European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) (Amendment) Regulations, 2008

• Jurisdiction: Ireland
• Year: 2008
• Citation: IR SI 526/2008

S.I. No. 526 of 2008

EUROPEAN COMMUNITIES (ELECTRONIC COMMUNICATIONS NETWORKS AND SERVICES) (DATA PROTECTION AND PRIVACY) (AMENDMENT) REGULATIONS 2008

Notice of the making of this Statutory Instrument was published in

“Iris Oifigiúil” of 12th December, 2008.

I, EAMON RYAN, Minister for Communications, Energy and Natural Resources, in exercise of the powers conferred on me by section 46A of the Communications Regulation Act 2002 (No. 20 of 2002) (as inserted by section 14 of the Communications Regulation (Amendment) Act 2007 (No. 22 of 2007)) and for the purpose of amending regulations made under section 3 of the European Communities Act 1972 (No. 27 of 1972) giving effect to Directive 2002/58/EC 1 of the European Parliament and of the Council of 12 July 2002, hereby make the following Regulations:

Citation and commencement

1. (1) These Regulations may be cited as the European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) (Amendment) Regulations 2008.

(2) These Regulations come into operation on the day after the date on which notice of their making is published in the Iris Oifigiúil.

“Principal Regulations” defined

2. In these Regulations, “the Principal Regulations” means the European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003 ( S.I. No. 535 of 2003 ).

Amendment of Regulation 2 of the Principal Regulations (Interpretation)

3. Regulation 2 of the Principal Regulations is amended as follows:

(a) in paragraph (1), by deleting the definition of “Acts”;

(b) in the definition of “consent” in paragraph (1), by substituting “the Data Protection Act 1988 ” for “the Acts”;

(c) in paragraph (1), by inserting the following definition after the definition of “enactment”:

“ ‘enforcement notice’ means a notice served under Regulation 17(4);”;

(d) in paragraph (1), by inserting the following definition after the definition of “Framework Regulations”:

“ ‘information notice’ means a notice served under section 12 of the Data Protection Act 1988 ;”;

(e) in paragraph (3), by substituting “the Data Protection Act 1988 ” for “the Acts”, wherever appearing.

Amendment of Regulation 5 of the Principal Regulations (Confidentiality of communications)

4. Regulation 5 of the Principal Regulations is amended by substituting the following paragraph for paragraph (1):

“(1) A person shall not use an electronic communications network to store information, or to gain access to information stored in the terminal equipment of a subscriber or user, unless—

(a) the subscriber or user is provided with clear and comprehensive information in accordance with the Data Protection Act 1988 , which—

(i) is both prominently displayed and easily accessible, and

(ii) includes, without limitation, the purpose of the processing, and

(b) the subscriber or user is offered by the data controller the right to refuse to consent to that use.”.

Revocation of Regulation 10 of the Principal Regulations (Exceptions)

5. Regulation 10 of the Principal Regulations is revoked.

Amendment of Regulation 12 of the Principal Regulations (Directories of subscribers)

6. Regulation 12 of the Principal Regulations is amended in paragraph (5)(a) by substituting “the Data Protection Act 1988 ” for “the Acts”.

Amendment of Regulation 13 of the Principal Regulations (Unsolicited communications)

7. Regulation 13 of the Principal Regulations is amended as follows:

(a) in paragraph (5), by substituting “Regulation 14” for “Regulation 13”;

(b) by substituting the following paragraph for paragraph (7):

“(7) A person who, in accordance with the Data Protection Act 1988 , the Data Protection Regulations or these Regulations, obtains from a customer the customer’s contact details for electronic mail, in the context of the sale of a product or service, shall not use those details for direct marketing unless

(a) the product or service is the person’s own product or service, and

(b) the product or service is of a kind similar to that supplied to the customer in the context of the sale by the person, and

(c) the customer is clearly and distinctly given the opportunity to object, in an easy manner and without charge, to the use of those details

(i) at the time they are collected, and

(ii) if the customer has not initially refused that use, each time the person sends a message to the customer.”;

(c) by substituting the following paragraphs for paragraphs (9) and (10):

“(9) A person who

(a) contravenes paragraph (1)(a) or (b), or (2), (3), (4), (7) or (8), or

(b) fails to comply with paragraph (6)(a) or (b),

commits an offence.

