S.I. No. 526/2008 - European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) (Amendment) Regulations 2008
EUROPEAN COMMUNITIES (ELECTRONIC COMMUNICATIONS NETWORKS AND SERVICES) (DATA PROTECTION AND PRIVACY) (AMENDMENT) REGULATIONS 2008 | ||
Notice of the making of this Statutory Instrument was published in | ||
“Iris Oifigiúil” of 12th December, 2008. | ||
I, EAMON RYAN, Minister for Communications, Energy and Natural Resources, in exercise of the powers conferred on me by section 46A of the Communications Regulation Act 2002 (No. 20 of 2002) (as inserted by section 14 of the Communications Regulation (Amendment) Act 2007 (No. 22 of 2007)) and for the purpose of amending regulations made under section 3 of the European Communities Act 1972 (No. 27 of 1972) giving effect to Directive 2002/58/EC 1 of the European Parliament and of the Council of 12 July 2002, hereby make the following Regulations: | ||
Citation and commencement | ||
1. (1) These Regulations may be cited as the European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) (Amendment) Regulations 2008. | ||
(2) These Regulations come into operation on the day after the date on which notice of their making is published in the Iris Oifigiúil. | ||
“Principal Regulations” defined | ||
2. In these Regulations, “the Principal Regulations” means the European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003 ( S.I. No. 535 of 2003 ). | ||
Amendment of Regulation 2 of the Principal Regulations (Interpretation) | ||
3. Regulation 2 of the Principal Regulations is amended as follows: | ||
(a) in paragraph (1), by deleting the definition of “Acts”; | ||
(b) in the definition of “consent” in paragraph (1), by substituting “the Data Protection Act 1988 ” for “the Acts”; | ||
(c) in paragraph (1), by inserting the following definition after the definition of “enactment”: | ||
“ ‘enforcement notice’ means a notice served under Regulation 17(4);”; | ||
(d) in paragraph (1), by inserting the following definition after the definition of “Framework Regulations”: | ||
“ ‘information notice’ means a notice served under section 12 of the Data Protection Act 1988 ;”; | ||
(e) in paragraph (3), by substituting “the Data Protection Act 1988 ” for “the Acts”, wherever appearing. | ||
Amendment of Regulation 5 of the Principal Regulations (Confidentiality of communications) | ||
4. Regulation 5 of the Principal Regulations is amended by substituting the following paragraph for paragraph (1): | ||
“(1) A person shall not use an electronic communications network to store information, or to gain access to information stored in the terminal equipment of a subscriber or user, unless— | ||
(a) the subscriber or user is provided with clear and comprehensive information in accordance with the Data Protection Act 1988 , which— | ||
(i) is both prominently displayed and easily accessible, and | ||
(ii) includes, without limitation, the purpose of the processing, and | ||
(b) the subscriber or user is offered by the data controller the right to refuse to consent to that use.”. | ||
Revocation of Regulation 10 of the Principal Regulations (Exceptions) | ||
5. Regulation 10 of the Principal Regulations is revoked. | ||
Amendment of Regulation 12 of the Principal Regulations (Directories of subscribers) | ||
6. Regulation 12 of the Principal Regulations is amended in paragraph (5)(a) by substituting “the Data Protection Act 1988 ” for “the Acts”. | ||
Amendment of Regulation 13 of the Principal Regulations (Unsolicited communications) | ||
7. Regulation 13 of the Principal Regulations is amended as follows: | ||
(a) in paragraph (5), by substituting “Regulation 14” for “Regulation 13”; | ||
(b) by substituting the following paragraph for paragraph (7): | ||
“(7) A person who, in accordance with the Data Protection Act 1988 , the Data Protection Regulations or these Regulations, obtains from a customer the customer’s contact details for electronic mail, in the context of the sale of a product or service, shall not use those details for direct marketing unless | ||
(a) the product or service is the person’s own product or service, and | ||
(b) the product or service is of a kind similar to that supplied to the customer in the context of the sale by the person, and | ||
(c) the customer is clearly and distinctly given the opportunity to object, in an easy manner and without charge, to the use of those details | ||
(i) at the time they are collected, and | ||
(ii) if the customer has not initially refused that use, each time the person sends a message to the customer.”; | ||
(c) by substituting the following paragraphs for paragraphs (9) and (10): | ||
“(9) A person who | ||
(a) contravenes paragraph (1)(a) or (b), or (2), (3), (4), (7) or (8), or | ||
(b) fails to comply with paragraph (6)(a) or (b), | ||
commits an offence. | ||
(9A) In relation to a contravention or failure to comply referred to in paragraph (9), each unsolicited communication or electronic mail sent, or each unsolicited call made, is to be treated as a separate offence. | ||
