of 28 days following each anniversary of the date of that number being first listed in the register, send to the subscriber a written reminder that the number is listed in the register.]

(3) On the request of—

(a)a person wishing to make, or instigate the making of, such calls as are mentioned in paragraph (1), or

(b)a subscriber wishing to permit the use of his line for the making of such calls,

for information derived from the register kept under paragraph (1), [F31the Commissioner] shall, unless it is not reasonably practicable so to do, on the payment to [F38the Commissioner] of such fee as is, subject to paragraph (4), required by [F38the Commissioner], make the information requested available to that person or that subscriber.

(4) For the purposes of paragraph (3) [F31the Commissioner] may require different fees—

(a)for making available information derived from the register in different forms or manners, or

(b)for making available information derived from the whole or from different parts of the register,

but the fees required by [F38the Commissioner] shall be ones in relation to which the Secretary of State has notified [F31the Commissioner] that he is satisfied that they are designed to secure, as nearly as may be and taking one year with another, that the aggregate fees received, or reasonably expected to be received, equal the costs incurred, or reasonably expected to be incurred, by [F31the Commissioner] in discharging [F39the Commissioner’s] duties under paragraphs (1), (2) and (3).

(5) The functions of [F31the Commissioner] under paragraphs (1), (2) [F40, (2A)] and (3), other than the function of determining the fees to be required for the purposes of paragraph (3), may be discharged on [F39the Commissioner’s] behalf by some other person in pursuance of arrangements made by [F31the Commissioner] with that other person.

Modification of contracts

27.  To the extent that any term in a contract between a subscriber to and the provider of a public electronic communications service or such a provider and the provider of an electronic communications network would be inconsistent with a requirement of these Regulations, that term shall be void.

National security

28.—(1) Nothing in these Regulations shall require a communications provider to do, or refrain from doing, anything (including the processing of data) if exemption from the requirement in question is required for the purpose of safeguarding national security.

(2) Subject to paragraph (4), a certificate signed by a Minister of the Crown certifying that exemption from any requirement of these Regulations is or at any time was required for the purpose of safeguarding national security shall be conclusive evidence of that fact.

(3) A certificate under paragraph (2) may identify the circumstances in which it applies by means of a general description and may be expressed to have prospective effect.

(4) Any person directly affected by the issuing of a certificate under paragraph (2) may appeal to the Tribunal against the issuing of the certificate.

(5) If, on an appeal under paragraph (4), the Tribunal finds that, applying the principles applied by a court on an application for judicial review, the Minister did not have reasonable grounds for issuing the certificate, the Tribunal may allow the appeal and quash the certificate.

(6) Where, in any proceedings under or by virtue of these Regulations, it is claimed by a communications provider that a certificate under paragraph (2) which identifies the circumstances in which it applies by means of a general description applies in the circumstances in question, any other party to the proceedings may appeal to the Tribunal on the ground that the certificate does not apply in those circumstances and, subject to any determination under paragraph (7), the certificate shall be conclusively presumed so to apply.

(7) On any appeal under paragraph (6), the Tribunal may determine that the certificate does not so apply.

(8) In this regulation—

[F41(a)“the Tribunal”, in relation to any appeal under this regulation, means—

(i)the Upper Tribunal, in any case where it is determined by or under Tribunal Procedure Rules that the Upper Tribunal is to hear the appeal; or

(ii)the First-tier Tribunal, in any other case;]

(b)Subsections (8), (9), (10) and (12) of section 28 of and Schedule 6 to that Act apply for the purposes of this regulation as they apply for the purposes of section 28;

(c)section 58 of that Act shall apply for the purposes of this regulation as if the reference in that section to the functions of the Tribunal under that Act included a reference to the functions of the Tribunal under paragraphs (4) to (7) of this regulation; and

(d)subsections (1), (2) and (5)(f) of section 67 of that Act shall apply in respect of the making of rules relating to the functions of the Tribunal under this regulation.

Legal requirements, law enforcement etc.

29.—(1) Nothing in these Regulations shall require a communications provider to do, or refrain from doing, anything (including the processing of data)—

(a)if compliance with the requirement in question—

(i)would be inconsistent with any requirement imposed by or under an enactment or by a court order; or

(ii)would be likely to prejudice the prevention or detection of crime or the apprehension or prosecution of offenders; or

(b)if exemption from the requirement in question—

(i)is required for the purposes of, or in connection with, any legal proceedings (including prospective legal proceedings);

(ii)is necessary for the purposes of obtaining legal advice; or

(iii)is otherwise necessary for the purposes of establishing, exercising or defending legal rights.

[F42 29A.(1) Where regulations 28 and 29 apply, communications providers must establish and maintain internal procedures for responding to requests for access to users’ personal data.

(2) Communications providers shall on demand provide the Information Commissioner with information about—

(a)those procedures;

(b)the number of requests received;

(c)the legal justification for the request; and

(d)the communications provider’s response.]

Proceedings for compensation for failure to comply with requirements of the Regulations

30.—(1) A person who suffers damage by reason of any contravention of any of the requirements of these Regulations by any other person shall be entitled to bring proceedings for compensation from that other person for that damage.

