There are only two general exemptions from PECR: a national security exemption, and a law and crime exemption (for compliance with other laws, law enforcement, or legal advice or proceedings). You should consider these exemptions on a case-by-case basis.
There is no exemption for contractual obligations.
In more detail…
- Are there any exemptions from PECR?
- How does the national security exemption work?
- How does the law and crime exemption work?
- Can we contract out of PECR?
- Is there anything else we need to think about?
Some of the rules have built-in exemptions – for example, exemptions from the cookie rules. These are covered in the section of this guide that explains those rules.
There are also two more-general exemptions that can apply to any of the rules: a national security exemption, and a law and crime exemption (in brief, for compliance with other laws, law enforcement, or legal advice or proceedings). Only communications providers can use these exemptions.
These exemptions do not automatically exempt you from all the rules. They will only apply to the extent that compliance with PECR actually conflicts with the relevant interests. If you can still comply with some of the rules in PECR, you must.
The national security exemption is in regulation 28. It exempts communications providers from any of the rules in PECR if that exemption is required (ie you reasonably need to breach that regulation) for the purpose of safeguarding national security.
A Minister of the Crown can issue a certificate stating that an exemption was, is or will be required in certain circumstances for national security reasons. A ministerial certificate is conclusive proof that the exemption applies in those circumstances. Any person directly affected by a ministerial certificate may appeal against it to the Information Rights Tribunal.
The law and crime exemption is in regulation 29. It exempts communications providers from any of the rules in PECR if complying with that rule would:
- breach a provision of another enactment;
- breach a court order;
- be likely to prejudice the prevention or detection of crime; or
- be likely to prejudice the apprehension or prosecution of offenders.
It also applies if the exemption is required (ie, you need to breach that regulation):
- for or in connection with any legal proceedings;
- to obtain legal advice; or
- to establish, exercise or defend legal rights.
No. You cannot agree to disapply PECR, and there is no exemption for contractual obligations.
Regulation 27 says any term in a contract between a service provider and a subscriber or network provider that is inconsistent with PECR will be automatically void.
If you are a communications provider, you need to set up procedures for responding to other bodies who ask for access to your customers’ personal data for national security or law enforcement reasons.
If such a request is justified, it is likely to be exempt from PECR. However, regulation 29A requires you to establish and maintain internal procedures in these circumstances. The ICO can require you to provide information about your procedures, the number of requests you have received, the legal justification for the request, and your response.