The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, informally known as the Cookie Regulations, came into force in the UK on 26 May 2011. They amend the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) to implement the 2009 revisions to the EU e-Privacy Directive.
The revisions include the following:
- Data security breach notification. A requirement for Member States to adopt provisions requiring providers of public electronic communications services to notify the national regulator of any personal data breach.
- Spam. A right for legal persons with a legitimate interest in combating unsolicited commercial e-mail (spam) to take civil action against spammers.
- Penalties and enforcement. Member States must provide for effective, proportionate and dissuasive penalties (including criminal sanctions) for any infringement of the national provisions adopted under the Directive.
- Cookies. New requirements on the storing of, and gaining access to, information on users' equipment (cookies and similar technologies).
The Commissioner has allowed a lead-in period of 12 months for organisations to develop ways of meeting the cookie-related requirements before considering use of his enforcement powers. This lead-in period ends in May 2012.
The Regulations enhance the Information Commissioner's enforcement powers and introduce new requirements, most notably in relation to cookies. The Commissioner now has the power to:
- Impose a civil monetary penalty of up to £500,000 where a serious breach has taken place that is likely to cause damage or distress and was deliberate;
- Audit the measures taken by a service provider to:
  - safeguard the security of that service;
  - comply with the new personal data breach notification and recording requirements;
- Impose a fixed monetary penalty of £1,000 on a service provider that fails to comply with the new breach notification requirements; and
- Require a communications provider to supply him with the information needed to investigate any person's compliance with PECR (a third party information notice).
Access for national security, legal requirements, law enforcement etc. The 2011 Regulations also require communications providers to establish internal procedures for responding to requests for access to users' personal data for these purposes.
The Commissioner recognises that some communications providers may not yet have the necessary internal procedures in place for responding to such requests, and that establishing them will take some time. He therefore intends to allow a lead-in period of three months before considering use of his enforcement powers in connection with these requirements.
Similarly, he does not envisage requiring communications providers to supply the information he is entitled to under the 2011 Regulations before August 2011.