(2) In proceedings brought against a person by virtue of this regulation it shall be a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the relevant requirement.

(3) The provisions of this regulation are without prejudice to those of regulation 31.

Enforcement – extension of Part V of the Data Protection Act 1998

31.—(1) The provisions of Part V [F43and sections 55A to 55E] of the Data Protection Act 1998 and of Schedules 6 and 9 to that Act are extended for the purposes of these Regulations and, for those purposes, shall have effect subject to the modifications set out in Schedule 1.

(2) In regulations 32 and 33, “enforcement functions” means the functions of the Information Commissioner under the provisions referred to in paragraph (1) as extended by that paragraph [F44and the functions set out in regulations 31A and 31B].

(3) The provisions of this regulation are without prejudice to those of regulation 30.

[F45Enforcement: third party information notices

31A.(1) The Information Commissioner may require a communications provider (A) to provide information to the Information Commissioner by serving on A a notice (“a third party information notice”).

(2) The third party information notice may require A to release information held by A about another person’s use of an electronic communications network or an electronic communications service where the Information Commissioner believes that the information requested is relevant information.

(3) Relevant information is information which the Information Commissioner considers is necessary to investigate the compliance of any person with these Regulations.

(4) The notice shall set out—

(a)the information requested,

(b)the form in which the information must be provided;

(c)the time limit within which the information must be provided; and

(d)information about the rights of appeal conferred by these Regulations.

(5) The time limit referred to in paragraph (4)(c) shall not expire before the end of the period in which an appeal may be brought. If an appeal is brought, the information requested need not be provided pending the determination or withdrawal of the appeal.

(6) In an urgent case, the Commissioner may include in the notice—

(a)a statement that the case is urgent; and

(b)a statement of his reasons for reaching that conclusion,

in which case paragraph (5) shall not apply.

(7) Where paragraph (6) applies, the communications provider shall have a minimum of 7 days (beginning on the day on which the notice is served) to provide the information requested.

(8) A person shall not be required by virtue of this regulation to disclose any information in respect of—

(a)any communication between a professional legal adviser and the adviser’s client in connection with the giving of legal advice with respect to the client’s obligations, liabilities or rights under these Regulations, or

(b)any communication between a professional legal adviser and the adviser’s client, or between such an adviser or the adviser’s client and any other person, made in connection with or in contemplation of proceedings under or arising out of these Regulations (including proceedings before the Tribunal) and for the purposes of such proceedings.

Enforcement: appeals

31B.(1) A communications provider on whom a third party information notice has been served may appeal to the Tribunal against the notice.

(2) Appeals shall be determined in accordance with section 49 of and Schedule 6 to the Data Protection Act 1998 as modified by Schedule 1 to these Regulations.]

Request that the Commissioner exercise his enforcement functions

32.  Where it is alleged that there has been a contravention of any of the requirements of these Regulations either OFCOM or a person aggrieved by the alleged contravention may request the Commissioner to exercise his enforcement functions in respect of that contravention, but those functions shall be exercisable by the Commissioner whether or not he has been so requested.

Technical advice to the Commissioner

33.  OFCOM shall comply with any reasonable request made by the Commissioner, in connection with his enforcement functions, for advice on technical and similar matters relating to electronic communications.

Amendment to the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000

34.  In regulation 3 of the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 M12, for paragraph (3), there shall be substituted—

“(3) Conduct falling within paragraph (1)(a)(i) above is authorised only to the extent that Article 5 of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector so permits.”.

Amendment to the Electronic Communications (Universal Service) Order 2003

35.—(1) In paragraphs 2(2) and 3(2) of the Schedule to the Electronic Communications (Universal Service) Order 2003 M13, for the words “Telecommunications (Data Protection and Privacy) Regulations 1999” there shall be substituted “ Privacy and Electronic Communications (EC Directive) Regulations 2003 ”.

(2) Paragraph (1) shall have effect notwithstanding the provisions of section 65 of the Communications Act 2003 M14 (which provides for the modification of the Universal Service Order made under that section).

Marginal Citations

M14 2003 c. 21; for the commencement of section 65, see article 2(1) of S.I. 2003/1900 (C. 77).

Transitional provisions

36.  The provisions in Schedule 2 shall have effect.

[F46Review of implementation

37.(1) Before the end of each review period, the Secretary of State must—

(a)carry out a review of the implementation in the United Kingdom of the Directive;

(b)set out the conclusions of the review in a report; and

(c)publish the report.

(2) In carrying out the review the Secretary of State must, so far as is reasonable, have regard to how the Directive is implemented in other member States.

(3) The report must in particular—

(a)set out the objectives intended to be achieved by the implementation in the United Kingdom of the Directive;

(b)assess the extent to which those objectives are achieved; and

(c)assess whether those objectives remain appropriate and, if so, the extent to which they could be achieved with a system that imposes less regulation.

(4) “Review period” means—

(a)the period of five years beginning with the 26th May 2011; and

(b)subject to paragraph (5), each successive period of 5 years.

(5) If a report under this regulation is published before the last day of the review period to which it relates, the following review period is to begin with the day on which that report is published.]

Stephen Timms,

Minister of State for Energy, E-Commerce and Postal Services,

Department of Trade and Industry