(9B) An offence under this Regulation is triable either summarily or on indictment. | ||
(9C) If, in proceedings for an offence under this Regulation, the question of whether or not a subscriber consented to receiving an unsolicited communication or call is in issue, the onus of establishing that the subscriber consented to receipt of the communication or call lies on the defendant. | ||
(9D) A person found guilty of an offence under this Regulation is liable on conviction | ||
(a) if the person is tried summarily, to a fine not exceeding €5,000, or | ||
(b) if the person is a body corporate and the offence is tried on indictment, to a fine not exceeding | ||
(i) €250,000, or | ||
(ii) if 10 per cent of the turnover of the person is greater than that amount, an amount equal to that percentage, or | ||
(c) if the person is a natural person and the offence is tried on indictment, to a fine not exceeding €50,000.”. | ||
Amendment of Regulation 14 of the Principal Regulations (National Directory Database) | ||
8. Regulation 14 of the Principal Regulations is amended in paragraph (6)(a) by substituting “the Data Protection Act 1988 ” for “the Acts”. | ||
Substitution of Regulation 17 of the Principal Regulations | ||
9. The Principal Regulations are amended by substituting the following Regulations for Regulation 17: | ||
“Commissioner‘s powers of enforcement | ||
17. (1) The Commissioner may investigate, or cause to be investigated, whether any prescribed provision of these Regulations has been, is being or is likely to be contravened or not complied with in relation to a natural person. The power may be exercised either as a result of a complaint made by or on behalf of the person or on the Commissioner’s own initiative as a result of forming an opinion that there may be such a contravention. | ||
(2) Unless of the opinion that a complaint made under paragraph (1) is frivolous or vexatious, the Commissioner shall ensure that the complaint is investigated as soon as practicable after it is received, having regard to the Commissioner’s responsibilities under the Data Protection Act 1988 . | ||
(3) If, after the elapse of a reasonable time, the Commissioner is unable to bring about the amicable resolution of the matter to which a complaint relates (other than a complaint giving rise to the commission of an offence), the Commissioner shall notify the person concerned in writing of the Commissioner’s decision in relation to the matter. The notice must include a statement to the effect that, if the person is dissatisfied with the Commissioner’s decision, the person has a right to appeal to the Circuit Court under Regulation 17D against the decision within 21 days after the date on which the decision is notified to the person under this paragraph. | ||
(4) If the Commissioner is of opinion that a person has contravened or not complied with, or is contravening or not complying with, a prescribed provision of these Regulations (other than one giving rise to the commission of an offence), the Commissioner may serve on the person an enforcement notice requiring the person to take, within a specified period, such steps as are specified in the notice. | ||
(5) An enforcement notice— | ||
(a) shall specify the prescribed provision of these Regulations (if any) that, in the opinion of the Commissioner, has been, or is being, contravened or not complied with and the reasons for having formed that opinion, and | ||
(b) subject to paragraph (7), shall state that the person concerned has a right to appeal to the Circuit Court under Regulation 17D against the requirement specified in the notice within 21 days from the service of the notice on that person. | ||
(6) Subject to paragraph (7), the time specified in an enforcement notice for compliance with a specified requirement may not be expressed to expire until after the period of 21 days referred to in paragraph (5)(b). If the requirement subsequently becomes the subject of an appeal, the requirement need not be complied with (and paragraph (10) does not apply in relation to it), pending the determination or withdrawal of the appeal. | ||
(7) Paragraphs (5)(b) and (6) do not apply to an enforcement notice if the Commissioner— | ||
(a) because of special circumstances, is of the opinion that a requirement specified in an enforcement notice should be complied with without delay, and | ||
(b) includes a statement to that effect in the notice. | ||
In that case, however, the enforcement notice shall contain a statement specifying the effect of Regulation 17D (paragraphs (3) and (4) excepted) and may not require compliance with the requirement before the expiry of 7 days beginning on the date on which the notice was served. | ||
(8) As soon as practicable after complying with paragraph (4) (and in any case not later than 40 days after so complying), a data controller shall notify the blocking, rectification, erasure, destruction or statement concerned | ||
(a) to the data subject concerned, and | ||
