Data Protection and Digital Information Bill – in the House of Commons at 4:15 pm on 29 November 2023.
“(1) In regulation 5A of the PEC Regulations (personal data breach)—
(a) in paragraph (2), after “delay” insert “and, where feasible, not later than 72 hours after having become aware of it”, and
(b) after paragraph (3) insert—
“(3A) Where notification under paragraph (2) is not made within 72 hours, it must be accompanied by reasons for the delay.”
(2) In Article 2 of Commission Regulation (EU) No 611/2013 of
(a) in paragraph 2—
(i) in the first subparagraph, for the words from “no” to “feasible” substitute “without undue delay and, where feasible, not later than 72 hours after having become aware of it”, and
(ii) in the second subparagraph, after “shall” insert “, subject to paragraph 3,”, and
(b) for paragraph 3 substitute—
“3. To the extent that the information set out in Annex 1 is not available to be included in the notification, it may be provided in phases without undue further delay.””—(Sir John Whittingdale.)
This adjusts the period within which the Information Commissioner must be notified of a personal data breach. It also inserts a duty (into the PEC Regulations) to give reasons for not notifying within 72 hours and adjusts the duty (in Commission Regulation (EU) No 611/2013) to provide accompanying information.
Brought up, read the First and Second time, and added to the Bill.