Telecommunications (Security) Bill
Debate between Earl of Erroll and Lord Clement-JonesTuesday 13th July 2021
(3 years, 4 months ago)
Grand CommitteeRead Full debate Telecommunications (Security) Act 2021 View all Telecommunications (Security) Act 2021 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 15-II(Rev) Second marshalled list for Grand Committee - (13 Jul 2021)
Lord Clement-Jones (LD)
My Lords, I hope I am demonstrating the agility of which the Minister is so fond. As I said earlier in respect of the judicial commissioner, these amendments provide a ready-made mechanism for oversight concerning the proportionality and appropriateness of any measures in the regulations and codes. Taken together, Amendments 9 and 19, would require the Secretary of State to take into account the advice of the technical advisory board—and insert a new clause after Clause 14—and that of a judicial commissioner appointed under the 2016 Act. We have gone a little further in specifying the make-up of the technical advisory board, but we are clearly on the same page as the noble Baroness, Lady Merron, with her Amendment 8.
The Earl of Erroll (CB)
My Lords, I want to speak on this issue as I remember mentioning it at Second Reading. There is a person for whom I have huge respect, Dr Louise Bennett, whose extensive knowledge and sagacity I first ran into when we were talking about ID cards years ago and the whole problem of digital identity and privacy over the internet. If you really want to know about such things, read her work: she has produced a lot of work on this. I think a technical advisory board is essential: these are complex issues. The Minister said that the matters subject to regulation will be technical. I do not see how we can do this without a good technical advisory board, and it is good if we have some view of who goes on it, because it is too easy for these things to disappear off and no one thinks about them. We will keep needing cutting-edge advice and not have groupthink, and these matters are very tricky.
Between Amendments 8 and 9, I could not decide between taking “the utmost” and “full” account; there is a neat little difference in the wording. Otherwise, the point about laying it out properly is important. The other thing, which slightly goes back to our previous debate, is that we get into the whole problem of what are regulations, what is guidance, what are guidelines and what is a code of practice and the different legal stance of those different things. We have to be careful about using them as if they were interchangeable. Regulations will often give rise to a code of practice, breach of which is not necessarily an offence, but they can be linked back to a primary Act offence. We should not bandy those words around interchangeably; they are different. We need a technical advisory board and, between these amendments, we should do something about it.
Lord Clement-Jones (LD)
My Lords, in its evidence to the Bill in the Commons, BT said:
“we believe greater clarity is needed on OFCOM’s planned approach, with safeguards introduced in the Bill to ensure operator burdens are proportionate.”
Amendment 10 seeks to ensure that codes of practice are necessary and proportionate.
As regards Ofcom’s new powers to ensure compliance with security duties as set out in new Section 105M, how will these relate to Ofcom’s existing powers and duties under Sections 3 and 6 of the Communications Act 2003? Will this duty and the new powers Ofcom is being given still be subject to good regulatory practice so that, for example, it still must have regard to the principles of transparency, accountability, proportionality and consistency and not impose unnecessary burdens? How will this fit in with the statement to be made by Ofcom under new Section 105Y?
Amendments 16, 17 and 21 to Clauses 5, 6 and 19, in my name and that of my nobble friend Lord Fox, seek to ensure that the new powers for Ofcom introduced in the Bill are subject to requirements in the 2003 Act regarding carrying out and reviewing its functions. I was pleased that in her letter to noble Lords after Second Reading, the Minister explicitly said:
“When carrying out its security functions, Ofcom will remain bound by its general duties under Section 3 of the Communications Act 2003 as it is now. Section 3(3) provides a duty on Ofcom to have regard to the need for transparency, accountability and proportionality when carrying out its functions. Ofcom will also be bound by its duty under Section 6 of the Communications Act 2003 to review the burden of its regulation on public telecoms providers. If Ofcom fails to carry out its security functions in line with these duties, then it is likely to be subject to legal challenge.”
I very much appreciate those words, which are a very clear interpretation of the existing Act and the duties of Ofcom and the responsibilities it has in the way that it carries them out. Will the Minister repeat that assurance today?
