The Information Commissioner’s Office (ICO) published a statement on 20 January 2023 about the obligations of public electronic communications service providers (CSPs) under Regulation 5A of the Privacy and Electronic Communications Regulations 2003 (PECR).
Following feedback, the ICO removed the statement from its website to review it and provide greater clarity regarding its shift in regulatory approach to CSPs, which is in line with ICO25, our three-year strategic plan.
As part of ICO25 we are aiming to reduce data protection compliance burdens and costs for businesses by providing regulatory clarity, support and guidance, as well as focussing our resources where we can have the greatest impact. This change in approach will allow the ICO to better use resources on investigations where significant harm has been, or is likely to be, caused to individuals and where we can have the greatest impact as a proportionate regulator.
Enforcing Regulation 5A PECR
Regulation 5A PECR requires a CSP to notify the ICO within 24 hours of becoming aware of a personal data breach. If a report is not received in time, the ICO can issue a monetary fixed penalty of £1,000 to a CSP under Regulation 5C PECR. This requirement under PECR takes the place of UK GDPR breach reporting obligations for CSPs.
The ICO currently receives around 10,000 reports per year under Regulation 5A PECR. Our analysis of these reports indicates that incidents notified to us usually result from human error and only affect a small number of individuals. Typically, CSPs then take action to improve their internal systems to prevent similar errors occurring.
The ICO is mindful of the regulatory burden on CSPs in meeting the short 24-hour reporting deadline in circumstances where the incidents being reported are unlikely to result in any risk to individuals’ rights and freedoms.
Accordingly, going forward, the ICO will use its discretion not to take enforcement action against CSPs under Regulation 5C PECR if they fail to comply with the 24-hour notification requirement in relation to such incidents, provided that they are still notified to the ICO within 72 hours of the breach. The ICO may take enforcement action and impose a monetary penalty on a CSP if it fails to notify the ICO within that time period. However, we remain committed to working with CSPs to help them minimise the regulatory burden, including by keeping the impact of the ICO exercising its discretion in this way under review.
The ICO will continue to use evidence, intelligence, and insights gained from these notification reports to identify any emerging or systemic risks in the sector, and within CSPs themselves, which may require our intervention. We will still take enforcement action in relation to the underlying breaches reported, where it is appropriate to do so.
The ICO continues to expect CSPs to report to the ICO, within 24 hours, incidents that are likely to adversely affect the personal data or privacy of subscribers or users. Failure to do so may result in the ICO taking regulatory action under Regulation 5C PECR. Similarly, CSPs must still comply with their obligations under PECR to notify these breaches to subscribers or users, where necessary.