(b) if compliance materially modifies the data concerned and notification is not impossible and does not involve disproportionate effort, to any person to whom the data was disclosed during the period beginning 12 months before the date of the service of the relevant enforcement notice and ending immediately before that compliance. | ||
However, a data controller is not required to attempt to comply with subparagraph (b) if notification would be impossible or would involve disproportionate effort by the controller. | ||
(9) The Commissioner may cancel an enforcement notice and, on doing so, shall by notice in writing notify the cancellation to the person concerned. | ||
(10) A person who, without reasonable excuse, fails or refuses to comply with a requirement specified in an enforcement notice commits an offence. | ||
(11) For the purposes of this Regulation, Regulations 5, 6, 9, 12, 13 and 14 are prescribed provisions. | ||
Power to require information | ||
17A. (1) The Commissioner may serve an information notice on a person requiring the person to give to the Commissioner in writing such information in relation to matters specified in the notice as is necessary or expedient for the performance of the Commissioner’s functions. | ||
(2) An information notice shall state that the person concerned has a right to appeal to the Circuit Court under Regulation 17D against the requirement specified in the notice and that, if the right is to be exercised, it must be exercised within 21 days from the date on which the notice is served on that person. | ||
(3) A person to whom a notice is given under paragraph (1) shall, to the extent that it is possible to do so, comply with the notice within the period specified in the notice. That period may not be less than 21 days from the giving of the notice. | ||
(4) If an appeal is brought under Regulation 17D against a requirement specified in the notice, then pending the determination or withdrawal of the appeal | ||
(a) the requirement need not be complied with, and | ||
(b) paragraph (8) does not apply to a failure to comply with the requirement. | ||
(5) Paragraph (4) does not apply to an information notice if the Commissioner— | ||
(a) because of special circumstances, is of opinion that a requirement specified in the notice ought to be complied with without delay, and | ||
(b) includes in the notice a statement to that effect. | ||
In that case, the notice shall contain a statement specifying the effect of Regulation 17D (paragraphs (3) and (4) excepted) and provide that compliance with the requirement may not be required before the expiry of 7 days beginning on the date on which the notice was served. | ||
(6) No enactment or rule of law prohibiting or restricting the disclosure of information precludes a person from giving to the Commissioner information necessary or expedient for the performance or exercise of the Commissioner’s functions. | ||
(7) Paragraph (6) does not apply to information that in the opinion of the Minister for Justice, Equality and Law Reform or the Minister for Defence is, or at any time was, kept for the purpose of safeguarding the security of the State or information that is privileged from disclosure in proceedings in a court | ||
(8) A person who | ||
(a) without reasonable excuse, fails or refuses to comply with a requirement specified in an information notice, or | ||
(b) in purported compliance with such a requirement, gives information to the Commissioner that the person knows to be false or misleading in a material respect, | ||
commits an offence. | ||
Powers of authorised officers | ||
17B. (1) In this section ‘authorised officer’ means a person authorised in writing by the Commissioner under the Data Protection Act 1988 to exercise the powers conferred by section 24 of that Act or these Regulations, or both. | ||
(2) An authorised officer may, for the purpose of obtaining information that is necessary or expedient for the performance of the Commissioner’s functions under these Regulations, do all or any of the following: | ||
(a) at any reasonable time | ||
(i) enter premises that the officer reasonably believes to be occupied by a data controller or a data processor, | ||
(ii) inspect the premises and any data located on the premises (other than data consisting of information specified in Regulation 17A(7)), and | ||
(iii) inspect, examine, operate and test any data equipment located on the premises; | ||
(b) require any relevant person (data controller or data processor, or an employee of either of them) | ||
(i) to disclose to the officer any such data and produce to the officer any data material (other than data material consisting of information so specified) that is within the power or under the control of that person, and | ||
(ii) to give to the officer such information as the officer reasonably requires in relation to the data or material; | ||
(c) either on the premises or elsewhere, inspect and copy or extract information from those data, or inspect and copy or take extracts from that material; | ||
(d) require any relevant person to give to the officer such information as the officer reasonably requires in relation to | ||