The Earl of Erroll (CB)
My Lords, I want to say a few words on this because the key words “undue burden” stand out. It is very important that we do not put too many burdens, particularly unnecessary ones, on companies. In particular—and this is something that I have often looked at because I have done a lot of work with innovative and growing companies—you must not let large corporations stifle innovation. There is an attitude among them that regulations are for your enemies; they are a very good way of stopping up-and-coming competition. I have also noticed that departments tend to consult the companies which have significant market presence already and see them as being the people who know all about it. However, that does not take account of what is up and coming. The other thing is that they often have people on secondment from them or people who have retired from the companies and gone into the departments, so there can be some interesting biases within. With those few warnings, I think the whole undue burden issue is more important than people might think.
Lord Clement-Jones (LD)
My Lords, I shall speak to Amendments 14 and 15. I wanted to say on the last group of amendments that I entirely agree with the noble Earl, Lord Erroll, about regulation. It is entirely possible for regulation to provide certainty, to stimulate innovation and, in the context of this Bill, to ensure that we have the right framework for our providers to ensure that our security is not compromised. So there is certainly no negativity in that respect towards regulation; the question is whether it is appropriate in the circumstances and not unduly burdensome for those subject to it. That is why the question of parliamentary oversight, which has been mentioned throughout this afternoon, continues to be important, and I think that it will come up again in the next group.
This amendment is on rather a different area. I have quite a lot of sympathy with Amendment 13 in the name of the noble Baroness, Lady Merron, but this is more nuanced than the Bill provides for. I want to quote again from the evidence of BT to the Bill Committee in the Commons. It said:
“We agree with the requirements on operators to support the users of their networks in preventing or mitigating the impact of a potential security compromise … In certain cases”—
and this is a sort of “however”—
“the security of the network may be put at greater risk if potential risks are communicated to stakeholders, providing malicious actors with additional information on potential vulnerabilities in the network that they may seek to exploit. We therefore believe that the Bill should explicitly consider such scenarios and not place obligations on communications providers to inform users of risks whereby doing so it will increase the likelihood of that risk crystallising.”
That is where our first amendment is going. BT further stated that
“the Bill also confers powers on OFCOM to inform others of a security compromise or risk of a compromise, such as the Secretary of State or network users. We understand the intention of the Bill in this regard and support the principle. We believe that this would be most effective when done in conjunction with the operator in question to ensure there is clarity and agreement, where possible, on the timing, audience and messaging of such information provision. This would also ensure that this does not cut across any other obligations that an operator may have, such as market disclosures. The Bill currently does not require OFCOM to consult with the operator prior to informing third parties of a security compromise (or risk of one).”
I think these are fair points. The Government must have an answer before Ofcom is faced with that set of issues. In this light, Amendments 13 and 15 make further provision about the duty to inform users of a risk of security compromise and specify that duties to inform others of “significant risks” of security compromises must be proportionate and not in themselves increase security risks.
The Earl of Erroll (CB)
My Lords, I put my name down to speak to this because the problem with putting a fixed time period on having to report security breaches is that it very much depends on what the breach is. We mentioned patches earlier. If it is a vulnerability in the software—or it may be the hardware—which requires a patch to be released, you must have the time to produce it and test it as fully as possible. You do not want the hackers out there to know what the vulnerability is until you can roll out the answer to it. That is what zero-day attacks are based on. Equally—the noble Baroness is absolutely correct here—you do not want this stuff swept under a carpet to sit there unused for years. Could our technical advisory board give advice at an incident level, or something like that?
Lord Clement-Jones (LD)
My Lords, we know how it is when you are on a roll. This reminds me that it is very unusual for somebody to have the opportunity to get in before the noble Lord, Lord Fox, draws breath, as the Chair did. “Very impressive footwork,” I thought to myself.
There has been a common theme this afternoon of a lack of oversight over aspects of this Bill in many respects—in particular, the regulations and codes. This lack of oversight is compounded by the fact that, under Clause 13, any appeal to the Competition Appeal Tribunal cannot take account of the merits of a case against the Secretary of State. The rationale for this, as the Constitution Committee says,
“is unclear and is not justified in the Explanatory Notes.”
