18/10/2022
Briefing

The Draft Bill will introduce significant reforms to the Irish regulatory regime for electronic communications; in particular, by amending substantially the Communications Regulation Act 2002 (the “2002 Act”). It also designates the Commission for Communications Regulation (“ComReg”) as the competent authority for the purpose of enforcing the Code in Ireland.

The Draft Bill focuses on giving effect in Irish law to the provisions of the Code dealing with enforcement, security, dispute resolution and a number of end-user rights. It seeks to impose potentially wide-ranging obligations on network and service providers, including to mitigate security risks and report security incidents to ComReg.

Scope of the Draft Bill

The key provisions of the Draft Bill can be broadly divided into:

  • Additional obligations for providers of an electronic communications network (“ECN”) and/or an electronic communications service (“ECS”) (“Providers”), including specific measures that Providers must take to ensure their services are both safe and effective for consumers; and
  • Procedural reforms to the civil enforcement regime, including the enhancement of pre-existing powers of enforcement by introducing a system of adjudication and civil sanctions.

Obligations on Providers regarding security, consumer protections and disputes

Obligation to manage security risks

A Provider will be required to take “appropriate and proportionate technical and organisational measures” to manage any risks posed to the security of the ECN/ECS that it operates. Although the Draft Bill provides that these measures must be “state of the art” and should include the use of encryption where appropriate, it does not yet provide specific details in relation to the nature of the measures to be used.

However, the Draft Bill does provide that the Minister for the Environment, Climate and Communications (the “Minister”) can consult with ComReg and issue regulations in relation to the types of measures required to be taken by Providers in relation to their ECN/ECS and any associated facilities. It is an offence for a Provider to fail to comply with a regulation issued by the Minister and any such Provider may be liable to a fine of up to €5,000.

In addition, the Minister may consult with ComReg and issue security measure guidelines to provide practical guidance to Providers in relation to their obligation to manage such risks. In any legal proceedings before the courts, or in any enforcement action taken by ComReg or an adjudicator (see further details below) under the Draft Bill, the relevant authority will have regard to any security measure guidelines that the Minister has previously published.

Obligation to notify security incidents to ComReg/customers 

A Provider will be obliged to notify ComReg of any security incident that has had or is having a “significant impact” on the operation of its ECN/ECS without undue delay. When determining whether an incident should be regarded as “significant”, a Provider should have regard to a range of factors including the duration of the incident, the number of users affected and the geographical area affected.

As regards the obligations to notify such incidents, the Draft Bill specifies the following:

  • Where a significant security incident has occurred, the Provider must provide ComReg with all relevant details by way of a formal notification, including the factors set out above and other information regarding the nature and impact of the incident.
  • Where ComReg determines that the security breach represents a threat to the wider public, it may require that details of the incident are made publicly available.
  • In the case of a particular and significant threat of a security incident, the Provider must inform any potentially affected users of any possible protective measures or remedies that they can take.

In addition, where ComReg considers that a security incident has occurred or may occur in relation to a Provider’s ECN/ECS, the Draft Bill specifies that it may issue a security measures direction to the Provider, requiring them to take certain actions to remedy/prevent the incident.

A Provider that fails to properly notify such an incident to ComReg or any potentially affected users, or fails to comply with a ‘security measure direction’, will have committed an offence and may be liable to a fine not exceeding €5,000.

Specific protections for consumers and other end-users

The Draft Bill creates additional obligations for Providers that provide specific categories of ECS, namely internet access services or publicly available interpersonal communications services (“IAS and ICS Providers”). Although the Draft Bill states that ComReg “may” impose certain obligations on IAS and ICS Providers, it does not specify the circumstances in which ComReg can exercise this power, potentially leaving ComReg with a significant amount of discretion.

Under the terms of the Draft Bill, ComReg may:

  • Require IAS and ICS Providers to publish user-friendly and up-to-date information to their consumers/end-users in relation to the quality of their services (including whether their services are affected by any external factors such as network connectivity) as well as how they facilitate access for any end-users with disabilities.
  • Specify minimum quality-of-service standards that IAS and ICS Providers must meet when providing these services to their end-users, including in relation to customer service and complaint handling, outages and repairs, switching services, and billing and refunds.
  • Require IAS and ICS Providers to publish and maintain a publicly available customer charter outlining their compliance with the prescribed levels of service mentioned above. IAS and ICS Providers will be required to notify the public if they do not comply with these standards and ComReg may arrange an audit to ensure that the relevant provider is acting in compliance with their customer charter.  Failure to properly maintain a customer charter and/or failure to comply with any direction or audit request from ComReg in relation to the customer charter is an offence and may be subject a fine of up to €5,000.

