PECR – they are still around!!!

By David Hendry

PECR. They are still around!

When discussing the Privacy and Electronic Communications Regulations (2003) (as amended numerous times) the Outsourced DPO usually finds one of several reactions:

  • What? Never heard of ‘em.
  • No! That can’t possibly be right – it’s bonkers!
  • But I thought they were replaced by the GDPR.
  • I’ve never really understood them as they are so complicated.

Having recently delivered a PECR Master Class, the Outsourced DPO thought that the PECR deserved unpacking and unpicking over the next few weeks.  Don’t forget to contact us at Data Protection People if you have any questions about anything related to data protection and information security including the PECR.


It’s worth looking at the background to the PECR because it is true that it does a lot of things.

Those old enough to remember the late ‘90s and early noughties will remember the meteoric growth of platforms such as Friends Reunited which grew from a standing start in June 2000, to having 3,000 members by the end of the year and 2.5 million members 12 months later.  Heady days indeed when the most popular mobile phone was the Nokia 3310.

Legislators were concerned about the increasing capacity for automated storage and processing of data relating to subscribers and users brought about by new advanced digital technologies being introduced in public communications networks in the European Community, giving rise to specific requirements concerning the protection of personal data and privacy of the user.  Access to digital mobile networks was becoming available and affordable for a large public and it was recognised that these digital networks had large capacities and possibilities for processing personal data.  Recitals 5, 6 and 7 of the Directive sum up the mood of the time.

As a result of this landscape Directive 2002/58/EC (the e-Privacy Directive) was enacted In July 2002 providing legislation concerning the processing of personal data and the protection of privacy in the electronic communications sector.  The e-Privacy Directive recognised that the Internet was overturning traditional market structures by providing a common, global infrastructure for the delivery of a wide range of electronic communications services opening up new possibilities for users but also new risks for their personal data and privacy.

It sought to ensure respect of the fundamental rights and observe the principles recognised in particular by the Charter of fundamental rights of the European Union (Recital 2) and aimed to harmonise the various provisions of Member States to ensure an adequate level of protection of fundamental rights and freedoms (and in particular the right to privacy) regarding the processing of personal data in the electronic communications sector and to enable the free movement of such data and of electronic communication services and equipment in the European Community.

It was designed to go into more detail about the electronic communications services/sector and complement Directive 95/46/EC [the Data Protection Directive].  It also aimed to provide for protection of the legitimate interests of subscribers who are legal persons (Article 1).

Because of its broad scope, the Directive therefore covers a great deal of ground including security and confidentiality of communications, the use of calling line identification (CLI), and the publication of telephone directories, as well as regulating the use of location data, and traffic data.  It also provides a regulatory framework for the use of electronic communications services/systems for sending unsolicited communications which represents 99% of the Outsourced DPO’s work with PECR.

Unlike European Regulations which take direct effect on Member States with no enabling domestic legislation, European Directives must be implemented into domestic legislation in each of the Member States of the EU.  The e-Privacy Directive was transposed into British law in the form of the Privacy and Electronic Communications Regulations (2003) which came into force on 11th December 2003.

Unsolicited Communications

The bit of the PECR that the Outsourced DPO is most interested in is that regarding the use of the internet and electronic communications systems for direct marketing which is covered in Article 13 of the e-Privacy Directive.

The prohibition

Article 13 begins by prohibiting the use of automated calling systems (such as auto diallers – computers that plough through a database and place calls to each number in turn.  When a connection is made (i.e. someone picks up the phone), the auto dialler looks for an available agent.  If it can’t find one it drops the call leading to a “silent call” otherwise it will connect the call to an available telephone agent).  The Directive quaintly describes automated calling systems as “telephone systems that place calls without human intervention”.  The prohibition is extended to facsimile machines (fax) and electronic mail.

Electronic mail is defined as any text, voice, sound or image message sent over a public communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient which includes a wide range of use-cases including e-mail, SMS, MMS, and messaging through social media channels.

Article 13 clearly states that the use of these tools and technologies is prohibited for the purposes of direct marketing without the prior consent of the subscriber.

Subscribers and users

The term “Subscriber” is not defined in the Directive but its scope is outlined in Recitals 12 and 13 which provide that a subscriber may be a natural or a legal person (i.e. a human or an organisational entity) with a contractual relationship with service providers.  A subscriber therefore is the person with the phone contract, the Twitter or Facebook account or the LinkedIn subscription.

The e-Privacy Directive not only refers to subscribers, but also to users – a term it does define in Article 2 as, “any natural person using a publicly available electronic communications service, for private or business purposes, without necessarily having subscribed to this service”.

The PECR therefore recognises that users may, for example, use a business email address or phone number without necessarily being the subscriber with a relationship with the service provider and is entitled to the upholding of their fundamental rights and freedoms.

Short summary

As data protection professionals, the emphasis in the Directive we need to be mindful about is that of protecting people’s right to privacy through the rapidly rising capabilities and falling costs of electronic communications systems and services and the seemingly insatiable desire of an eager public to use them.  We need to be mindful of the words of Article 2 – the Directive is meant to complement the Data Protection Directive but also to go above and beyond it.  To “particularise” data protection with regard to the electronic communications sector and electronic communications services.

Next Blog

Next week the Outsourced DPO will begin to examine the regulations around unsolicited communications for direct marketing purposes and how they have evolved into the current interpretation and implementation of the law.

Contact Us

Send us a Message

    We would like to use your contact information to send you marketing and promotional materials and special offers by email from time to time. We may only send information to you in this way with your consent. Please indicate whether you consent to us contacting you in this way for those purposes. You may withdraw your consent at any time by clicking the unsubscribe link in our emails.

    We are always happy to make contact with you by either phone, email or a face to face meeting at our office or yours. We work standard UK office hours – every week day 0830 to 1730.


    We have been receiving complaints over the last few weeks from people who have received unsolicited direct marketing calls from a company called The Protection People.  We should like to point out that we are Data Protection People and have nothing to do with those calls.

    We have been advising those people who have contacted us that they should make a complaint to the Information Commissioner’s Office (ICO) using this link  It would be helpful to the ICO if you knew the number that called you, the date and time of the call and what the call seemed to be about.

    You might also want to register your phone number with the telephone preference service (TPS), a national suppression service which should cut down calls of this nature as it is not lawful to make unsolicited direct marketing calls to numbers registered on the TPS.  You can register your number here

    We know that these kind of calls can be distressing and intrusive and you have our sympathy.  Please do not hesitate to contact us if you would like to discuss it with us otherwise we’d encourage you to report it to the ICO as notifying them of this kind of practice enables them to investigate and take enforcement action where necessary.  You can see the action that has been taken by the ICO here

    Data Protection People Limited – March 2021