UK fibre to the home (FTTH) investment: Data protection

The UK Data Protection Act 2018 and the UK's implementation of the General Data Protection Regulation (GDPR)

While a full overview of data protection requirements is outside the scope of this publication, the data protection implications should be given consideration to the extent that the assets involve the use (“processing”) of any form of any form of “personal data”, which is defined widely as any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier.

This will include IP addresses, post codes, etc. and so is relevant to ISPs (particularly those providing retail business-to-consumer - B2C - broadband connections). Where personal data is processed, the data protection regime will apply.

The data protection regime applies to controllers (organisations that determine the purpose and means of processing of personal data) and processors (organisations which act on behalf of controllers and process personal data in accordance with their instructions).

Key requirements include the following:

• Data security obligations.
• Regulatory reporting obligations in connection with personal data breaches (with a 72 hour notification window).
• The requirement to impose mandatory contractual terms where personal data is shared with a processor (for example, a service provider).
• The requirement to limit any processing of personal data to that which is necessary to achieve a defined purpose and export restrictions (which require certain conditions to be met prior to transferring personal data outside of the UK/EEA).
• Controllers must issue a detailed privacy notice explaining to the individuals to whom the personal data relates how the controller intends to process their personal data, and the lawful basis (or “justification”) for that processing.
• Individuals are given a framework of rights relating to their personal data, which controllers must comply with.

Data protection implications can be particularly significant where there is a requirement to access (or a risk of unauthorised access to) the data transmitted by individuals across the internet or telephone.

Fines under the data protection regime can be as high as £17.5m or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.

It is therefore important that due diligence is conducted into the target company’s data protection compliance to understand the risks and potential liabilities (and what actions may be required to address non-compliance).

Privacy and Electronic Communications Regulations PECR

The relevant provisions of PECR apply specifically to organisations that provide a public electronic communications network or service. Under PECR, public electronic communications service providers (including telecoms providers) are expected to put in place measures to protect data against accidental or unlawful destruction, accidental loss or alteration.

Telecoms providers should be prepared to comply with the expectations of both Ofcom under the TSA, and the ICO in respect of PECR should they suffer a security incident or personal data breach.

Public electronic communications service providers are required to notify a personal data breach to the ICO within 24 hours of becoming aware of the breach (note that this is a shorter timescale than that applicable under the UK GDPR outlined above).

The ICO may take into account any failure to report on time when considering any wider enforcement action.

Fines under PECR are capped at £500,000, but it should be noted that, where there is a breach under PECR, there is often a breach under the data protection regime as well, which can give rise to exposure to the higher fines mentioned above.