The ICO and breach reporting under Reg 5A PECR: take two
A couple of weeks ago, the ICO published a statement saying that it had "decided to stop enforcing personal data breach reports made under Regulation 5A."
Even if the intent behind it was meant well, the announcement wasn't the best thought-through statement, and I blogged to that effect.
The ICO withdrew the statement - I can only guess that others shared similar sentiments to mine - and now it is back with a second attempt:
Update on the ICO’s change of approach to regulating communication service providers.
The sentiment is similar - reducing the regulatory burden by tinkering with enforcement of breach reporting requirements - but this statement is, IMHO, much better than the last, albeit one which still leaves a few unanswered questions.
The ICO's new approach
The ICO is maintaining the 24 hour breach reporting requirement under PECR.
But it says it will only enforce it in respect of
"incidents that are likely to adversely affect the personal data or privacy of subscribers or users."
This is a change, both from the current legal position and the ICO's previously-announced stance.
The ICO goes on to say that it:
"will use its discretion not to take enforcement action against CSPs ... if they fail to comply with the 24-hour notification requirement in relation to such incidents, provided that they are still notified to the ICO within 72 hours of the breach."
So, in essence, PECS providers ("CSPs" is the wrong term to use here, IMHO, for pedantic legal reasons) have a bit of breathing space: a few extra hours to report to the ICO, still under PECR, those breaches which are not likely to adversely affect the personal data or privacy of subscribers or users.
This is still PECR, not the GDPR!
Despite the reference to 72 hours, don't confuse this with the GDPR's reporting regime. There are some key differences, based on the content of this press release / announcement.
The materiality threshold applies to timeliness only, not reportability
The GDPR requires a controller to notify the ICO of a personal data breach "unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons". In other words, not all personal data breaches need to go to the ICO.
Reg 5A PECR has no such materiality threshold. A PECS provider must report all personal data breaches subject to Reg 5A to the ICO, irrespective of materiality.
What the ICO appears to have done is to say: "yep, carry on reporting all Reg 5A personal data breaches to us. If they're likely to adversely affect the personal data or privacy of subscribers or users, tell us within 24 hours; otherwise, within 72 hours".
The effect of this is that the ICO will / should still require a report under PECR of every single personal data breach, irrespective of materiality, so if the ICO's PECR breach reporting team was hoping for a bit of respite, it doesn't sound like this announcement will do that. They'll get the same number of reports, albeit some will be a few hours later than others. But the PECS provider gets a bit longer to make the report.
Within 72 hours "of the breach", or from becoming aware of the breach?
The ICO says that it is willing to overlook slightly tardy reports under PECR, for breaches which are unlikely to adversely affect the personal data or privacy of subscribers or users:
"provided that they are still notified to the ICO within 72 hours of the breach."
Not within 72 hours from detection of the breach (PECR language) or becoming aware of the breach (GDPR language), but within 72 hours of the breach.
I wonder if this is a poor choice of words, rather than an intentional policy decision?
I feel it must be, because otherwise it makes little sense.
The legal requirement under PECR is to notify a personal data breach to the ICO "without undue delay".
Article 2(2) of Commission Regulation (EU) No 611/2013 says:
"The provider shall notify the personal data breach to the competent national authority no later than 24 hours after the detection of the personal data breach, where feasible."
If, for example, a breach happens on Monday, 10:00, and the PECS provider only becomes aware of it on Thursday, 10:00, more than 72 hours have already passed since the breach, but if the provider notified by Friday 09:59, they'd still be within the PECR 24 hour period.
My feeling is that the ICO intends the 72 hours to start from detection / becoming aware of the breach.
(And, further pedantry, perhaps, note that the UK GDPR's notification requirement says "and, where feasible, not later than 72 hours after having become aware of it" - i.e. the 72 hours is not set in stone - whereas this appears to be a fixed 72 hours.)
This is about reporting, not the underlying issue
The ICO says:
"We will still take enforcement action in relation to the underlying breaches reported, where it is appropriate to do so."
This was really unclear in their last announcement, so clarity here is welcome (even if some providers might have liked the idea that the underlying breaches would have been out of scope...).
Reporting of errors under the Investigatory Powers Act 2016 is unaffected
The ICO has also clarified the confusing aspects of its previous announcement, about the interplay of the UK GDPR and PECR. It now says:
"This requirement under PECR takes the place of UK GDPR breach reporting obligations for CSPs."
And this means that - for now, at least - Regulation 5(9) PECR continues to apply:
"This regulation does not apply in relation to any personal data breach which is to be notified to the Investigatory Powers Commissioner in accordance with a code of practice made under the Investigatory Powers Act 2016"
The future of Regulation 5A PECR
Left unstated - sensibly, in my view - is what the future might hold for Regulation 5.
I suspect it is limited.
The bifurcated regime never made any sense and, as the ICO notes, simply causes unnecessary stress and work.
There is no particular reason why every single PECS-related personal data breach would be of such impact that it justifies 24 hour reporting of each one. By contrast, the EU GDPR - which covers a much broader range of potential breaches - does not require reporting of all breaches, and even those which meet the materiality threshold still don't require rigid 24 hour reporting.
Basically, this is a mess which the ePrivacy regulation should have fixed, but this instrument - mainly for international political squabbling reasons - has been delayed and delayed.
Could the UK Parliament fix it, by removing Regulation 5A PECR? I think so, although some will inevitably say "but what about adequacy?" if it does.
(There could be some interesting NIS issues here, too!)