(i) the procedures employed for complying with the provisions of these Regulations and the Data Protection Act 1988 , and | ||
(ii) the sources from which those data are obtained, and | ||
(iii) the purposes for which they are kept, and | ||
(iv) the persons to whom they are disclosed, and | ||
(v) the data equipment kept on the premises. | ||
(3) A person commits an offence if the person | ||
(a) obstructs or impedes an authorised officer in the exercise of a power conferred by this Regulation, or | ||
(b) without reasonable excuse, does not comply with a requirement imposed by such an officer under this Regulation, or | ||
(c) in purported compliance with such a requirement, gives information to such an officer that the person knows to be false or misleading in a material respect. | ||
Service of notices | ||
17C. Any notice authorised by these Regulations to be served on a person by the Commissioner may be served— | ||
(a) if the person is a natural person— | ||
(i) by delivering it to the person personally, or | ||
(ii) by sending it to the person by post addressed to the person at the person’s usual or last-known place of residence or business, or | ||
(iii) by leaving it for the person at that place, | ||
(b) if the person is a body corporate or an unincorporated body of personsby sending it to the body by post to, or addressing it to and leaving it at— | ||
(i) in the case of a company, its registered office, and | ||
(ii) in any other case, the principal place of business of the body. | ||
Appeals to Circuit Court | ||
17D. (1) An appeal may be made to and heard and determined by the Circuit Court against | ||
(a) a requirement specified in an enforcement notice or an information notice, or | ||
(b) a decision of the Commissioner in relation to a complaint made under Regulation 17. | ||
(2) Such an appeal may be brought only within 21 days from the service on the person concerned of the relevant notice or the receipt by that person of the notification of the relevant decision. | ||
(3) The jurisdiction conferred on the Circuit Court by these Regulations is exercisable by the judge for the time being assigned to the circuit where the appellant ordinarily resides or carries on any profession, business or occupation or, at the option of the appellant, by a judge of that Court for the time being assigned to the Dublin Circuit. | ||
(4) Subject to paragraph (5), a decision of the Circuit Court under this Regulation or Regulation 17E is final. | ||
(5) An appeal may be brought to the High Court on a point of law against such a decision; in which case a reference in these Regulations to the determination of an appeal is to be read as including a reference to the determination of the appeal to the High Court and of any appeal from the decision of that Court. | ||
Circumstances in which person need not comply with enforcement or information notice | ||
17E. If— | ||
(a) a person appeals to the Circuit Court under Regulation 17D, and | ||
(b) the appeal is brought within the period specified in the relevant enforcement or information notice, and | ||
(c) the Commissioner has included in that notice a statement to the effect that, because of special circumstances, the Commissioner is of the opinion that the person should comply with the requirement specified in that notice urgently and that that notice should therefore have immediate effect, | ||
the Court may, on application made to it for the purpose, make an order determining that non-compliance by the person with the requirement does not constitute an offence pending determination or withdrawal of the appeal or during such other period as may be specified in the order. An order may be made under this Regulation despite any other provision of these Regulations to the contrary. | ||
Evidence in legal proceedings | ||
17F. (1) In any legal proceedings— | ||
(a) a certificate signed by the Minister for Justice, Equality and Law Reform or the Minister for Defence and stating that in the opinion of the Minister concerned personal data are, or at any time were, kept for the purpose of safeguarding the security of the State is evidence of that opinion, or | ||
(b) a certificate— | ||
(i) signed by an authorised person, and | ||
(ii) stating that, in the person’s opinion, a disclosure of personal data is required for that purpose, | ||
is evidence of that opinion. | ||
(2) A document purporting to be a certificate under subparagraph (a) or (b) of paragraph (1) and to be signed by a person specified in the relevant subparagraph is taken to be such a certificate and to be so signed unless the contrary is proved. | ||
(3) Information supplied by a person in compliance with a request made under the Data Protection Act 1988 , or a requirement imposed, or a direction of a court in proceedings, under these Regulations is not admissible in evidence against the person or the person’s spouse in proceedings for an offence under these Regulations. | ||
(4) For the purpose of paragraph (1)(b), a person is an authorised person if the person is | ||