End-user compensation scheme

The Draft Bill provides for a specified failure compensation scheme relating to those Providers providing either internet access services or number-based interpersonal communications services.

Where such a Provider fails to comply with (a) the prescribed minimum service standards set out in the Draft Bill or (b) their provider switching and number portability obligations, they will have committed a ‘specified failure’ and be obliged to create a scheme of compensation outlining the amount, means and time period in which compensation will be paid to affected end-users. The maximum amount of compensation that a Provider will generally be required to pay to an affected end-user is €5,000.

The compensation scheme must be established in a user-friendly manner and must be published on the relevant Provider’s website. The Provider must also report to ComReg annually in relation to the operation of its compensation scheme, including specific details of the compensation that has been paid each year.

Complaints and dispute resolution

The Draft Bill requires Providers to prepare, publish, keep updated and implement a code of practice for dealing with complaints and for settling disputes with end-users relating to the contractual conditions or performance of contracts (regardless of whether or not the end-users have a direct contractual relationship with the Provider). The code of practice must include all relevant details for the handling of complaints, including the first point of contact and the timeframes within which the Provider shall respond.

The Provider must inform end-users that they have a right to refer a dispute to ComReg if their complaint is not resolved within ten days and will be obliged to deliver a bi-annual report to ComReg outlining the complaints made in the preceding six months.² Failure to comply is also an offence, and may be subject to a fine of up to €5,000.

Enhanced Enforcement Regime

The Draft Bill proposes updates and enhancements to ComReg’s investigation and enforcement powers and introduces a new system of adjudication for the imposition of penalties.

Interim measures

The Draft Bill provides that ComReg may impose ‘urgent interim measures’ where it has evidence of a regulatory breach (or a substantial likelihood of such a breach occurring) that (a) represents a threat to public safety, security or health, or (b) risks creating serious economic or operational problems for other providers or users of an ECN/ECS. ComReg will serve a formal notice on the person suspected of the breach (or anticipated breach), setting out the evidence of the breach and specifying any measures that must be taken to remedy (or prevent) the breach in question.

Any interim measures will be injunctive in nature, designed to temporarily suspend or prevent a regulatory breach. Barring exceptional circumstances, a person subject to any such interim measure

Preliminary investigations by ComReg

The Draft Bill proposes that, where an authorised officer appointed by ComReg suspects on reasonable grounds that a person has committed or is committing a regulatory breach, they may issue a ‘notice of suspected non-compliance’ (a “Notice”) to the person in question (the “Notified Person”). ComReg may also publish the Notice on its website. The Notice will set out the grounds of the authorised officer’s suspicion and inform the Notified Person of their right to make submissions in response. The authorised officer will also provide the Notified Person with the materials relied upon in reaching a view on the suspected non-compliance.

Prior to commencing an investigation into the suspected breach (or during the course of this investigation provided an adjudicator has not made a final decision), the Draft Bill specifies that ComReg and the Notified Person may:

  • Enter into an agreement to resolve the issue;
  • Enter into binding commitments proposed by the Notified Person to address the breach, and the finalised commitments will be published on ComReg’s website once agreed and executed; or
  • Reach a settlement to resolve the issue, following which the authorised officer shall prepare a report setting out the relevant details (including any administrative sanctions to be imposed on the Notified Person) and the matter will be referred to adjudication on consent.

Where no such resolutions can be reached, it is proposed that the authorised officer will proceed with a detailed investigation into the suspected breach. In addition to the authorised officer’s existing powers under the 2002 Act, including the power to enter premises/vehicles and seize documents and other records as required, the Bill grants the authorised officer additional powers to:

  • Require certain individuals in a position to facilitate access to computers and other data equipment in a given premises/vehicle to assist the authorised officer in this regard; and
  • Seize any computer or other equipment as the authorised officer considers appropriate.

Following their investigation into the suspected non-compliance, the authorised officer will liaise with ComReg and either (a) close the investigation without taking any further action or (b) where they still suspect that a breach has occurred, prepare a formal ‘referral report’ and refer the matter to adjudication.

Adjudication

The Draft Bill provides that the Minister will appoint persons nominated by ComReg to form a panel of adjudicators, who will be independent in the performance of their functions and will have had no role in the preliminary investigation by ComReg.

On receipt of a notice that a matter has been referred to adjudication, the Notified Person can make written submissions on the referral report. Adjudicators have the ability to request further information, to receive submissions and to conduct oral hearings where necessary. When conducting an oral hearing, the adjudicator has powers similar to those of a High Court judge, including the ability to compel witnesses, order the procurement of documents and oversee the giving of evidence on oath. Failure to comply with these directions is an offence and may result:

  • On summary conviction, to a fine not exceeding €5,000 or a term of imprisonment not exceeding 6 months (or both); or
  • On conviction on indictment, to affine not exceeding €250,000 or a term of imprisonment not exceeding 5 years (or both).

