Publication
Road to COP29: Our insights
The 28th Conference of the Parties on Climate Change (COP28) took place on November 30 - December 12 in Dubai.
United Kingdom | Publication | 9月 2023
There is significant interest among investment funds in investing in the roll-out and take up of fibre-to-the-home (FTTH) networks in the UK which, along with incentives from the UK government, has resulted in a boom of regional and national fibre network providers and internet service providers (ISPs), with now over 150 broadband providers in the market, according to USwitch.
Growth in the sector is in large part due to a demand for higher broadband speeds arising from a shift towards remote working and customers’ media usage, as well as a conscious push from the UK government (which has included grant funding in the form of the Building Digital UK voucher scheme).
While investment has slowed recently due to lower than anticipated uptake in customer connections, higher costs of capital and concerns regarding over-build, we are nonetheless seeing a number of new equity and debt financings, as well as a likely uptick in consolidations in the market.
Here we set out the key regulatory and data protection considerations that investors in this sector should bear in mind when investing in the UK fibre space and that should be borne in mind in the context of consolidations in the space, in the following parts:
While a full overview of data protection requirements is outside the scope of this publication, the data protection implications should be given consideration to the extent that the assets involve the use (“processing”) of any form of any form of “personal data”, which is defined widely as any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier.
This will include IP addresses, post codes, etc. and so is relevant to ISPs (particularly those providing retail business-to-consumer - B2C - broadband connections). Where personal data is processed, the data protection regime will apply.
The data protection regime applies to controllers (organisations that determine the purpose and means of processing of personal data) and processors (organisations which act on behalf of controllers and process personal data in accordance with their instructions).
Key requirements include the following:
Data protection implications can be particularly significant where there is a requirement to access (or a risk of unauthorised access to) the data transmitted by individuals across the internet or telephone.
Fines under the data protection regime can be as high as £17.5m or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.
It is therefore important that due diligence is conducted into the target company’s data protection compliance to understand the risks and potential liabilities (and what actions may be required to address non-compliance).
The relevant provisions of PECR apply specifically to organisations that provide a public electronic communications network or service. Under PECR, public electronic communications service providers (including telecoms providers) are expected to put in place measures to protect data against accidental or unlawful destruction, accidental loss or alteration.
Telecoms providers should be prepared to comply with the expectations of both Ofcom under the TSA, and the ICO in respect of PECR should they suffer a security incident or personal data breach.
Public electronic communications service providers are required to notify a personal data breach to the ICO within 24 hours of becoming aware of the breach (note that this is a shorter timescale than that applicable under the UK GDPR outlined above).
The ICO may take into account any failure to report on time when considering any wider enforcement action.
Fines under PECR are capped at £500,000, but it should be noted that, where there is a breach under PECR, there is often a breach under the data protection regime as well, which can give rise to exposure to the higher fines mentioned above.
Publication
The 28th Conference of the Parties on Climate Change (COP28) took place on November 30 - December 12 in Dubai.
Subscribe and stay up to date with the latest legal news, information and events . . .
© Norton Rose Fulbright LLP 2023