(a) a member of the Garda Síochána not below the rank of chief superintendent, or | ||
(b) an officer of the Permanent Defence Force who holds an army rank not below that of colonel and is designated by the Minister for Defence under section 8(a) of the Data Protection Act 1988 . | ||
Hearing of proceedings in private | ||
17G. The whole or any part of proceedings under these Regulations may, if the court thinks appropriate, be heard otherwise than in public. | ||
Offences by officers of bodies corporate | ||
17H. (1) If an offence under these Regulations | ||
(a) has been committed by a body corporate, and | ||
(b) is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of, an officer of the body, | ||
that officer commits a separate offence and is liable to be proceeded against and punished as if that person had committed the first-mentioned offence. | ||
(2) If the affairs of a body corporate are managed by its members, paragraph (1) applies to the acts and defaults of a member in connection with the member’s functions of management as if the member were a director or manager of the body corporate. | ||
(3) An officer of a body corporate may be proceeded against for an offence under paragraph (1) whether or not the body corporate has been proceeded against or been convicted of the offence committed by the body. | ||
(4) In this Regulation, ‘officer’, in relation to a body corporate, means a director, manager, secretary or other officer of the body, or a person who is purporting to act in any such capacity. | ||
Prosecution of offences | ||
17I. (1) The Commissioner may bring and prosecute proceedings for an offence under these Regulations that is to be tried summarily. | ||
(2) Paragraph (1) does not limit any other power conferred by law to prosecute an offence under these Regulations. | ||
(3) If of the opinion that the circumstances relating to a complaint investigated under Regulation 17 involve the commission of an offence under these Regulations, the Commissioner may bring and prosecute proceedings for the offence without attempting to bring about an amicable resolution of the complaint. | ||
(4) Despite section 10(4) of the Petty Sessions (Ireland) Act 1851, summary proceedings for an offence under these Regulations may be brought within 2 years after the date on which the offence is alleged to have been committed. | ||
Penalties for offences under the Regulations | ||
17J. (1) Except as provided by Regulation 13, a person found guilty of an offence under these Regulations is liable on summary conviction to a fine not exceeding €5,000. | ||
(2) If a person is convicted of an offence under these Regulations, the court may order any data material that appears to it to be connected with the commission of the offence to be forfeited or destroyed and any relevant data to be erased. | ||
(3) The court may not make such an order in relation to data material or data if it considers that some person other than the person convicted of the offence concerned might be the owner of, or have a proprietary interest in, the data unless all reasonably practicable steps have been taken | ||
(a) to notify the person of the proposed forfeiture, destruction or erasure, and | ||
(b) to give the person an opportunity to show cause why the order should not be made. | ||
Obtaining consent to obtaining, recording and rescinding consent of subscribers | ||
17K. For the purpose of Regulations 5, 6, 9, 12, 13 and 14, the Commissioner, in consultation with the Regulator, may specify the form and other requirements regarding obtaining, recording and rescinding consents of subscribers and users for the purposes of these Regulations. | ||
Power to include requirements under these Regulations in Codes of Practice under the Data Protection Act 1988 | ||
17L. The Commissioner’s functions under section 13 of the Data Protection Act 1988 extend to requirements imposed under these Regulations.”. | ||
Amendment of Regulation 23 of Principal Regulations (Amendments) | ||
10. The reference in Regulation 23(1) of the Principal Regulations to the Data Protection Acts 1988 and 2003 is to be read as, and is to be always taken to have been, a reference to the Data Protection Act 1988 (as amended by the Data Protection Act 2003). | ||
| ||
GIVEN under my Official Seal, | ||
9 December 2008 | ||
EAMON RYAN | ||
Minister for Communications, Energy and Natural Resources | ||
EXPLANATORY NOTE | ||
(This note is not part of the Instrument and does not purport to be a legal interpretation) | ||
These regulations amend the European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003 ( S.I. No. 535 of 2003 ) by:— | ||
(1) increasing the penalty for a summary offence, | ||
(2) creating an indictable offence for a contravention of regulation 13 relating to unsolicited communications and providing for the penalties that may be imposed on conviction of same, | ||
(3) the amendment of regulations or part thereof relating to confidentiality of communications, unsolicited communications and enforcement respectively in the interest of clarity. | ||
