The Communications Regulation and Digital Hub Development Agency (Amendment) Act 2023 (the "Act") and the European Union (Electronic Communications Code) Regulations 2022 (the "Regulations") were commenced on 9 June 2023 via S.I. 299/2023 and 300/2023, giving ComReg enhanced regulatory powers in a number of key areas. This commencement is welcomed by the telecoms sector as it is long overdue, and long after the EECC implementation deadline of December 2020. Together, the Act and the Regulations bring a revision of the EU regulatory framework for telecoms.
Overall, the legislative package enhances the need for regulatory awareness as it strengthens ComReg’s regulatory framework, and provides for a new civil enforcement regime alongside an updated criminal enforcement procedure for the electronic communications sector.
The legislation is expected to enhance ComReg's regulatory powers in a number of ways:
New enforcement powers under the Act
- allowing ComReg itself to vigorously enforce operators' obligations (rather than depending on Court outcomes and settlements);
- establishing an enhanced alternative dispute resolution process;
- establishing a new compensation scheme that will entitle consumers to compensation for specific customer service failings on the part of their operator;
New Rules under the Act and the EECC Regulations
- ComReg can set minimum quality of service standards that operators must guarantee to their consumers, including in the form of a new "Customer Charter";
- new rules on security of electronic communications networks;
- new obligations on OTT service providers, who will come under a brand-new legal framework that was so far applicable only to traditional telecom operators;
- updates to end-user rights enjoyed by consumers of electronic communications services in the Union;
- expansion of rules governing the assignment and use of radio spectrum.
The Act makes several amendments to the Communications Regulation Act 2002, updating ComReg’s investigatory and prosecutorial powers. It also transposes additional security provisions and provide a mechanism for the Minister to specify security measures by Regulation and to make guidelines relating to network security and to provide a legislative basis to enforce the Electronic Communications Security Measures.
It is also worth noting that due to the expanded definition of an electronic communications service ("ECS") under the new legislation, a wider range of services, including OTT service providers, within fall within the remit of the Irish ePrivacy Regulations 2011. Amongst other requirements, this will mean that such service providers will need to report relevant personal data breaches to the Irish Data Protection Commission within the 24 hour time limit required under those Regulations (rather than the 72 hour limit permitted under the GDPR). In addition, there is no mitigating risk assessment under these Regulations. Accordingly, all personal data breaches will need to be notified, whether or not they present a risk to the rights and freedoms of individuals, unless measures have been implemented to render the data unintelligible to unauthorised persons.