Having considered all evidence presented during the course of this process, the adjudicator may make a decision as to whether, on the balance of probabilities, the Notified Person has committed a regulatory breach. Where the adjudicator determines that a breach has occurred, they may impose measures deemed necessary to remedy the breach, including:

  • Ordering the payment of a financial penalty where considered necessary, not exceeding: (a) in the case of a company, €5 million or 10% of the company’s annual turnover; or (b) in the case of a natural person, €500,000 or 10% of the individual’s annual income.
  • Ordering the payment of a refund and/or compensation to the end user where they have been unfairly impacted by the breach in question; and
  • Ordering the suspension or withdrawal of the Notified Person’s general authorisation, where the adjudicator considers that there have been serious or repeated breaches by the Notified Person.

All decisions of the adjudicator must be confirmed by the High Court, who will uphold the decision unless it considers it to be disproportionate, erroneous or containing a clear error of law.  A Notified Person can also appeal the adjudicator’s decision to the High Court within 28 days of the decision (though this deadline can be extended in extenuating circumstances).

Updated Regulatory Definitions

The Draft Bill will introduce or clarify a number of important definitions relevant to the new or existing obligation on Providers. Of particular relevance:

  • As under the 2002 Act, the definition of an ECS will cover “a service normally provided for remuneration via electronic communications networks … with the exception of services providing, or exercising editorial control over, content transmitted using electronic communications networks and services”, but, reflecting the provisions of the Code, the Draft Bill provides that an ECS will also encompass:
    • An ‘internet access service’, meaning “a publicly available electronic communications service that provides access to the internet, and thereby connectivity to virtually all end points of the internet, irrespective of the network technology and terminal equipment used”;² and
    • An ‘interpersonal communications service’, which covers a “service normally provided for remuneration that enables direct interpersonal and interactive exchange of information via electronic communications networks between a finite number of persons”. However, where the interpersonal and interactive communication is only “a minor ancillary feature that is intrinsically linked to another service”, this will not be considered an interpersonal communications service.
  • The definition of associated facilities in the Draft Bill makes much clearer the type of infrastructure covered and comprises “associated services, physical infrastructures and other facilities or elements” associated with an ECN or an ECS which enable or support the provision of services via that network or service, or have the potential to do so, and include “buildings or entries to buildings, building wiring, antennae, towers and other supporting constructions, ducts, conduits, masts, manholes and cabinets”.
  • An associated service is defined separately as a service associated with an ECN or an ECS that “enables or supports the provision, self-provision or automated-provision of services” via that network or service, or has the potential to do so. Associated services include number translation or systems offering equivalent functionality, conditional access systems and electronic programme guides as well as other services such as identity, location and presence services.

The definitions of associated facilities and associated services are incorporated into the definition of “undertaking” in the 2002 Act, and providers of these facilities and services are subject to a number of obligations under the 2002 Act as amended by the Draft Bill.

Conclusion

Alongside the transposition of the Code, the Draft Bill proposes significant reforms to the Irish regulatory regime for telecommunications services and impose considerably higher obligations on Providers in respect of how they identify, manage and address any security or other operational issues with the ECN/ECS they provide.

In terms of how it will operate following commencement, the Draft Bill provides for a transitional phase whereby the current regulatory regime will continue to apply to certain enforcement actions initiated by ComReg prior to the new regime coming into force. However, the Draft Bill also ensures that these pre-existing investigations can be referred for adjudication where ComReg has issued a notice of non-compliance to the undertaking in question and, despite providing the undertaking with an opportunity to remedy this issue, ComReg is of the opinion that the non-compliance is ongoing.

The Draft Bill is currently working through the legislative process and may be subject to further amendments prior to its enactment (expected to be in early 2023). We will provide an updated briefing once the Draft Bill is enacted in final form.

For further information, please contact a member of the Arthur Cox Telecoms team.

[1] Directive (EU) 2018/1972.  This Directive was due to be transposed by all Member States by 21 December 2020, and its remaining provisions (i.e. those not relating to enforcement, security, dispute resolution and end-user rights) will be transposed in Ireland by way of the European Union (Electronic Communications Code) Regulations 2022 (S.I. 444 of 2022).

[2] Providers will be required to provide their first report on end-user complaints to ComReg within the first six months of this provision coming into operation.

[3] Article 2 of Regulation (EU) 2015/2120.

[4] The 2002 Act defined “associated facilities” as “those facilities associated with either or both an ECN and an ECS which enable or support the provision of services by way of that network or service, and includes conditional access systems and electroic programme guides.

This briefing contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.