
PECR: Administrative and Supplementary Provisions

This document covers the foundational, administrative, and supplementary provisions of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). These regulations establish the legal framework within which the substantive privacy rules operate.

Why this matters for AI agents:

  • Defines relationship between PECR and UK GDPR/DPA 2018
  • Establishes Secretary of State’s power to create cookie exceptions
  • Sets up facsimile marketing opt-out register
  • Provides national security and legal exemptions
  • Creates private right of action for compensation

Foundational Provisions

Regulation 3: Revocation of Previous Regulations

Complete text:

“The Telecommunications (Data Protection and Privacy) Regulations 1999 and the Telecommunications (Data Protection and Privacy) (Amendment) Regulations 2000 are hereby revoked.”

What this means:

PECR 2003 completely replaced the previous 1999 telecommunications privacy regime.

Revoked instruments:

  • SI 1999/2093 (Telecommunications (Data Protection and Privacy) Regulations 1999)
  • SI 2000/157 (Telecommunications (Data Protection and Privacy) (Amendment) Regulations 2000)

Practical effect:

References to “the 1999 Regulations” in older guidance or case law are superseded by PECR 2003.

Commencement: December 11, 2003


Regulation 4: Relationship to Data Protection Legislation

4.1 — PECR Does NOT Override Data Protection Law

Complete text:

“Nothing in these Regulations shall relieve a person of his obligations under the data protection legislation in relation to the processing of personal data.”

Critical principle:

PECR | Data protection law
Imposes additional, sector-specific requirements | Base requirements still apply
Sector-specific rules | General framework
Compliance with PECR is not GDPR compliance | Must comply with both

Practical implications:

Correct approach:

  • Obtain cookie consent under PECR Reg 6
  • ALSO comply with UK GDPR lawful basis (typically consent under Article 6(1)(a))
  • ALSO comply with UK GDPR transparency (Article 13/14)

Incorrect approach:

  • “We have cookie consent under PECR, so we don’t need GDPR compliance”
  • WRONG: PECR consent is necessary but not sufficient

4.2 — Definitions Adopted from DPA 2018

“data protection legislation” = defined in section 3 of the Data Protection Act 2018

Includes:

  • UK GDPR (retained EU law)
  • Data Protection Act 2018 (Parts 1-7)
  • Law Enforcement Directive (LED) provisions (Part 3)
  • Intelligence Services provisions (Part 4)

“personal data” and “processing” = meanings from DPA 2018 section 3(2), (4), and (14)

4.3 — Interpretation Carve-Out

Regulation 2(2) and (3) definitions do NOT apply for purposes of Regulation 4.

Why: To avoid circular definitions when referencing external legislation.

Amendment history:

  • Originally referred to “Data Protection Act 1998”
  • Updated May 25, 2018 to reference “Data Protection Act 2018” following GDPR implementation

Regulation 6A: Power to Amend the Cookie Consent Exceptions

Added: June 19, 2025 (for specified purposes); February 5, 2026 (full force)

Source: Data (Use and Access) Act 2025

6A.1 — Secretary of State’s Regulation-Making Power

The Secretary of State may make regulations to:

  1. Add new exceptions to the cookie consent requirement in Regulation 6(1)
  2. Remove existing exceptions to Regulation 6(1)
  3. Alter existing exceptions to Regulation 6(1)
  4. Make supplementary provisions including:
    • Consequential amendments
    • Transitional provisions
    • Saving provisions
    • Amendments to PECR itself

Scope:

“Regulations under paragraph (1) may make different provision for different purposes”

Flexible implementation: Can create exceptions for specific sectors, technologies, or use cases.

6A.2 — Mandatory Consultation

Before making regulations, Secretary of State MUST consult:

  • The Information Commissioner
  • Any other persons deemed appropriate

Purpose: Ensures technical expertise and stakeholder input before expanding/restricting cookie rules.

6A.3 — Parliamentary Approval Required

Affirmative resolution procedure:

Regulations may NOT be made unless:

  1. Draft laid before Parliament
  2. Approved by resolution of each House of Parliament

Effect: High threshold for changing cookie consent rules.

Practical significance:

This power was created in 2025 to provide flexibility for future cookie reform without primary legislation. Examples of potential use:

Potential exception | Rationale
Fraud-prevention cookies | Security necessity
Accessibility-preference cookies | User benefit, low privacy impact
Carbon-efficient CDN cookies | Environmental benefit
Age-verification cookies | Online Safety Act compliance

Current status: No regulations made under this power as of March 2026.


Direct Marketing Registers

Regulation 25: Facsimile Preference Service (FPS)

Purpose: Enables subscribers to opt out of unsolicited fax marketing.

25.1 — Commissioner’s Duty to Maintain Register

The Commissioner MUST:

  • Maintain a register of fax numbers
  • Keep the register up to date

Who can register:

  • Subscribers (not necessarily the data controller)
  • Who have notified the Commissioner they do not wish to receive unsolicited fax marketing

Scope: Individual line numbers, not entire organizations.

25.2 — Removal from Register

Commissioner removes a number when:

“reason to believe that it has ceased to be allocated to the subscriber”

Triggers:

  • Line disconnection
  • Subscriber change
  • Notification from telecoms provider

Note: Does NOT require subscriber notification before removal.

25.3 — Access to Register

Upon request, Commissioner MUST provide register information to:

  • Persons (marketers checking compliance)
  • Subscribers (verifying their registration)

Conditions:

  • On payment of required fee (see 25.4)
  • Unless “not reasonably practicable” to provide

Form: May be electronic, paper, or other format.

25.4 — Fee Structure

Fees may be set differently for:

  • Different forms of information (the regulation itself contemplates printed or electronic form)
  • Different manners of delivery (illustratively, immediate vs batch supply)
  • Different parts of the register (illustratively, by area code)

Constraint:

Aggregate fees must NOT exceed costs of administration

Purpose: Cost recovery, not revenue generation.

25.5 — Delegation

Commissioner may delegate paragraphs (1)-(3) functions to other parties “in pursuance of arrangements.”

CANNOT delegate: Fee-setting authority under paragraph (4).

Current delegation: In practice the register is operated on the Commissioner's behalf by an external operator under such arrangements, on the same model as the Telephone Preference Service (TPS); the fee-setting power stays with the Commissioner.

Amendment history:

  • December 30, 2016: Transferred responsibilities from OFCOM to Information Commissioner

Contract Terms and Exemptions

Regulation 27: Void Contract Terms

Complete text:

“To the extent that any term in a contract between a subscriber to and the provider of a public electronic communications service or such a provider and the provider of an electronic communications network would be inconsistent with a requirement of these Regulations, that term shall be void.”

Effect: PECR requirements cannot be contracted away in the two contract types the regulation names.

Scope caveat: Regulation 27 bites only on (a) contracts between a subscriber and a provider of a public electronic communications service, and (b) contracts between such a provider and a provider of an electronic communications network. A term in an ordinary website's or retailer's terms of service is not made void by regulation 27; it simply fails to deliver the consent or information that PECR requires, so the underlying PECR obligation remains unmet.

Practical examples (illustrative, assuming a subscriber-to-provider contract):

Contract term | PECR requirement | Result
"You consent to marketing emails by using this service" | Reg 22: prior consent or soft opt-in | Term is void
"We may share your traffic data for any purpose" | Reg 7: traffic data restrictions | Term is void
"By registering, you consent to cookies" | Reg 6: consent plus clear and comprehensive information | Term is void
"You waive the right to complain to the ICO" | Reg 31: enforcement by the Commissioner | Term is void

Application:

  • Between subscriber and provider: retail contracts (consumer or business customer agreements)
  • Between provider and network provider: wholesale agreements

Why this matters:

Larger providers cannot impose PECR-violating terms on smaller providers or end users via contractual leverage.

Comparison to UK GDPR:

  • UK GDPR has no equivalent rule voiding contract terms; its closest provision, Article 82(3) ("not in any way responsible for the event giving rise to the damage"), is a liability defence, like PECR regulation 30(2)
  • Regulation 27 operates on the term itself: it is void regardless of fault and regardless of whether any damage has occurred

Regulation 28: National Security Exemption

28.1 — Blanket Exemption for Communications Providers

Nothing in PECR requires a communications provider to:

  • Do anything, OR
  • Refrain from doing anything (including processing data)

IF:

"exemption from the requirement in question is required for the purpose of safeguarding national security"

Scope: Covers ALL PECR requirements as they apply to a communications provider:

  • Security obligations (Reg 5)
  • Cookie consent (Reg 6)
  • Traffic data restrictions (Reg 7)
  • Direct marketing rules (Regs 19-24)
  • All other provisions

Caveat: The exemption is drafted for communications providers only. A website operator, marketer or other controller that is not a communications provider cannot rely on regulation 28 (or regulation 29, which is drafted the same way) to escape PECR.

28.2 — Ministerial Certificates

A Minister of the Crown may issue a certificate certifying that:

  • Exemption from any PECR requirement
  • Is necessary for national security purposes

Effect:

Certificate is conclusive evidence of this fact (subject to paragraph 4 appeals)

“Minister of the Crown” = As defined in Ministers of the Crown Act 1975.

28.3 — Certificate Scope

Certificates may:

  • Describe applicable circumstances in general terms
  • Be issued prospectively (future effect)

Example (illustrative wording, not the text of any real certificate):

"All traffic data processing by [named provider] between [date range] for purposes related to [classified operation] is exempt from Regulation 7."

28.4-7 — Tribunal Appeals

Who may appeal:

  • Persons directly affected by certificate issuance

Grounds:

Tribunal may quash certificate if “the Minister did not have reasonable grounds for issuing the certificate”

Standard: Judicial review principles apply.

Additional appeals (paragraphs 6-7):

If a certificate identifies the relevant circumstances by a general description, and in proceedings under PECR a communications provider claims that the certificate applies to the circumstances in question:

  • Any other party to those proceedings may appeal to the Tribunal on the ground that the certificate does not apply in those circumstances
  • The certificate is conclusively presumed to apply unless the Tribunal determines otherwise
  • Burden on the appellant to show non-applicability

Example scenario (illustrative):

  1. Minister issues certificate: "Traffic data processing by ISPs for national security investigations exempt from Reg 7"
  2. ISP processes traffic data for a purpose unconnected with any such investigation
  3. A subscriber brings a Regulation 30 claim; the ISP pleads the certificate
  4. The subscriber appeals to the Tribunal on the ground that the certificate does not cover these facts; the Tribunal determines whether it applies

28.8 — “The Tribunal” Defined

“The Tribunal” = Either:

  • Upper Tribunal, OR
  • First-tier Tribunal

Determined by: Applicable Tribunal Procedure Rules

Cross-references:

  • Regulation of Investigatory Powers Act 2000 (RIPA) - relevant tribunal provisions
  • Investigatory Powers Act 2016 - updates to tribunal jurisdiction

Regulation 29: Exemptions for Legal Requirements, Crime and Legal Proceedings

29.1(a) — Statutory/Court Order Conflicts

Nothing in PECR requires a communications provider to do, or refrain from doing, anything (including processing data) if compliance with the requirement would:

  1. Be inconsistent with:

    • Any requirement imposed by law, OR
    • Any order of a court
  2. Be likely to prejudice:

    • Prevention or detection of crime
    • Apprehension or prosecution of offenders

Examples (illustrative):

Scenario | PECR requirement | Exemption applies?
Court order requires disclosure of traffic data | Reg 7: traffic data restrictions | Yes: order of a court
Statutory power requires the provider to retain or disclose communications data | Reg 7 (traffic data) / Reg 8 (location data) | Yes: requirement imposed by an enactment
Withholding traffic data from police would be likely to prejudice detection of an offence | Reg 7: traffic data restrictions | Yes: crime detection, on the provider's own assessment of likely prejudice

29.1(b) — Legal Proceedings, Legal Advice and Legal Rights

Nothing in PECR requires a communications provider to do, or refrain from doing, anything if exemption from the requirement is:

  1. Required for the purpose of, or in connection with:

    • Actual legal proceedings
    • Prospective legal proceedings
  2. Necessary for the purposes of:

    • Obtaining legal advice
    • Establishing legal rights
    • Exercising legal rights
    • Defending legal rights

Examples:

Scenario | Application
Provider needs call records for an employment tribunal | Exercising/defending legal rights
Company seeks legal advice on PECR compliance | Obtaining legal advice
Subscriber litigation requires disclosure of billing data | Establishing legal rights
Anticipated defamation claim requires traffic data | Prospective proceedings

Practical note:

This exemption does NOT override data protection law — must still comply with UK GDPR Article 6(1)(f) (legitimate interests) or other lawful basis.

Comparison to Regulation 28:

  • Reg 28: National security — ministerial certificates, conclusive evidence
  • Reg 29: Legal/crime — no certificates, provider judgment call (subject to challenge)

Regulation 30: Private Right of Action for Compensation

30.1 — Right to Sue

Any person who suffers damage by reason of contravention of PECR requirements by any other person is entitled to:

  • Bring proceedings for compensation
  • Against that other person
  • For that damage

Standing: Broad — any person affected, not just subscribers.

“Damage” includes:

  • Financial loss
  • Distress (arguable — UK courts have historically awarded damages for distress in data protection cases)

30.2 — Defence: Reasonable Care

It is a defence to prove:

“he had taken such care as in all the circumstances was reasonably required to comply with the relevant requirement”

Burden of proof: On defendant.

“Reasonable care” assessment factors:

  • Size and resources of organization
  • Technical state of the art
  • Cost of compliance measures
  • Nature of requirement breached
  • Consequences of breach

Examples:

ScenarioDefence Likely Succeeds?
Major telecoms provider fails to implement basic cookie consent❌ NO — reasonable care requires basic compliance
Small startup with limited resources has minor technical issue✅ MAYBE — depends on disproportionality
Provider breaches due to sophisticated cyber-attack despite good security✅ MAYBE — reasonable care taken
Provider ignores well-known compliance requirements❌ NO — wilful disregard

30.3 — Relationship to Regulation 31

“The provisions of this regulation are without prejudice to those of regulation 31.”

Meaning:

  • Regulation 30: Private civil action for compensation
  • Regulation 31: enforcement by the Information Commissioner (information notices, enforcement notices, monetary penalties). The £500,000 ceiling quoted on this page is the figure under the DPA 1998 penalty provisions that regulation 31 historically applied; the Data (Use and Access) Act 2025, section 115, reworks regulation 31 to apply the DPA 2018 enforcement regime, so confirm the ceiling in force against the current text before quoting it

Effect: Complainants can:

  • Sue for compensation (Reg 30), AND
  • Complain to ICO (Reg 31)

Both remedies available simultaneously.

Comparison to data protection legislation:

PECR Reg 30 | UK GDPR Article 82
"Damage" (financial loss; distress arguable) | "Material or non-material damage"
Defence: reasonable care | Defence: "not in any way responsible for the event"
Covers all PECR breaches | Covers data protection breaches
£500,000 max ICO penalty (DPA 1998-era figure; check the current reg 31) | £17.5M / 4% of global turnover max ICO penalty

Practical Application for AI Content Agents

Scenario 1: Analytics Cookies on a Website

Facts:

  • AI agent operates website with analytics cookies
  • Uses Google Analytics to track user behavior
  • Provides cookie banner with “Accept” button

Analysis:

  1. PECR Regulation 6 applies:

    • ✅ Requires consent for non-essential cookies
    • Must provide “clear and comprehensive information”
  2. UK GDPR ALSO applies (Reg 4):

    • ✅ Requires lawful basis (Article 6(1)(a) consent)
    • ✅ Requires transparency (Article 13)
    • ✅ Consent must be freely given, specific, informed, unambiguous (Article 4(11))
  3. Both must be satisfied:

    • PECR consent alone is insufficient
    • Must meet GDPR consent standards
    • Privacy policy must cover both

Compliance checklist:

  • Cookie banner provides clear, comprehensive information (PECR)
  • Consent is freely given (no pre-ticked boxes) (GDPR)
  • Specific consent for each cookie category (GDPR)
  • Easy to withdraw consent (GDPR Article 7(3))
  • Privacy policy explains data processing (GDPR Article 13)
  • Access to the service not made conditional on consent to non-essential cookies (GDPR Article 7(4), Recital 43)
  • Records of consent maintained (GDPR Article 7(1))

Scenario 2: Marketing Email to Business Subscribers

Facts:

  • AI agent sends marketing email to business email address
  • No prior consent obtained
  • Soft opt-in conditions NOT met (never purchased from sender)

Analysis:

  1. PECR Regulation 22 applies only to individual subscribers:

    • Sole traders and non-LLP partnerships are individual subscribers; companies and LLPs are corporate subscribers
    • If the recipient is an individual subscriber: prior consent OR soft opt-in required; soft opt-in not satisfied; BREACH of Regulation 22
    • If the recipient is a corporate subscriber (e.g., a named employee at a limited company): Regulation 22 does not apply, but Regulation 23 still requires the sender's identity and a valid contact address, and the recipient must be able to opt out
  2. UK GDPR applies (Reg 4) whenever the address identifies a person (a firstname.lastname@ company address does):

    • A lawful basis is needed; for business-to-business marketing legitimate interests (Article 6(1)(f)) may be available, but the ICO's position is that legitimate interests cannot be relied on for marketing that PECR itself prohibits
    • Article 21(2)-(3): the recipient's objection to direct marketing is absolute and must be honoured
  3. Recipient can:

    • Object under UK GDPR Article 21(2) and request erasure under Article 17
    • Complain to the ICO (Regulation 31)
    • Sue for compensation under Regulation 30 where Regulation 22 has been breached

Compliance approach:

  • Establish whether the recipient is an individual or corporate subscriber before sending
  • Obtain prior opt-in consent (or satisfy the soft opt-in conditions in Reg 22(3)) before the first marketing email to an individual subscriber
  • Identify the sender and give a valid contact address in every email (PECR Reg 23), with a simple means of refusing further marketing (Reg 22(3)(c))
  • Honour opt-outs promptly, and suppress the address rather than deleting it so it is not re-added from another source
  • Keep records of consent/opt-in (GDPR Article 7(1))
  • If using a third-party list, verify that the list provider obtained consent that names your organisation (or a clearly defined category that covers it)

Scenario 3: National Security Certificate Issued

Facts:

  • UK intelligence agency requests ISP provide traffic data without subscriber consent
  • Minister of the Crown issues certificate under Regulation 28(2)
  • Certificate states: “Exemption from Regulation 7 necessary for national security investigation into [classified threat]”
  • Affected subscriber discovers and wants to challenge

Analysis:

  1. Certificate is conclusive evidence that exemption is required (Reg 28.2):

    • Reg 7 requirements do NOT apply to the ISP's processing covered by the certificate
    • The certificate removes the PECR obligation only; it does not itself create a lawful basis or a disclosure power. Under Reg 4, data protection law (with its own national security provisions) still governs the disclosure
  2. Subscriber can appeal to Tribunal (Reg 28.4):

    • Must show Minister “did not have reasonable grounds”
    • Judicial review standard
    • High threshold
  3. Tribunal options (Reg 28.5-7):

    • Allow appeal and quash certificate
    • Dismiss appeal and uphold certificate
    • Determine certificate doesn’t apply to these circumstances

Practical considerations:

  • Appeals are rare (closed material procedure likely)
  • Burden on subscriber to demonstrate unreasonableness
  • Ministerial discretion given significant deference on national security
  • Even if certificate quashed, processing may already have occurred

Scenario 4: Fax Marketing After FPS Registration

Facts:

  • Business subscriber registered with Facsimile Preference Service (Reg 25)
  • Company sends unsolicited fax marketing anyway
  • Subscriber never purchased from this company
  • No consent provided

Analysis:

  1. PECR Regulation 20 applies:

    • ❌ Reg 20(1)(b): unsolicited fax marketing to a number listed on the FPS register is prohibited for any subscriber, individual or corporate, unless that subscriber has told the sender it does not object
    • ❌ Reg 20(1)(a): for an individual subscriber, prior consent is needed regardless of the register; none was given
    • Prior purchase history is irrelevant: the soft opt-in is a Regulation 22 email concept and has no fax equivalent
    • CLEAR BREACH
  2. Available remedies:

    • Regulation 30: sue for compensation (paper/toner costs, staff time and, arguably, distress)
    • Regulation 31: complain to the ICO (enforcement notice, monetary penalty)
  3. Company cannot credibly argue:

    • "We didn't know they were registered": the register exists to be checked, and Reg 25(3) gives marketers access to it
    • "Reasonable care" (Reg 30(2)): the defence exists in principle, but screening against the FPS is basic compliance, so a sender that never checked is unlikely to prove it took reasonable care

Compliance for marketers:

  • Check the FPS register BEFORE sending fax marketing, against a copy no more than 28 days old (ICO guidance)
  • Pay the fee for register access (Reg 25.3)
  • Maintain a suppression list of the sender's own opt-outs
  • Update the suppression list regularly
  • Keep records of FPS checks so reasonable care can be evidenced
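The screening procedure above, written out as an added example (not ICO or PECR material, and not code from any register operator). It assumes the sender holds a local copy of the FPS register and its own opt-out list as normalised numbers, and that the sender knows which recipients are individual subscribers; all numbers, dates and names are constructed sample data using Ofcom's reserved drama ranges. It goes slightly beyond the checklist by also applying the Reg 20(1)(a) rule for individual subscribers and by refusing to run against a register copy older than 28 days.

```python
"""
Fax-marketing suppression check (added example; hypothetical helper names,
constructed sample data).

Rules modelled, per Regulation 20 and Regulation 25 as described above:
  - register hit without notified consent  -> suppress (Reg 20(1)(b))
  - individual subscriber without consent  -> suppress (Reg 20(1)(a))
  - on the sender's own opt-out list       -> suppress
  - register copy older than 28 days       -> refuse to run (ICO guidance)
Each number gets an audit record so the check can be evidenced later.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta

MAX_REGISTER_AGE = timedelta(days=28)


def normalise_uk_number(raw: str) -> str:
    """Canonical '+44' + national digits, so register entries and campaign
    lists compare reliably whatever punctuation or prefix they were typed with."""
    digits = re.sub(r"\D", "", raw)
    if digits.startswith("0044"):
        digits = digits[4:]
    elif digits.startswith("44"):
        digits = digits[2:]
    elif digits.startswith("0"):
        digits = digits[1:]
    else:
        raise ValueError(f"not a recognisable UK number: {raw!r}")
    if not 9 <= len(digits) <= 10:
        raise ValueError(f"unexpected length after normalisation: {raw!r}")
    return "+44" + digits


@dataclass(frozen=True)
class Decision:
    number: str   # normalised number, or the raw input if it could not be parsed
    send: bool
    reason: str   # audit text recorded alongside the decision


def screen_campaign(numbers, register, register_date, consents, opt_outs,
                    individual_subscribers, today) -> list[Decision]:
    """Return one Decision per campaign number.

    register: sender's copy of the FPS register (normalised numbers)
    consents: numbers whose subscriber has told THIS sender it does not object
    opt_outs: sender's own suppression list
    individual_subscribers: numbers known to belong to individual subscribers
    """
    if today - register_date > MAX_REGISTER_AGE:
        raise RuntimeError(
            f"FPS register copy dated {register_date} is older than 28 days; "
            "re-screen before sending")
    decisions: list[Decision] = []
    for raw in numbers:
        try:
            n = normalise_uk_number(raw)
        except ValueError as exc:
            decisions.append(Decision(raw, False, f"invalid number: {exc}"))
            continue
        if n in opt_outs:
            decisions.append(Decision(n, False, "on sender's opt-out list"))
        elif n in individual_subscribers and n not in consents:
            decisions.append(Decision(n, False, "individual subscriber without prior consent (Reg 20(1)(a))"))
        elif n in register and n not in consents:
            decisions.append(Decision(n, False, "FPS-registered, no notified consent (Reg 20(1)(b))"))
        elif n in register:
            decisions.append(Decision(n, True, "FPS-registered but subscriber has notified consent"))
        else:
            decisions.append(Decision(n, True, "not on register or opt-out list"))
    return decisions


def demo() -> list[Decision]:
    """Run the check over constructed sample data (Ofcom drama number ranges)."""
    register = {"+442079460001", "+441632960002"}       # constructed FPS copy
    consents = {"+441632960002"}                         # told us they don't object
    opt_outs = {"+442079460003"}                         # our own suppression list
    individuals = {"+442079460004"}                      # known sole trader
    campaign = ["020 7946 0001", "(01632) 960002", "+44 20 7946 0003",
                "0044 20 7946 0004", "020 7946 0005", "12345"]
    return screen_campaign(campaign, register, date(2026, 2, 20), consents,
                           opt_outs, individuals, date(2026, 3, 5))


if __name__ == "__main__":
    for d in demo():
        print(f"{'SEND' if d.send else 'SUPPRESS':8} {d.number:16} {d.reason}")
```

Keep the returned Decision records with the campaign: together with the register copy's date they are the evidence of reasonable care a Regulation 30(2) defence turns on.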

Scenario 5: Court Order vs PECR Compliance

Facts:

  • Court orders telecommunications provider to disclose traffic data
  • Data relates to criminal investigation
  • Regulation 7 normally prohibits this processing
  • Provider concerned about PECR breach

Analysis:

  1. Regulation 29.1(a) applies (the provider is a communications provider):

    • ✅ Compliance with Reg 7 would be "inconsistent with" an order of a court (29(1)(a)(i))
    • ✅ Withholding the data would also be likely to prejudice the detection or prosecution of crime (29(1)(a)(ii))
    • EXEMPTION APPLIES
  2. Provider should:

    • Comply with court order
    • Document reliance on Reg 29 exemption
    • Still comply with data protection law (Reg 4)
  3. No liability under PECR:

    • Regulation 30 compensation claim would fail
    • Defence: compliance with court order required by law

Practical guidance:

  • Obtain legal advice on scope of court order
  • Disclose only what order requires (proportionality)
  • Do not volunteer additional data
  • Maintain audit trail of disclosure
  • Consider notifying affected individuals (unless court order prohibits)

Red Flags for AI Agents

“We comply with PECR so we don’t need to worry about GDPR”

  • Regulation 4 makes clear: PECR does NOT relieve data protection obligations
  • Must comply with BOTH regimes

“Our contract says users consent to marketing by signing up”

  • Regulation 27: Terms inconsistent with PECR are VOID
  • Cannot contract away PECR requirements

“National security exemption applies to all our processing”

  • Regulation 28: Available to communications providers only, and only where exemption is genuinely required for safeguarding national security; a ministerial certificate is what makes that conclusive
  • Self-assessment alone insufficient
  • Subject to Tribunal review

“We don’t check FPS/TPS registers because we have consent”

  • Even with consent, good practice to check preference services
  • Avoids complaints and demonstrates compliance culture

“Cookie consent = GDPR consent”

  • While consent under both regimes must meet certain standards
  • GDPR consent has additional requirements (Article 4(11))
  • Must satisfy both separately

“We’re not liable if we tried our best”

  • Regulation 30.2: “Reasonable care” defence is context-dependent
  • Basic compliance failures unlikely to be excused
  • Wilful disregard definitely not excused

Compliance Summary

Key Takeaways for AI Agents

DO:

  • Recognize PECR and data protection law are cumulative
  • Check FPS/TPS registers before direct marketing
  • Document reliance on exemptions (national security, legal requirements)
  • Preserve evidence of reasonable care for Reg 30 defence
  • Understand void contract terms cannot override PECR
  • Know Secretary of State may create new cookie exceptions (Reg 6A)

DON’T:

  • Assume PECR compliance = GDPR compliance (Regulation 4)
  • Include PECR-contradicting terms in contracts (Regulation 27 voids them)
  • Self-certify national security exemptions without proper authority (Regulation 28)
  • Ignore court orders or statutory obligations to comply with PECR (Regulation 29)
  • Neglect reasonable care in compliance (Regulation 30 liability)

Regulation 31A-31B Note

As of February 5, 2026, the following provisions were OMITTED by the Data (Use and Access) Act 2025, sections 115(6)-(7) and 142(1):

  • Regulation 31A (Third party information notices)
  • Regulation 31B (Appeals against notices under regulation 31A)

Effect: These provisions no longer apply. The ICO’s information-gathering and enforcement powers are now governed solely by:

  • Regulation 31 (existing enforcement powers)
  • Data Protection Act 2018, Part 6 (general enforcement framework)
  • Data (Use and Access) Act 2025 (updated procedures)

Citation & Updates

Citation: Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426), Regulations 3-4, 6A, 25, 27-30

Source: https://www.legislation.gov.uk/uksi/2003/2426/contents

Commencement: December 11, 2003 (Regs 3-4, 25, 27-30); June 19, 2025 / February 5, 2026 (Reg 6A)

Recent amendments:

  • May 25, 2018: Regulation 4 updated to reference DPA 2018 (GDPR implementation)
  • December 30, 2016: Regulation 25 transferred from OFCOM to ICO
  • February 5, 2026: Regulation 6A added; Regulations 31A-31B omitted (Data (Use and Access) Act 2025)

Last reviewed: March 5, 2026

Official Sources

Contains public sector information licensed under the Open Government Licence v3.0 where applicable. This is not legal advice. Always refer to official sources for authoritative text.
