Friday 22 July 2022

Personal Data Breach Notification – it's time to scrap the unfair rules that have been imposed on Communication Service providers

In August 2013 the European Commission introduced new rules to require Communication Service Providers to report all personal data breaches, no matter how minor, to local data protection regulators within 24 hours of the incident being detected [Art 2]. Reporting delays would result in providers being subject to ICO fines. Significant breaches were also required to be reported to the impacted individuals [Art 3].

The new rules also required the European Commission to report by 2016 on the effectiveness of these new rules and their impact on providers, subscribers and individuals. On the basis of that report, the Commission would review the rules. I’m not aware that such a report was ever published, however. If it was, I can't find it.

This was the European Commission’s first attempt at mandatory breach notification. The coming into force of the GDPR resulted in breach notification rules being extended to organisations in all economic sectors, although these organisations were permitted a longer time to report (within 72 hours of the incident being detected) and they were able to use their discretion not to notify data protection regulators of minor incidents.

I’m well aware of the huge administrative burdens that these rules imposed on providers, and the awful pressure (and long hours) put on people who often worked late into the night to submit (mostly) pointless breach reports on the ICO’s breach portal every day. Yes, it gives the ICO’s enforcement staff something to do each day, but I trust that the ICO’s new strategy will recognise the futility of this mindless work, and that it can see the value in being able to redeploy staff to more significant tasks.

It’s time for a Brexit dividend.

It’s time that organisations in all economic sectors are subjected to the same breach notification rules.

It’s time for the Data Protection and Digital Information Bill to be amended to abolish the old rules and require providers to adopt the data breach reporting rules that apply in all other sectors.

It's time for the DCMS to admit that it was a mistake not to include this provision in the Electronic Communications (Amendment etc.) (EU Exit) Regulations 2019. It's depressing to read the draft SI's Explanatory Memorandum and learn that no formal consultation took place with providers on this specific matter. Evidently the unfair breach reporting rules are deficiencies that are 'minor in nature' - so providers should put up with them.

I say no, these unfair rules should go.

Goodbye and good riddance, Commission Regulation 611/2013!