The Information Commissioner’s Office (ICO) has published an update confirming its plans to cease enforcement of certain breaches of regulation 5A of the Privacy and Electronic Communications Regulations 2003 (PECR) against public electronic communications service providers (CSPs).
Regulation 5A PECR requires CSPs to notify the ICO within 24 hours of becoming aware of a personal data breach. The ICO initially published a statement on 20 January 2023 which stated that it had decided to stop enforcing personal data breach reports made under Regulation 5A. However, the ICO removed this statement from its website the same day.
On 2 February 2023 the ICO published an update to clarify its position. This statement explains that where incidents being reported are unlikely to result in any risk to individuals’ rights and freedoms, the ICO will use its discretion not to take enforcement action against CSPs under Regulation 5C PECR if they fail to comply with the 24-hour notification requirement, provided such breaches are still notified to the ICO within 72 hours.
The ICO still expects CSPs to report incidents that are likely to adversely affect the personal data or privacy of subscribers or users to the ICO within 24 hours. Similarly, CSPs must continue to comply with their obligations under PECR to notify breaches to subscribers or users where necessary. In practice, it will sometimes be the case that the scope of an incident, and therefore the potential risk to individuals’ rights and freedoms, will not be known within 24 hours, so a risk-based decision will need to be taken as to how to approach notification where that is the case.
In its statement, the ICO explained the rationale behind these changes: As part of its ICO25 strategy, it is aiming to reduce data protection compliance burdens and costs for businesses by providing regulatory clarity, support and guidance. In addition, as the latest update explains, the ICO currently receives around 10,000 reports per year under Regulation 5A PECR. Its analysis of these reports indicates that the incidents usually only affect a small number of individuals and are due to human error, with CSPs then taking action to improve their internal systems to prevent similar errors occurring.
To read the ICO’s statement, click here.
(Co-authored with Samuel Ashford – Trainee, London)