Bond Pearce

The Information Commissioner's Office (ICO) has issued a guidance note detailing its enforcement plans for the amended Privacy and Electronic Communications Regulations (Regulations).

The amended Regulations most notably now require user consent for the use of cookies. Existing browser settings are not considered sophisticated enough to deliver that consent under the new Regulations, so organisations will need to find an alternative means of obtaining it from users.
 
Ed Vaizey, Minister at the Department for Culture, Media and Sport, previously suggested that the government was not expecting the ICO to take any enforcement action in the short term against organisations failing to comply with the consent requirement for cookies. The ICO has now officially confirmed that the Information Commissioner will not take enforcement action for up to 12 months, until May 2012, where organisations are working to address their use of cookies or are engaged in development work on browsers and/or other solutions. This is to allow organisations time to "get their house in order", but it also recognises that technical solutions will take time to be developed, evaluated and rolled out.

The Information Commissioner has indicated that his approach in the next 12 months to complaints made about non-compliance with the 2011 Regulations will be to provide advice to the organisation concerned on the requirements of the law and how they might comply. However, where appropriate and as May 2012 approaches, he will be requiring organisations to explain the steps they are taking to demonstrate full compliance with the Regulations by May 2012 and he is prepared to issue a warning about the future use of his enforcement powers if organisations do not make adequate preparations for compliance by May 2012. The ICO has specifically said that "Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules."
 
The guidance on enforcement action also details the powers of the ICO, which will enable the Commissioner to:

  • impose civil monetary penalties of up to £500,000 for serious breaches of the Regulations
  • audit measures taken by providers of public electronic communications services (service providers) to safeguard the security of that service and comply with the new requirements relating to notification of data breaches and recording requirements (such audits will not require the consent of the service provider)
  • impose a fixed monetary penalty of up to £1000 on service providers that fail to comply with the breach notification requirements
  • require a communications provider to provide information necessary to investigate the compliance of a third party with the Regulations (a third party information notice).


Monetary Penalties

The use of civil monetary penalties is intended to be limited to circumstances where:

  • there has been a serious contravention of the Regulations
  • the contravention was of a kind likely to cause substantial damage or substantial distress
  • the contravention was deliberate or the person responsible knew or ought to have known that a contravention would occur and failed to take reasonable steps to prevent it.

The guidance suggests that monetary penalties will be imposed in limited circumstances only. The requirement for "substantial damage or substantial distress" is unlikely to be met by the effect on any one individual, but could be met where large numbers of people are affected by the breach.

The Commissioner intends to issue guidance on how the ICO will exercise its power to impose civil monetary penalties for breaches of the Regulations, and this is broadly expected to be in line with the ICO's current approach under the Data Protection Act. The revised guidance is not expected to be ready before October 2011, and the ICO does not intend to impose monetary penalties under the Regulations until it is published.

Audit

Although no consent is required to audit service providers, the ICO will still seek a service provider's agreement before carrying out an audit and will only use its power to impose a compulsory audit where the audit cannot be carried out with consent.

The ICO is intending to engage service providers in discussions to assist with the development of detailed guidance on the use of this audit power and does not expect to conduct any audits until this guidance is published. There is currently no estimated date for when this guidance will be ready.

It is worth noting that unlike under the Data Protection Act, the audit powers under the Regulations do not prevent the ICO from imposing civil monetary penalties for breaches discovered during an audit.

Fixed Monetary Penalties

The ICO considers that service providers need little time to implement the new breach notification requirements, as they are broadly in line with the voluntary breach notification system already in place. The Commissioner will, however, issue a more detailed guidance note on the application of the breach notification requirement. A one month lead time will be allowed after that guidance is published, after which service providers could become liable to fixed monetary penalties. The ICO has discretion over whether to impose such a penalty where a failure to notify is discovered during an audit and, where multiple failures are discovered, over whether to impose a single penalty or several.

Third Party Information Notices

This new power came into force on 26th May 2011 along with the Regulations.

A final point to note is that the new Regulations require communications providers to have in place procedures to deal with requests for access to users' personal data for the purposes of national security, legal requirements and law enforcement. Information about these procedures, the number and nature of requests received, and the responses provided should be made available to the ICO on request.

A three month lead time will be permitted to allow organisations to establish the necessary procedures, so the Commissioner will not use his enforcement powers in this regard until August 2011.

This briefing does not constitute legal or other professional advice and should not be relied on as such. Specific advice should be sought about your individual circumstances.


Bond Pearce LLP is a leading commercial law firm providing regulatory, corporate, commercial, real estate and dispute resolution services to some of the UK’s pre-eminent organisations. We are recognised nationally particularly for our work in the energy, commercial insurance, real estate and retail sectors, and for our approach to client service. © Copyright 2011 Bond Pearce LLP. All rights reserved. 3, Temple Quay, Temple Back East Bristol, BS1 6DZ