I will quote the Explanatory Notes in full. Clause 13 provides that, in appeals against relevant “security-related” Ofcom decisions, the Competition Appeal Tribunal is to apply ordinary “judicial review principles”, notwithstanding any retained case law or retained general principle of “EU law”—by that they of course mean retained EU law. This means that the tribunal should not “adopt a modified approach” to proceedings, as required under retained EU law, which provides that the “merits of the case” must be “duly taken in account”.
Therefore, this provision disapplies aspects of the ongoing effect and supremacy of retained EU law, as permitted by Section 7 of the European Union (Withdrawal) Act 2018. The rationale for reducing the powers of the tribunal in respect of security matters is unclear and not justified in the Explanatory Notes. The House may wish to ask the Government to justify reducing the powers of the Competition Appeal Tribunal in respect of appeals under Clause 13. That is the motive behind this clause stand part debate.
The most authoritative judgment to date about the current standard of review is the Competition Appeal Tribunal’s TalkTalk Telecom Group plc and Vodafone Ltd v Office of Communications case. This addresses, inter alia, the standard of review on an appeal to the Competition Appeal Tribunal under Section 192 of the Communications Act. The judgment of Peter Freeman QC provides a good analysis of the context and history of the changes to the standard of review. I make no apology for quoting it at some length:
“Of particular relevance to how the Tribunal should approach this appeal are Article 4(1) of the Framework Directive and section 194A of the 2003 Act, as amended by the DEA17 … Article 4(1) provides: ‘Member States shall ensure that effective mechanisms exist at national level under which any user or undertaking providing electronic communications networks and/or services who is affected by a decision of a national regulatory authority has the right of appeal against the decision to an appeal body that is independent of the parties involved. This body, which may be a court, shall have the appropriate expertise available to it to enable it to carry out its functions. Member States”—
this is the key bit—
“shall ensure that the merits of the case are duly taken into account and that there is an effective appeal mechanism…’ … Section 194A provides: ‘The Tribunal must decide the appeal, by reference to the grounds of appeal set out in the notice of appeal, by applying the same principles as would be applied by a court on an application for judicial review.’ … The combined effect of these provisions is to require the Tribunal to apply the same principles as would apply in a judicial review case but also to ensure that the merits of the case are duly taken into account so that there is an effective appeal.”
At paragraph 139, the judgment concludes:
“Given that Article 4(1) continues to apply, it would appear that, in accordance with the Court of Appeal’s view in BT v Ofcom and the High Court’s view in Hutchison 3G, as set out helpfully by the Tribunal in the recent Virgin Media judgment, we should continue, as before, to scrutinise the Decision for procedural unfairness, illegality and unreasonableness but, in addition, we should form our own assessment of whether the Decision was ‘wrong’ after considering the merits of the case.”
“Article 4(1)” refers to the now-repealed framework directive. It should now be read as referring to Article 31(1) of the European Electronic Communications Code—the EECC. The transposition deadline of the EECC was just before the end of the transition period and iseb;normal;j therefore currently binding as part of retained EU law. The wording of the EECC is almost exactly the same as the framework directive in respect of appeals.
That is what will continue to apply across the remainder of the Communications Act for other appeals under Section 192 but is being changed by Clause 13 of the Bill, which amends Section 194A of the Communications Act in respect of security provisions. This is a very significant change to the appeals procedure in security cases. There is a single bald paragraph in the Explanatory Notes, no justification is given—as the Constitution Committee says—and neither is there any evidence of why it is necessary. What evidence does the Minister in fact have of the need to make this major change in respect of security decisions made by Ofcom? I beg to move.
The Earl of Erroll (CB)
My Lords, I saw this and thought that I really did not understand why the Government were doing it. I saw what the Constitution Committee had said and realised that it did not understand why it was needed. I cannot believe that you can have a proper appeal if you ignore the merits of the case. I probably have an overdeveloped sense of justice and I think that to have an appeal where you are not allowed to present half the case or whatever is not a proper appeal. In fact, what you find is that the system can use procedural things to run rings around people who have a very justifiable complaint about something. I did not like the look of it and I entirely agree with everything that the noble Lord, Lord Clement-Jones, said.