On 20 January 2023 the UK’s Information Commissioner’s Office (“ICO”) published a statement regarding the obligations then in place for public electronic communications service providers (“CSPs”) under Regulation 5A of the Privacy and Electronic Communications Regulations 2003 (“PECR”). The statement proposed the termination of the 24-hour data breach regime (which required CSPs to notify the ICO within 24 hours of becoming aware of a personal data breach). The statement is in line with the ICO25 – the ICO’s three-year plan proposal to reduce data protection compliance burdens and costs for businesses.
Following feedback received, the ICO removed the statement while it reviewed the feedback.
On 2 February 2023, the ICO issued another statement setting out its view regarding the regulatory burden on CSPs in meeting the short 24-hour reporting deadline in circumstances where the incidents being reported are unlikely to result in any risk to individuals’ rights and freedoms.
The ICO confirmed that going forward it will use its discretion not to take enforcement action and potentially issue a monetary fixed penalty of £1,000 against CSPs under Regulation 5C PECR if they do not meet the 24-hour notification requirement in relation to such incidents (i.e., when it is unlikely that the breach results in any risk to individuals’ rights and freedoms), provided, however, that the CSPs still notify the ICO within 72 hours of the breach. The ICO will continue to enforce a monetary penalty on CSPs if they fail to notify the ICO within 72 hours.
CSPs should nevertheless continue to report incidents that are likely to adversely affect the personal data or privacy of subscribers or users to the ICO within 24 hours. The ICO may take regulatory action under Regulation 5C PECR against CSPs if they fail to do so. Additionally, CSPs should continue to comply with their obligations under PECR and notify these breaches to subscribers and/or users, where applicable.
Find the ICO statement here.
The material in this article is only for general review of the topics covered and does not constitute legal advice. No legal or business decision should be based on its content.
This article is written in the English language. Preiskel & Co LLP is not responsible for any translation of all or part of its content into any language.