(9A) In relation to a contravention or failure to comply referred to in paragraph (9), each unsolicited communication or electronic mail sent, or each unsolicited call made, is to be treated as a separate offence.

(9B) An offence under this Regulation is triable either summarily or on indictment.

(9C) If, in proceedings for an offence under this Regulation, the question of whether or not a subscriber consented to receiving an unsolicited communication or call is in issue, the onus of establishing that the subscriber consented to receipt of the communication or call lies on the defendant.

(9D) A person found guilty of an offence under this Regulation is liable on conviction

(a) if the person is tried summarily, to a fine not exceeding €5,000, or

(b) if the person is a body corporate and the offence is tried on indictment, to a fine not exceeding

(i) €250,000, or

(ii) if 10 per cent of the turnover of the person is greater than that amount, an amount equal to that percentage, or

(c) if the person is a natural person and the offence is tried on indictment, to a fine not exceeding €50,000.”.

Amendment of Regulation 14 of the Principal Regulations (National Directory Database)

8. Regulation 14 of the Principal Regulations is amended in paragraph (6)(a) by substituting “the Data Protection Act 1988 ” for “the Acts”.

Substitution of Regulation 17 of the Principal Regulations

9. The Principal Regulations are amended by substituting the following Regulations for Regulation 17:

“Commissioner‘s powers of enforcement

17. (1) The Commissioner may investigate, or cause to be investigated, whether any prescribed provision of these Regulations has been, is being or is likely to be contravened or not complied with in relation to a natural person. The power may be exercised either as a result of a complaint made by or on behalf of the person or on the Commissioner’s own initiative as a result of forming an opinion that there may be such a contravention.

(2) Unless of the opinion that a complaint made under paragraph (1) is frivolous or vexatious, the Commissioner shall ensure that the complaint is investigated as soon as practicable after it is received, having regard to the Commissioner’s responsibilities under the Data Protection Act 1988 .

(3) If, after the elapse of a reasonable time, the Commissioner is unable to bring about the amicable resolution of the matter to which a complaint relates (other than a complaint giving rise to the commission of an offence), the Commissioner shall notify the person concerned in writing of the Commissioner’s decision in relation to the matter. The notice must include a statement to the effect that, if the person is dissatisfied with the Commissioner’s decision, the person has a right to appeal to the Circuit Court under Regulation 17D against the decision within 21 days after the date on which the decision is notified to the person under this paragraph.

(4) If the Commissioner is of opinion that a person has contravened or not complied with, or is contravening or not complying with, a prescribed provision of these Regulations (other than one giving rise to the commission of an offence), the Commissioner may serve on the person an enforcement notice requiring the person to take, within a specified period, such steps as are specified in the notice.

(5) An enforcement notice—

(a) shall specify the prescribed provision of these Regulations (if any) that, in the opinion of the Commissioner, has been, or is being, contravened or not complied with and the reasons for having formed that opinion, and

(b) subject to paragraph (7), shall state that the person concerned has a right to appeal to the Circuit Court under Regulation 17D against the requirement specified in the notice within 21 days from the service of the notice on that person.

(6) Subject to paragraph (7), the time specified in an enforcement notice for compliance with a specified requirement may not be expressed to expire until after the period of 21 days referred to in paragraph (5)(b). If the requirement subsequently becomes the subject of an appeal, the requirement need not be complied with (and paragraph (10) does not apply in relation to it), pending the determination or withdrawal of the appeal.

(7) Paragraphs (5)(b) and (6) do not apply to an enforcement notice if the Commissioner—

(a) because of special circumstances, is of the opinion that a requirement specified in an enforcement notice should be complied with without delay, and

(b) includes a statement to that effect in the notice.

In that case, however, the enforcement notice shall contain a statement specifying the effect of Regulation 17D (paragraphs (3) and (4) excepted) and may not require compliance with the requirement before the expiry of 7 days beginning on the date on which the notice was served.

(8) As soon as practicable after complying with paragraph (4) (and in any case not later than 40 days after so complying), a data controller shall notify the blocking, rectification, erasure, destruction or statement concerned

(a) to the data subject concerned, and

(b) if compliance materially modifies the data...