The ICO, breach reporting under Reg 5A PECR, and muddy (muddier?) waters
Update: the ICO has simplified its statement (the full text of which is at the end of this post), which now reads "The page you requested was removed."
The ICO has announced a "change to regulation concerning communication service providers".
This relates to the breach reporting obligations under Regulation 5A of the Privacy and Electronic Communications Regulations 2003.
While quite possibly a statement that will be welcomed by providers of a public electronic communications service, it's rather an odd statement.
What did (does?) PECR require?
As the ICO says:
Regulation 5A requires a CSP to notify the ICO within 24 hours of any personal data breach, no matter how small, that has occurred. If a report is not received in time, the ICO can issue a fixed penalty of £1,000 to a CSP.
They are quite right that there is no materiality threshold for a report under PECR, and there is a very tight timing requirement.
Conversely, under the UK GDPR, there is a materiality threshold for notifying the ICO of a personal data breach - an obligation to notify "unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons" - and the requirement is to make that notification "without undue delay", and "where feasible" within 72 hours.
It is an area which, in my humble opinion, was ripe for consolidation, and perhaps if we had had the ePrivacy Regulation alongside the GDPR, this would all have been tied up neatly then.
But it was not.
"The ICO has decided to stop enforcing personal data breach reports made under Regulation 5A."
The ICO has said that it will no longer be enforcing personal data breach reports made under Regulation 5A PECR.
What it means by this is not clear.
Is the ICO saying that it still requires providers to report under Reg 5A PECR, but that it will not be taking action in response to those reports? In other words, it won't be enforcing the underlying breach?
This feels like it is within the ICO's gift, somewhere on the borderline between the ICO exercising its discretion as to the allocation of its resources and shirking its regulatory responsibility.
Or is the ICO saying that it no longer requires providers to report under Regulation 5A PECR, as long as the provider reports the issue under the UK GDPR, if it meets the threshold for reporting under the UK GDPR?
This feels far more questionable, legally. Parliament has imposed this reporting obligation on PECS providers, following the duty the UK had to implement the ePrivacy directive, and only Parliament can disapply this duty. The ICO does not have that power.
Or perhaps that, as long as a PECS provider notifies a personal data breach in line with the UK GDPR, the ICO will ignore any breach of PECR (but there is still a duty, and still a breach), and will not fine for non-compliance with Regulation 5A.
That feels more consistent with the ICO's powers, but it is confusing. If a provider fails to notify within 72 hours / without undue delay (i.e. misses the UK GDPR notification timescale), would it be fined under PECR for breach of Regulation 5A (which the ICO has said it won't enforce), or under the UK GDPR (which doesn't apply if the provider has to notify under PECR)?
More questions than answers!
Notifying under the GDPR instead?
The ICO's statement says:
This decision will not affect the duty of CSPs to report significant personal data breaches within 72 hours in line with UK GDPR.
I am confused by this, too.
A PECS provider has no choice but to report a personal data breach under Regulation 5A PECR, because that's what the law says.
It has neither a duty nor a choice of reporting it under the UK GDPR instead.
And, in my humble opinion, this is not a matter in which the ICO has any discretion.
If a provider has satisfied its duty under PECR to report a personal data breach to the ICO, the question of reporting under the UK GDPR does not arise: PECR trumps the UK GDPR on this point.
The UK GDPR's notification threshold?
The line
We will still expect CSPs to report high risk incidents and we will review them in line with UK GDPR.
is also rather odd.
Article 33 UK GDPR requires controllers to notify a personal data breach to the ICO "unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons".
"Unlikely to result in a risk" is, to my mind, rather different to something being a "high risk incident" - that feels far closer to the Article 34 threshold ("likely to result in a high risk") for communicating a personal data breach to a data subject than to the Article 33 threshold for notifying the ICO.
The Investigatory Powers Act 2016
This is all the more confusing when one considers the interplay of the error reporting obligations under the Investigatory Powers Act 2016, and the explicit carve-out for reporting under Regulation 5A PECR if a provider has notified an error to IPCO (not ICO) under a code of practice.
Reg 5A(9) PECR says:
This regulation does not apply in relation to any personal data breach which is to be notified to the Investigatory Powers Commissioner in accordance with a code of practice made under the Investigatory Powers Act 2016.
The ICO and I have differing views as to what this bit of PECR means in terms of reporting personal data breaches under the UK GDPR, and today's statement muddies the water even further.
Happy Friday!
The ICO announcement in full
Contains public sector information licensed under the Open Government Licence v3.0.
Change to regulation concerning communication service providers
Date: 20 January 2023. Type: Statement.
The Information Commissioner’s Office (ICO) has written to communication service providers (CSPs) about their obligations under Regulation 5A of the Privacy and Electronic Communications Regulations 2003 (PECR).
Regulation 5A requires a CSP to notify the ICO within 24 hours of any personal data breach, no matter how small, that has occurred. If a report is not received in time, the ICO can issue a fixed penalty of £1,000 to a CSP.
The ICO has decided to stop enforcing personal data breach reports made under Regulation 5A. That’s because our analysis of these reports indicates that incidents usually relate to human error involving one individual and are quickly resolved, and the providers put remedial measures in place to ensure the error does not happen again.
This decision will not affect the duty of CSPs to report significant personal data breaches within 72 hours in line with UK GDPR.
As part of ICO25 – our three-year strategic plan – we are aiming to reduce data protection compliance burdens and costs for businesses by providing regulatory clarity, support and guidance, as well as focussing our resources where we can have the greatest impact.
The change to how we regulate 5A will reduce what the ICO believes is a disproportionate burden on CSPs to report low risk incidents. The ICO currently receives notification of around 10,000 incidents per year under the regulation. We will still expect CSPs to report high risk incidents and we will review them in line with UK GDPR.
This change will also allow the ICO to better use resources on investigations where significant harm has been, or is likely to be, caused to individuals and where we can have the greatest impact as a proportionate regulator.