On 20 January 2023, the ICO published a statement on the obligations of public electronic communications service providers (CSPs) under Regulation 5A of the Privacy and Electronic Communications Regulations 2003 (PECR).

Following feedback, the ICO has removed the statement from its website to amend it to provide greater clarity regarding its shift in regulatory approach to CSPs, which is in line with ICO25, the ICO’s three-year strategic plan.

As part of ICO25 the ICO says that it is aiming to reduce data protection compliance burdens and costs for businesses by providing regulatory clarity, support and guidance, as well as focusing its resources to have the greatest impact. This change in approach will, the ICO says, allow it to better use resources on investigations where significant harm has been, or is likely to be, caused to individuals and where it can have the greatest impact as a proportionate regulator.

Regulation 5A of the PECR requires a CSP to notify the ICO within 24 hours of becoming aware of a personal data breach. This requirement replaces the UK GDPR breach reporting obligations for CSPs. If a report is not received within this timeframe, the ICO can issue a CSP with a fixed penalty of £1,000.

The ICO says that it currently receives around 10,000 reports per year under Regulation 5A of the PECR. Its analysis of these reports indicates that incidents notified to it usually result from human error and only affect a small number of individuals. Typically, CSPs then take action to improve their internal systems to prevent similar errors occurring.

The ICO is mindful of the regulatory burden on CSPs in meeting the short 24-hour reporting deadline in circumstances where the incidents being reported are unlikely to result in any risk to individuals’ rights and freedoms. Accordingly, in future, the ICO will use its discretion not to take enforcement action against CSPs under Regulation 5C if they fail to comply with the 24-hour notification requirement in relation to such incidents, provided that they are still notified to the ICO within 72 hours of the breach. The ICO may take enforcement action and impose a monetary penalty on a CSP if it fails to notify the ICO within that timeframe.

The ICO says that it remains committed to working with CSPs to help them minimise the regulatory burden, including by keeping the impact of the ICO exercising its discretion in this way under review.

The ICO will continue to use evidence, intelligence, and insights gained from these notification reports to identify any emerging or systemic risks in the sector, and within CSPs themselves, which may require intervention. It says that it will still take enforcement action in relation to the underlying breaches reported where it is appropriate to do so.

The ICO continues to expect CSPs to report incidents that are likely to adversely affect the personal data or privacy of subscribers or users to the ICO within 24 hours. Failure to do so may result in the ICO taking regulatory action under Regulation 5C PECR. Similarly, CSPs must still comply with their obligations under the PECR to notify these breaches to subscribers or users, where necessary. To read the ICO’s update in full, click here.