On August 30, 2016, the First-tier Tribunal (Information Rights) (the “Tribunal”) dismissed an appeal from UK telecoms company TalkTalk Telecom Group PLC (“TalkTalk”) regarding a monetary penalty notice issued to it on February 17, 2016, by the UK Information Commissioner’s Office (“ICO”). The ICO had issued the monetary penalty notice to TalkTalk, for the amount of £1,000, for an alleged failure to report an October 2015 data breach to the ICO within the legally required time period.
The ICO’s decision to issue a monetary penalty notice was based on a telephone complaint received by TalkTalk from one of its customers on November 16, 2015. The customer then sent a letter of complaint to TalkTalk on November 18, 2015, and raised the matter with the ICO on the same day. On November 27, 2015, TalkTalk responded to a request from the ICO for further information, and stated that the incident was being investigated and that the ICO would be notified if and when TalkTalk determined that a data breach had occurred. On December 1, 2015, TalkTalk formally notified the ICO of the data breach.
The UK Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) require providers of public electronic communications services, such as telecoms companies and internet service providers, to notify the ICO of any personal data breach. Commission Regulation (EU) No 611/2013 (the “Notification Regulation”) sets the content of that notification and requires that the breach be notified to the ICO no later than 24 hours after its detection, where feasible.
The issue to be decided by the Tribunal was whether TalkTalk could rightly be said to have detected the personal data breach, or to have acquired sufficient awareness of the breach to notify the ICO, when TalkTalk received the customer’s letter of complaint on November 18, 2015.
TalkTalk argued that it only “detected” or acquired sufficient awareness of the personal data breach after TalkTalk had concluded its own investigation into the complaint raised by the customer, and that it was normal practice for notification to take place within 24 hours of the conclusion of an investigation and not within 24 hours of receipt of a complaint. TalkTalk stressed that, given that it has approximately 4 million customers and receives approximately 50 such complaints a month, it could not reasonably investigate each complaint, and potentially report any data breaches to the ICO, within 24 hours of receipt of each complaint.
The ICO argued that “detection” is distinct from “conclusive confirmation,” and that detection occurs once TalkTalk has acquired “sufficient awareness” that a personal data breach has occurred to enable it to make a meaningful notification. The ICO also argued that, given the level of detail and supporting evidence that the customer provided in the complaint letter of November 18, 2015, that threshold was met well before TalkTalk concluded its internal investigation.
The Tribunal upheld the ICO’s decision to issue a monetary penalty notice on the basis that all of the information that TalkTalk was required to provide to the ICO under the Notification Regulation was available to TalkTalk as a result of the customer’s November letter of complaint, and none of the information provided to the ICO appeared to derive from the investigation carried out by TalkTalk after receipt of that letter. The Tribunal was careful to distinguish these facts from the situation where a customer makes a general complaint of a suspected data breach which would require further investigation before the notification obligation under PECR crystallizes.
Although the fine in contention in the proceedings was only £1,000, the ruling is expected to provide useful guidance as to the knowledge threshold for notification under PECR and, going forward, the interpretation of the data breach notification obligation under the EU General Data Protection Regulation, which will apply from May 2018 and which requires notification to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach.