Telecommunications (Security) Bill Debate
Lord Clement-Jones (Liberal Democrat - Life peer)
(3 years, 4 months ago)
Lords Chamber
My Lords, I thank the Minister for her very fair introduction to the Bill. As a former member of Huawei’s international advisory board, I am somewhat conflicted in a discussion about the principles of the Bill, especially following the various twists and turns in government policy. I very much support the 5G supply chain diversification strategy, but the questions raised by my noble friend Lord Fox and the noble Lord, Lord Young, need to be answered. How it is progressing and where any financial support is going need to be the subjects of regular report by government, given that in the short term we are faced by a stark dual-supplier market.
As my noble friend Lord Fox has indicated, however, I want to focus on, and confine myself to, a debate about the wide-ranging new powers in the Bill for the Secretary of State and Ofcom and the lack of adequate checks and balances, especially in terms of oversight, whether parliamentary, judicial or, indeed, technical, which permeates the Bill. If there are going to be these extensive new powers, we need to make sure that they are exercised properly and with due process and consultation.
The Delegated Powers Committee report referred to by the noble Lord, Lord Young, is just the tip of the iceberg. It draws the attention of the House to the proposed new Section 105E of the Communications Act 2003, which gives the Secretary of State power to issue, revise or withdraw codes of practice about security measures that should be taken by providers in the performance of their duties to prevent security compromises. There is a duty to consult with Ofcom and providers but no oversight or approval role for Parliament.
I am glad to say that the committee, in the light of the importance of the code in assessing compliance and in enforcement by Ofcom, was unconvinced by the department’s claim that this was too detailed and technical, and “not legislative”. As the committee says,
“The Bill provides for codes of practice to play a significant role–both in relation to the exercise of OFCOM’s regulatory functions and in legal proceedings - in supplementing the important duties to take security measures that the Bill imposes on providers.”
It concludes:
“In our view, it is unacceptable for codes of practice that will have the significant statutory effects provided for in this Bill to be subject to no Parliamentary scrutiny procedure.”
I differ from the committee simply in that, in my view, the procedure to be adopted must, at minimum, be the affirmative procedure. As Comms Council UK has pointed out, Section 105E is not the only proposed new section which gives the Secretary of State extensive powers; there are others. Proposed new Section 105Z1, for example, gives power for the Secretary of State to outlaw the use of individual vendors, where there is potentially no parliamentary oversight, if the Secretary of State considers it would be contrary to national security—as has been referred to by other noble Lords. Surely that is exactly where oversight by the Intelligence and Security Committee, as the noble Lord, Lord West, has so cogently said, or by the Investigatory Powers Commissioner, as the Constitution Committee has suggested, would be not only appropriate but essential. The whole area of enforcement of compliance and, under proposed new Section 105Z27, as regards power to require information and the requirement not to disclose, needs similar oversight.
Nor is there any dedicated role for judicial oversight. Unlike similar legislation, such as that under Part 8 of the Investigatory Powers Act 2016, there are no provisions for judicial oversight of the Secretary of State’s powers. This is compounded by the fact that, under Clause 13, in any appeal to the Competition Appeal Tribunal, the tribunal cannot take account of the merits of a case against the Secretary of State, the rationale for which, as the Constitution Committee says,
“is unclear and is not justified in the Explanatory Notes.”
Can the Minister make a better fist of the explanation today?
With regard to Ofcom’s new powers to ensure compliance with security duties, as set out in the proposed new Section 105M, how will these relate to Ofcom’s existing powers under Sections 3 and 6 of the Communications Act 2003? Will this duty and the new powers Ofcom is being given still be subject to good regulatory practice so that, for example, it still must have regard to the principles of transparency, accountability, proportionality and consistency, and not impose unnecessary burdens? How will this fit in with the statement to be made by Ofcom under proposed new Section 105Y? What assurance can the Minister give? Will we see a draft during the passage of the Bill?
Similar considerations apply to the new Ofcom powers to assess compliance under Clause 6 and in regard to inspection notices under Clause 19. As the council has also pointed out, there are no clear mechanisms for technical feedback or expertise to be fed in. It observes that many of the technical requirements that will be placed on its members are not in the text of the Bill but in accompanying documents which are either yet to be published or are receiving very little scrutiny.
Already it is clear that, in the draft Electronic Communications (Security Measures) Regulations, which are to be made by virtue of the proposed new Sections 105B and 105D, giving the Secretary of State power to make regulations to require telecoms companies to take “specified security measures” and “in response to security compromises”, there are real issues with regard to provisions about patches and supply chains and definitions regarding audit and monitoring of foreign network operations centres, and it is not clear that expert technical industry comments are being taken on board. What further consultations are planned? Is this not exactly where a technical advisory board and/or panel, as under the 2016 Act, is needed? Will they even be subject to the affirmative procedure in Parliament?
This lack of clarity and transparency is causing a great deal of uncertainty within the industry. Measures are being proposed that are either technically unworkable or potentially damaging to the strength and health of the UK telecoms industry. Particular concerns arise for providers whose networks are not based purely in the UK and who do not have the relationships with the department, Ofcom and the NCSC that domestic providers may have if there is no structured consultation, oversight and update process when codes are being drawn up. BT itself says:
“we believe greater clarity is needed on OFCOM’s planned approach, with safeguards introduced in the Bill to ensure operator burdens are proportionate.”
It also makes the point that the flexibility in the Bill should not be used to bring forward any deadlines for removal of equipment. What assurance can the Minister give on this?
As well as concerns about the new powers, there is also concern reflected by the Constitution Committee about the width of crucial definitions such as “security compromise” and “connected security compromise” contained in the Bill, and the consequences that flow, particularly as regards planned outages and the need to make a clear distinction between reporting on security compromises and on resilience.
I think that I have gone into enough detail at this Second Reading to amply demonstrate that we have quite an amendment job ahead of us in Committee and on Report.
Telecommunications (Security) Bill Debate
Lord Clement-Jones (Liberal Democrat - Life peer)
(3 years, 3 months ago)
Grand Committee
My Lords, I hope the Committee will forgive me if I move on to drier but—I hope the Committee will agree—important ground. In moving Amendment 2, I will also speak to Amendments 3, 4, 5 and 6.
Amendment 2, along with similar amendments to Clause 1 in the name of my noble friend Lord Fox and myself, seeks to narrow the scope of the definitions of “security compromise” and “connected security compromise”. As well as having concerns about oversight of the new powers of the Secretary of State, which we will debate later, there is also concern, reflected by the Constitution Committee, about the width of these crucial definitions and the consequences that flow, particularly as regards planned outages and the need to make a clear distinction between reporting on security compromises and on resilience.
I say this in the context of the impact assessment of 9 June, which stresses the large degree of uncertainty surrounding the costs to be incurred by business, amplified by the report of the Regulatory Policy Committee under its new chair. The Constitution Committee says:
“Clauses 1 and 2 impose duties on providers of a public electronic communications network or service … These include taking such measures as are appropriate and proportionate for the purposes of identifying and reducing the risk of security compromises occurring. The Bill defines security compromises, but the Explanatory Notes acknowledge this definition is broad and do not explain their intended scope. The consequences of a security compromise for providers are potentially significant, including substantial and costly duties of due diligence”—
this echoes the impact assessment. It goes on:
“The House may wish to consider whether narrowing the definition of security compromises would be appropriate.”
BT gave evidence to the Public Bill Committee in the Commons. Of course, BT is a provider which will need to comply with the provisions of the Bill, so I take the liberty of reading out much of its evidence:
“As currently defined, a ‘security compromise’ … would cover any planned network outage that may be required for maintenance or upgrading of the network, or any unplanned outages due to faults or wear and tear. These types of outages are relatively regular occurrences given the scale of our network and we always seek to minimise customer impact and restore service as quickly as possible. The duties on operators in the Bill that flow from this definition are significant—including network issues that cannot reasonably be considered as security compromises (rather resilience or availability issues) would create undue burdens on operators and potentially on OFCOM.
These outages are not the result of any unauthorised access or malicious intent, nor do they have consequences for the confidentiality of data or signals carried over the network. We do not believe it is the intention of the Bill to apply the same requirements (e.g. with respect to reporting or notification to stakeholders), or to make the same powers available to OFCOM, in relation to these types of incidents, as are intended to apply to ‘security compromises’.”
It goes on:
“The definition also seeks, we understand, to capture any compromise to the integrity of signals conveyed over a network. However, the way that this is expressed—by reference solely to compromises of the ‘confidentiality of signals’—is unclear and confusing. It could be significantly improved by making a simple amendment to refer to ‘confidentiality and integrity’.
The definition of ‘connected security compromise’ … is a simple definition referring to something that ‘occurs in relation to another public electronic communications network or a public electronic communications service’. Given the potential breadth of this definition, building some specifics on how the ‘connected’ element will be assessed in the overall Government/OFCOM guidance on ‘security compromise’ will be important.”
So a provider that will be considerably impacted by the Bill and the Constitution Committee have raised important issues about the width of these definitions. These amendments perhaps do not go as far as some providers would like, but they attempt to give greater certainty by specifying that compromises which involve security issues are covered, but not wider outages which do not have security implications. I very much hope the Government will heed both the providers and the Constitution Committee by narrowing the width of these definitions. I beg to move.
My Lords, I had the privilege of being an RAF pilot. The instructions we received as pilots in methods of security included the word “anything”. In other words, if you are flying a jet on a mission and you suspect something, “anything” is reported back, or you take remedial action. You do not try to refine that security by, in this case, reducing it or leaving any element of doubt. Thinking about it a little further, the “anything” could be technical. In this context, it could be competitive; it could be a company being taken over; it could be lack of finance; it could be fraud. Above all, it could provide a loophole. Therefore, Her Majesty’s Government are absolutely right in putting in the word “anything” and not trying to restrict it further.
I hear the noble Lord’s concerns. We will of course take back his comments and reflect on them again. However, I know that officials working on this Bill have considered these points in enormous detail and would be happy to meet the noble Lord and discuss them, if that would be helpful. We believe that our framework does not water down but balances future-proofing with the precision and specificity that the noble Lord seeks. I hope we can follow up on that in a separate meeting.
My Lords, I see a slight chink of light, perhaps, that may be opened by a meeting with the Minister on this subject—because she will appreciate that none of the amendments tabled to the Bill, which we think is important, has been put down lightly, and definition is crucial.
I was somewhat baffled by the noble Lord, Lord Naseby, flying in his jet—I was thinking of perhaps pressing the ejector button, but I thought better of it. The idea that there is an analogy between flying a jet and what we are talking about here was a bit baffling. The only way that I could think of the analogy for a planned outage, which is exactly what the providers are worried about being subject to under this definition of “security compromise”, is where a jet does a planned manoeuvre and everyone scrambles and treats it as an incident—so I cannot see that his analogy holds at all.
I much prefer and give thanks for the contributions of the noble Earl, Lord Erroll, the noble Lord, Lord Coaker, and my noble friend Lord Fox, who, in doubling down on the points raised about the purposes of the Bill, illustrated exactly why we seek to have a much more precise definition. The big problem is that the flexibility demanded by the Government is effectively at businesses’ cost and causes uncertainty. That is the worry about the way that the Bill is currently drafted.
The Minister talked about future-proofing and doing it more precisely, in a sense, by setting out the duties by secondary legislation—but, of course, there are great concerns about the way that the secondary legislation is to be agreed and the codes of practice. So I suppose that, if I were going to ask for a quid pro quo, if there is to be a loose definition of “security compromise”, there must be a very tight way of agreeing the codes of practice and the secondary legislation—but I wonder whether the Minister will actually agree to that trade-off, as we go through the afternoon. I would like to have all of the amendments that we have tabled for today.
I really think that, when the Minister said that this would “undermine the whole approach”, it is good to have it in her script, but that is absolutely not the case. The last thing that we are doing by trying to tighten this definition is to undermine the whole approach; we are trying to create certainty for the providers so that, when they plan outages and there are other planned events, they are not caught by a sidewind when trying to comply with the terms of the Bill. This is a practical issue.
I understand what the Minister says about resilience and, to some degree, that is the case, but there is clearly a great deal of uncertainty surrounding the providers’ interpretation of the Bill, as it currently stands—and they are the ones that will be subject to this. As I said—without wishing to repeat myself too much—the Government’s impact assessment itself makes it very clear that the costs of this exercise, of having to comply with the Bill, are extremely uncertain at this point, and there is quite a lot of concern about that.
I am sure that, if we have a meeting with the Minister in due course, we will be able to persuade her to accept these amendments, and I look forward to it. In the meantime, I beg leave to withdraw Amendment 2.
My Lords, I beg to move Amendment 7 and will speak also to Amendment 12. New Section 105B introduced by Clause 1 affords the Secretary of State the ability to make regulations that have highly onerous provisions, laying down that a provider must take specified security measures. This is under the negative procedure, which is of course a near 100% guarantee of their coming into force. There is no provision for any independent or specialist oversight of these regulations, as we will discuss later. They cover a huge range of issues in great detail, including
“Network architecture … Protection of data and network functions … Monitoring and audit … Supply chain”.
These are all in the draft regulations, along with
“Prevention of security compromise and management of security permissions … Remediation and recovery … Governance and accountability … Competency … Testing … Assistance”.
Very helpfully—in a way—to my case in the last group, the Minister said that the whole purpose of the regulations was to specify in greater detail what the duties of providers would be. But, already, particular issues have been identified in the draft regulations by providers relating to patches, audit and monitoring, supply chains, foreign network operating centres—and the list goes on. So, there is already a feeling not only that these regulations are very detailed but that they should not be subject to the negative procedure. It seems extraordinary that regulations of such importance are not to be subject to greater parliamentary scrutiny.
Noting, obviously, that the noble Baroness, Lady Merron, will be speaking to her Amendment 11, I move on to my Amendment 12. The fourth report of the Delegated Powers Committee drew the attention of the House to proposed new Section 105E of the Communications Act 2003, which gives the Secretary of State power to issue, revise or withdraw codes of practice about security measures that should be taken by providers in the performance of their duties to prevent security compromises under Sections 105A to 105D. There is a duty to consult with Ofcom and providers but no oversight or approval role for Parliament.
In her letter to us after Second Reading, the Minister of course assured us that:
“Government will consult with affected public telecoms providers and Ofcom on any codes of practice that are issued. This will ensure that we have a full understanding of the code’s impact before it is finalised. A consultation on the first code of practice will take place after the Bill receives Royal Assent.”
I am glad to say that the Delegated Powers Committee, in the light of the importance of the codes to assessing compliance and in enforcement by Ofcom, were unconvinced by the department’s claim that this was too detailed and technical and “not legislative”. As the committee said:
“The Bill provides for codes of practice to play a significant role—both in relation to the exercise of OFCOM’s regulatory functions and in legal proceedings—in supplementing the important duties to take security measures that the Bill imposes on providers.”
It concluded:
“In our view, it is unacceptable for codes of practice that will have the significant statutory effects provided for in this Bill to be subject to no Parliamentary scrutiny procedure.”
As the UK communications council said, the combined effect of the two proposed provisions that I have talked about in these two amendments amount to a near-unfettered ability for the Secretary of State to interfere in the normal operations of what is an otherwise innovative and successful industry. Amendment 7, in particular, seeks to ensure that these regulations need to be approved by Parliament by the affirmative procedure. Amendment 12 would require approval from Parliament for codes of practice under the Bill. Where I differ from the committee and, it seems, the noble Baroness, Lady Merron, is on the procedure to be adopted. In my view, at minimum, it should be by the affirmative procedure. I beg to move.
My Lords, I thank the Minister for that rather depressing reply. I also thank the noble Lord, Lord Naseby, for his support—I think we will have a fly-by in celebration. I thank too the noble Earl, Lord Erroll, my noble friend Lord Fox and the noble Baroness, Lady Merron, who raised some very interesting points, all supportive of greater scrutiny in both respects, which was very helpful. As my noble friend illustrated—the impact assessment is a mine of information—the lack of robust and specific data is one of the areas of great uncertainty, and there is the risk of running the industry by remote control without adequate scrutiny. There is great uncertainty about cost, and therefore there needs to be that level of scrutiny, and there is great concern about the role that Parliament should have.
I was fascinated by the Minister’s argumentation. It does not really matter whether a committee recommends something or not; the Government are not going to accept it. Apparently, it is not good enough to have the affirmative procedure because the committee did not recommend it; on the other hand, it is not good enough to have scrutiny of the codes of practice even though the committee did recommend it. Basically, the Government are saying, “Well, what the hell? We’re not going to agree with the committee on any basis.”
My Lords, the Grand Committee will now resume. I think we were just about concluding the remarks of the noble Lord, Lord Clement-Jones.
I might take that hint, but there is still a little bit of water to flow under the bridge.
The Minister knows that there is already a great deal of concern about both the regulations, which I have specified and gone through to some degree, and the forthcoming codes which we are assured will come out, so there is no doubt that the Government are fully aware of the providers’ concerns.
I thought the point made by the noble Baroness, Lady Merron, on the NCSC’s lack of involvement was very strong. That absolutely must be bolted into the Bill; it is fundamental in so many ways, and I do not think any of us really understands why that should not be bolted in.
I come on to the substance of what the Minister said: that using the negative procedure for the regulations was fine because we are not amending primary legislation. Do we now make a virtue of a non-Henry VIII power? Are the only powers that we think should now be subject to the affirmative procedure Henry VIII powers? We have moved some way. I am clearly getting far too long in the tooth to see those sorts of arguments being made by Ministers, especially when it is a matter of scrabbling around to keep the Bill as it is. I understand the “not invented here” principle, but it is a bit depressing to see it when the merits of a case are so strong.
The other time-old argument is “Don’t worry your pretty little heads; these are technical regulations. Parliamentarians can’t have too much oversight of a technical regulation—they might not understand it. They might get confused and lose sleep.” I do not know what the arguments are, but they are clearly bogus. We should go for the affirmative, and someone with the experience of the noble Lord, Lord Naseby—I am sorry to see he is not here—as a Deputy Speaker in the Commons knows full well that that is the appropriate form.
The words “legislative effect”, which the noble Baroness, Lady Merron, emphasised, as I do, are important in this context, and were raised by the Delegated Powers Committee. On this point about having no delay, regulations needing to be updated, and a code of practice needing to be flexible and updated, we have seen that this Government can pass Covid-19 regulations in a blink; they can do virtually anything they feel like at the drop of a hat and nobody says boo to a goose, so I do not think that is a very useful argument.
The other point the Minister made was that the code needs to be understood by its audience. Again, that is a “Don’t worry your pretty little head” argument—“Parliamentarians will not understand the code—it is not relevant to them; only the providers need to worry about it.” But providers are worried about the code, and they would be much reassured if they saw that there was proper scrutiny.
I am really sorry to say that I did not even see a chink of daylight in that group, sadly. I hope that we can move a bit further as the Bill progresses but, in the meantime, with great disappointment, I beg leave to withdraw the amendment.
My Lords, I move Amendment 8 in my name and welcome the similar Amendments 9 and 19 in the names of the noble Lords, Lord Clement-Jones and Lord Fox. The Minister will recognise some similar themes in this group to those in the previous debate. The amendments are to Clause 2, which gives the Secretary of State the powers to make regulations which require providers to take specified measures in response to a specified security compromise and where a security compromise has a specified adverse effect on the network or service. The Minister will not be surprised that the amendments seek to understand what advice the Secretary of State will receive and where that advice will come from when making these regulations.
I am sure that we have all heard concerns about how these regulations are widely shared. For example, Comms Council UK has said that this represents an
“unprecedented shift of power from Parliament to the Minister in relation to how telecoms networks operate”,
and argues that
“the Minister will be able to unilaterally make decisions that impact the technical operation and direction of technology companies, with little or no oversight or accountability.”
Unsurprisingly, there has been a call for technical and judicial oversight, as reflected in these amendments, just as the Investigatory Powers Act 2016 established a Technical Advisory Board to advise the Home Secretary on the reasonableness of obligations imposed on communications providers. There is precedent here to which we can usefully refer.
Other concerns were expressed in Committee in the other place. The Digital Policy Alliance is familiar to a number of parliamentarians, especially the noble Earl, Lord Erroll, who is chair of that august organisation. I am sure that he is aware of the comments of its Dr Louise Bennett, who said:
“There is no mention in the Bill of a technical advisory board focused on the provisions of the Bill, and that would be a very helpful addition.”—[Official Report, Commons, Telecommunications (Security) Bill Committee, 14/1/21; col. 49.]
I agree. Such a board would, for example, be able to point out that new types of components were coming down the track. Does the Minister feel that such a board would be a helpful addition? If not, why not?
Have the Government considered expanding the remit of the current Technical Advisory Board to cover the powers in the Bill? Amendment 19 in the name of the noble Lord, Lord Clement-Jones, gives us a useful steer on how any such new board could be constituted. Without such a board, what technical advice will the Secretary of State receive? Who will it come from, and will it be published? I look forward to the Minister’s reply.
My Lords, I am delighted to be on the same page as the noble Baroness on the insertion of a technical advisory board and judicial commissioner into the process. I note that she quoted Dr Bennett of the DPA; I am proud to be a DPA member and sitting opposite my chair. Others from the industry have made the same points. Comms Council UK has pointed out that there are no clear mechanisms for technical feedback or expertise to be fed into the drafting of the regulations and the codes of practice, which we discussed on the last group. It makes the point that many of the technical requirements that will be placed on its members are not in the text of the Bill but are in the accompanying regulations and the code, which we have heard has yet to be published. It is clear that, in these draft regulations made under Section 105B and 105D—
My Lords, the Grand Committee is resumed—third time lucky. I call the noble Lord, Lord Clement-Jones.
My Lords, I hope I am demonstrating the agility of which the Minister is so fond. As I said earlier in respect of the judicial commissioner, these amendments provide a ready-made mechanism for oversight concerning the proportionality and appropriateness of any measures in the regulations and codes. Taken together, Amendments 9 and 19 would require the Secretary of State to take into account the advice of the technical advisory board—and insert a new clause after Clause 14—and that of a judicial commissioner appointed under the 2016 Act. We have gone a little further in specifying the make-up of the technical advisory board, but we are clearly on the same page as the noble Baroness, Lady Merron, with her Amendment 8.
My Lords, I want to speak on this issue as I remember mentioning it at Second Reading. There is a person for whom I have huge respect, Dr Louise Bennett, whose extensive knowledge and sagacity I first ran into when we were talking about ID cards years ago and the whole problem of digital identity and privacy over the internet. If you really want to know about such things, read her work: she has produced a lot of work on this. I think a technical advisory board is essential: these are complex issues. The Minister said that the matters subject to regulation will be technical. I do not see how we can do this without a good technical advisory board, and it is good if we have some view of who goes on it, because it is too easy for these things to disappear off and no one thinks about them. We will keep needing cutting-edge advice and not have groupthink, and these matters are very tricky.
Between Amendments 8 and 9, I could not decide between taking “the utmost” and “full” account; there is a neat little difference in the wording. Otherwise, the point about laying it out properly is important. The other thing, which slightly goes back to our previous debate, is that we get into the whole problem of what are regulations, what is guidance, what are guidelines and what is a code of practice and the different legal stance of those different things. We have to be careful about using them as if they were interchangeable. Regulations will often give rise to a code of practice, breach of which is not necessarily an offence, but they can be linked back to a primary Act offence. We should not bandy those words around interchangeably; they are different. We need a technical advisory board and, between these amendments, we should do something about it.
I call the noble Lord, Lord Clement-Jones—sorry.
I must admit that I am somewhat baffled by the Minister’s response. The argument on the technical advisory board seems to be, “Oh, we’ve got enough technical advice, so we don’t need one”—but, clearly, it seems that there is a need for this. I quoted providers—I can go into the papers that we have received from them—as saying that real issues arise out of the regulations. These are technical and relate to things such as patches and audit and monitoring issues. There is a feeling that the department is just not listening on those issues, and what is needed is someone who is rather more dispassionate and can advise on the technical issues that are arising—perhaps, if it is seen as a conflict, someone like the noble Earl, Lord Erroll, who can genuinely advise on this kind of thing. It seems to me to be extraordinarily dismissive to say, “We’ve got enough advice. We don’t need a board of this kind”.
In the Investigatory Powers Act 2016, there is a very useful technical advisory board—it is not usable for this purpose because its function is rather different under that Act. When the Minister comes to the point about the judicial commissioners, saying, “Oh, no, they are for an entirely different purpose”, I say that, actually, if you read their function, it is four square with the kind of thing that would be useful under this Bill. They are talking about not technical issues but proportionality, appropriateness and so on—very much the kind of thing that they are dealing with under the 2016 Act.
So I am afraid that I do not buy what the Minister has to say, sadly; I just think that it is pushback based on the thinking that, “Well, the Bill’s the Bill and it’s all drafted, so we don’t really want to do very much with it by way of amendment”. That is the time-honoured government response to this kind of suggested amendment, but I believe that, constructively, both these aspects—a judicial commissioner and a technical advisory board—would make a great difference to the functioning of the Bill and would lead to much better regulations and codes of guidance at the end of the day.
I thank the Deputy Chairman and apologise for speaking across him. I am a bit intrigued by the comment of the noble Lord, Lord Parkinson, on the subject of legal enforceability. He is correct to say that, as new Section 105H states, the
“provision of a code of practice does not of itself make the provider liable to legal proceedings”
—but it would not be liable only when the provision was not in force in time or when it was not legal. However, you would not bring a legal case anyway when it was not relevant or in force, so, to all intents and purposes, where the code is in force and relevant, it is legally enforceable. Therefore, it is legally enforceable.
My Lords, in its evidence to the Bill in the Commons, BT said:
“we believe greater clarity is needed on OFCOM’s planned approach, with safeguards introduced in the Bill to ensure operator burdens are proportionate.”
Amendment 10 seeks to ensure that codes of practice are necessary and proportionate.
As regards Ofcom’s new powers to ensure compliance with security duties as set out in new Section 105M, how will these relate to Ofcom’s existing powers and duties under Sections 3 and 6 of the Communications Act 2003? Will this duty and the new powers Ofcom is being given still be subject to good regulatory practice so that, for example, it still must have regard to the principles of transparency, accountability, proportionality and consistency and not impose unnecessary burdens? How will this fit in with the statement to be made by Ofcom under new Section 105Y?
Amendments 16, 17 and 21 to Clauses 5, 6 and 19, in my name and that of my noble friend Lord Fox, seek to ensure that the new powers for Ofcom introduced in the Bill are subject to requirements in the 2003 Act regarding carrying out and reviewing its functions. I was pleased that in her letter to noble Lords after Second Reading, the Minister explicitly said:
“When carrying out its security functions, Ofcom will remain bound by its general duties under Section 3 of the Communications Act 2003 as it is now. Section 3(3) provides a duty on Ofcom to have regard to the need for transparency, accountability and proportionality when carrying out its functions. Ofcom will also be bound by its duty under Section 6 of the Communications Act 2003 to review the burden of its regulation on public telecoms providers. If Ofcom fails to carry out its security functions in line with these duties, then it is likely to be subject to legal challenge.”
I very much appreciate those words, which are a very clear interpretation of the existing Act and the duties of Ofcom and the responsibilities it has in the way that it carries them out. Will the Minister repeat that assurance today?
My Lords, I want to say a few words on this because the key words “undue burden” stand out. It is very important that we do not put too many burdens, particularly unnecessary ones, on companies. In particular—and this is something that I have often looked at because I have done a lot of work with innovative and growing companies—you must not let large corporations stifle innovation. There is an attitude among them that regulations are for your enemies; they are a very good way of stopping up-and-coming competition. I have also noticed that departments tend to consult the companies which have significant market presence already and see them as being the people who know all about it. However, that does not take account of what is up and coming. The other thing is that they often have people on secondment from them or people who have retired from the companies and gone into the departments, so there can be some interesting biases within. With those few warnings, I think the whole undue burden issue is more important than people might think.
I thank the noble Lords, Lord Fox and Lord Clement-Jones, for these amendments, and all noble Lords who have spoken in the debate. The amendments focus on the need for the regulations and code of practice to be proportionate, and to ensure that the duties of Ofcom are carried out in a transparent and similarly proportionate way.
I turn first to Amendment 10, tabled by the noble Lord, Lord Fox. This amendment to Clause 3 seeks to ensure that codes of practice are necessary and proportionate to what they are intended to achieve, and do not place an undue burden on telecoms providers. The Bill already includes provisions in Clauses 1 and 2 to ensure that security duties placed on public telecoms providers in the primary legislation and specific security measures set out in regulations must be considered to be appropriate and proportionate by the Secretary of State. The code of practice will provide the technical guidance on the steps that public telecoms providers should take to meet their security duties. I certainly agree with the noble Baroness, Lady Merron, about the extra—and indeed extraordinary—work that providers have done over recent months to keep us all in contact during the pandemic.
To help ensure that technical guidance in the code of practice is appropriate and proportionate, Clause 3 requires the Secretary of State to publish a draft version of the code of practice before it is issued, and to consult on its contents. This public consultation will take place after the Bill has attained Royal Assent; it will enable the voices of telecoms providers of all sizes—as noble Lords rightly pointed out—the wider sector, Ofcom, and any other affected groups to be heard and taken into account before the code of practice is finalised. Subsequent versions of the code of practice, which will be revised as technology evolves and new threats emerge, will also be subject to the same process of consultation before being issued.
An impact assessment is also being conducted for proposed secondary legislation to be laid as part of the new framework, which will take into account the initial cost assessments from providers to ensure that the framework is balanced and proportionate. The precise make-up and design of each provider’s network remains a commercial decision. The Bill makes it clear that providers are responsible for the security of their own networks and services; providers also remain responsible for deciding how they recover their costs. As such, we expect the costs of ensuring adequate security to be met by individual providers.
I turn to Amendments 16, 17 and 21, tabled by the noble Lord, Lord Clement-Jones. These seek to apply Sections 3 and 6 of the Communications Act 2003 to Ofcom’s duties and powers under Clauses 5, 6 and 19 of this Bill. Section 3 of the Communications Act sets out Ofcom’s general duties; these include a duty on Ofcom to have regard to the need for transparency, accountability and proportionality when carrying out its functions. Section 6 of the Communications Act requires Ofcom to review the burden of its regulation on telecoms providers. These are all principles that we think are essential to the functioning of the new security regime created by this Bill. I am glad to repeat the reassurance given by my noble friend in her letter, which the noble Lord, Lord Clement-Jones, mentioned, that Ofcom is already bound by its general duties in Sections 3 and 6 of the Communications Act when carrying out its security function under new Section 105M, and when using any of its powers in this Bill. This will include Ofcom’s power to carry out an assessment of public telecoms providers’ compliance with their security duties under Clause 6 of this Bill, and powers for Ofcom to give inspection notices under Clause 19. As my noble friend said in her letter, if Ofcom fails to carry out its security functions in line with these duties, it could be subject to legal challenge.
The provisions in the Bill already ensure that the regulations, code of practice and duties of Ofcom are proportionate. Therefore, we do not think that these amendments are necessary, and we hope that noble Lords will be happy not to press them.
My Lords, I thank the Minister for that—he pierced through the gloom of the afternoon, giving an assurance that existing duties of Ofcom will cover the new powers.
I think we have a Pepper v Hart situation that works for the other aspects on the code of practice. It is not just the regulations and the duties and powers of Ofcom that are subject to it; the way in which the code of practice will be drawn up is covered also by the duties under Sections 3 and 6 of the existing Act. I very much hope so, and I need to take away and read what the Minister had to say.
My Lords, Amendment 13 seeks to speak up for consumers and to probe possibilities as to how we may act in their interests. After all, they are the ones who are, on an individual basis, and often in very large numbers, at the receiving end of security threats.
Amendment 13 would amend Clause 4, which places a duty on providers to take steps to inform users about security compromises or where there is a significant risk of a security compromise occurring which may adversely affect the user as a result. As we see in the clause, the provider must inform the user about the existence of the risk, the nature of the security compromise, what steps could be reasonably taken by users in response, and of course the name and contact details of a person who may provide further information. All those are welcome, and such a duty being placed on providers to report security incidents is right and proper. After all, for many years, we have heard calls from all sides to place a clearer and more comprehensive duty on providers to share information with users, who should not be kept in the dark. When they are affected by a breach, there are not just practical considerations; as we all know, such security breaches are extremely distressing and worrying, as well as compromising for those affected. It is right for them to have some sort of redress.
Let us reflect on the high-profile incidents where users have not been told of security incidents. For example, TalkTalk failed to inform 4,500 customers that their personal information, including bank account details, was stolen as part of the 2015 data breach. That was revealed only in 2019, when details were found online. I am sure that, like me, the Minister will completely understand how distressing this must have been for those people, who were not only affected but were given no opportunity by the company to do anything about it.
Clearly, we know that such behaviour by telecoms companies is unacceptable. However—and this is what the amendment seeks to assist with—Clause 4 does not give a timeframe for providers to inform consumers. This probing amendment suggests a 30-day window to do so. I understand that we have to be aware that this cannot lead to further security compromises that could result from informing the public, so that point has to be taken into account.
How quickly does the Minister think providers should inform the public of a security breach? I ask that because under Clause 4, which is very open, it could be months before users find out that their personal data has been stolen. How much worse for people to find out in that way and in that sort of timeframe?
The amendments we are debating today and the Bill we are considering are all about the protection of national security. In all that, let us remember consumers too, whose interests are key to these debates. The public have to know that their data is safe and when to take necessary steps if their privacy has been threatened in some way.
On Amendments 14 and 15, I should be interested to hear from the Minister whether an Ofcom backstop to halt providers speaking to users on security grounds already exists. Does Ofcom have the expertise already to make such a judgment, or would new experts—I use that word carefully but definitely—and new expertise be needed? I look forward not only to the Minister’s reply but to the comments of noble Lords participating in this debate.
My Lords, I shall speak to Amendments 14 and 15. I wanted to say on the last group of amendments that I entirely agree with the noble Earl, Lord Erroll, about regulation. It is entirely possible for regulation to provide certainty, to stimulate innovation and, in the context of this Bill, to ensure that we have the right framework for our providers to ensure that our security is not compromised. So there is certainly no negativity in that respect towards regulation; the question is whether it is appropriate in the circumstances and not unduly burdensome for those subject to it. That is why the question of parliamentary oversight, which has been mentioned throughout this afternoon, continues to be important, and I think that it will come up again in the next group.
This amendment is on rather a different area. I have quite a lot of sympathy with Amendment 13 in the name of the noble Baroness, Lady Merron, but this is more nuanced than the Bill provides for. I want to quote again from the evidence of BT to the Bill Committee in the Commons. It said:
“We agree with the requirements on operators to support the users of their networks in preventing or mitigating the impact of a potential security compromise … In certain cases”—
and this is a sort of “however”—
“the security of the network may be put at greater risk if potential risks are communicated to stakeholders, providing malicious actors with additional information on potential vulnerabilities in the network that they may seek to exploit. We therefore believe that the Bill should explicitly consider such scenarios and not place obligations on communications providers to inform users of risks whereby doing so it will increase the likelihood of that risk crystallising.”
That is where our first amendment is going. BT further stated that
“the Bill also confers powers on OFCOM to inform others of a security compromise or risk of a compromise, such as the Secretary of State or network users. We understand the intention of the Bill in this regard and support the principle. We believe that this would be most effective when done in conjunction with the operator in question to ensure there is clarity and agreement, where possible, on the timing, audience and messaging of such information provision. This would also ensure that this does not cut across any other obligations that an operator may have, such as market disclosures. The Bill currently does not require OFCOM to consult with the operator prior to informing third parties of a security compromise (or risk of one).”
I think these are fair points. The Government must have an answer before Ofcom is faced with that set of issues. In this light, Amendments 13 and 15 make further provision about the duty to inform users of a risk of security compromise and specify that duties to inform others of “significant risks” of security compromises must be proportionate and not in themselves increase security risks.
My Lords, I put my name down to speak to this because the problem with putting a fixed time period on having to report security breaches is that it very much depends on what the breach is. We mentioned patches earlier. If it is a vulnerability in the software—or it may be the hardware—which requires a patch to be released, you must have the time to produce it and test it as fully as possible. You do not want the hackers out there to know what the vulnerability is until you can roll out the answer to it. That is what zero-day attacks are based on. Equally—the noble Baroness is absolutely correct here—you do not want this stuff swept under a carpet to sit there unused for years. Could our technical advisory board give advice at an incident level, or something like that?
I have received a request to speak after the Minister from the noble Lord, Lord Clement-Jones.
My Lords, until the Minister replied, “nuance” was the word being used in the context of information being provided and required and so on. I am afraid that nuance was completely lost in that response. The response to Amendment 14 was that the NCSC, the Government, the Secretary of State and Ofcom know best and that is it. They have to release the information. They do not believe there are any circumstances where it should not be released. It is all there in the NCSC guidance and well, too bad—tough. That seemed to be just about the Government’s position. That is pretty extraordinary considering that the relationship with the providers is extremely important, particularly in these circumstances where there have been breaches. We have heard from noble Lords during the debate that the timing of giving the information is important but the very fact of giving the information may also be important. I am afraid that is part 1 of a rather depressing response.
Part 2 was almost worse because the amendment being put forward is the mildest possible one. Ofcom must consult the provider in question
“where reasonably practicable to do so.”
As for the idea that this is going to lead to horrendous delay, the Minister really had to scrape away to find a suitably negative response to that amendment. I am afraid that her response in both respects does not engage with the real issues and I think it is grossly unsatisfactory in the circumstances.
My Lords, we know how it is when you are on a roll. This reminds me that it is very unusual for somebody to have the opportunity to get in before the noble Lord, Lord Fox, draws breath, as the Chair did. “Very impressive footwork,” I thought to myself.
There has been a common theme this afternoon of a lack of oversight over aspects of this Bill in many respects—in particular, the regulations and codes. This lack of oversight is compounded by the fact that, under Clause 13, any appeal to the Competition Appeal Tribunal cannot take account of the merits of a case against the Secretary of State. The rationale for this, as the Constitution Committee says,
“is unclear and is not justified in the Explanatory Notes.”
I will quote the Explanatory Notes in full. Clause 13 provides that, in appeals against relevant “security-related” Ofcom decisions, the Competition Appeal Tribunal is to apply ordinary “judicial review principles”, notwithstanding any retained case law or retained general principle of “EU law”—by that they of course mean retained EU law. This means that the tribunal should not “adopt a modified approach” to proceedings, as required under retained EU law, which provides that the “merits of the case” must be “duly taken in account”.
Therefore, this provision disapplies aspects of the ongoing effect and supremacy of retained EU law, as permitted by Section 7 of the European Union (Withdrawal) Act 2018. The rationale for reducing the powers of the tribunal in respect of security matters is unclear and not justified in the Explanatory Notes. The House may wish to ask the Government to justify reducing the powers of the Competition Appeal Tribunal in respect of appeals under Clause 13. That is the motive behind this clause stand part debate.
The most authoritative judgment to date about the current standard of review is the Competition Appeal Tribunal’s TalkTalk Telecom Group plc and Vodafone Ltd v Office of Communications case. This addresses, inter alia, the standard of review on an appeal to the Competition Appeal Tribunal under Section 192 of the Communications Act. The judgment of Peter Freeman QC provides a good analysis of the context and history of the changes to the standard of review. I make no apology for quoting it at some length:
“Of particular relevance to how the Tribunal should approach this appeal are Article 4(1) of the Framework Directive and section 194A of the 2003 Act, as amended by the DEA17 … Article 4(1) provides: ‘Member States shall ensure that effective mechanisms exist at national level under which any user or undertaking providing electronic communications networks and/or services who is affected by a decision of a national regulatory authority has the right of appeal against the decision to an appeal body that is independent of the parties involved. This body, which may be a court, shall have the appropriate expertise available to it to enable it to carry out its functions. Member States”—
this is the key bit—
“shall ensure that the merits of the case are duly taken into account and that there is an effective appeal mechanism…’ … Section 194A provides: ‘The Tribunal must decide the appeal, by reference to the grounds of appeal set out in the notice of appeal, by applying the same principles as would be applied by a court on an application for judicial review.’ … The combined effect of these provisions is to require the Tribunal to apply the same principles as would apply in a judicial review case but also to ensure that the merits of the case are duly taken into account so that there is an effective appeal.”
At paragraph 139, the judgment concludes:
“Given that Article 4(1) continues to apply, it would appear that, in accordance with the Court of Appeal’s view in BT v Ofcom and the High Court’s view in Hutchison 3G, as set out helpfully by the Tribunal in the recent Virgin Media judgment, we should continue, as before, to scrutinise the Decision for procedural unfairness, illegality and unreasonableness but, in addition, we should form our own assessment of whether the Decision was ‘wrong’ after considering the merits of the case.”
“Article 4(1)” refers to the now-repealed framework directive. It should now be read as referring to Article 31(1) of the European Electronic Communications Code—the EECC. The transposition deadline of the EECC was just before the end of the transition period and is therefore currently binding as part of retained EU law. The wording of the EECC is almost exactly the same as the framework directive in respect of appeals.
That is what will continue to apply across the remainder of the Communications Act for other appeals under Section 192 but is being changed by Clause 13 of the Bill, which amends Section 194A of the Communications Act in respect of security provisions. This is a very significant change to the appeals procedure in security cases. There is a single bald paragraph in the Explanatory Notes, no justification is given—as the Constitution Committee says—and neither is there any evidence of why it is necessary. What evidence does the Minister in fact have of the need to make this major change in respect of security decisions made by Ofcom? I beg to move.
My Lords, I saw this and thought that I really did not understand why the Government were doing it. I saw what the Constitution Committee had said and realised that it did not understand why it was needed. I cannot believe that you can have a proper appeal if you ignore the merits of the case. I probably have an overdeveloped sense of justice and I think that to have an appeal where you are not allowed to present half the case or whatever is not a proper appeal. In fact, what you find is that the system can use procedural things to run rings around people who have a very justifiable complaint about something. I did not like the look of it and I entirely agree with everything that the noble Lord, Lord Clement-Jones, said.
My Lords, I have heard some ministerial pushbacks but, I must say, that circularity more or less takes the biscuit: “The Government believe that we need to change the standard and therefore we have changed it.” There is very little that one can get one’s teeth into in terms of the argument. It is simply that the Government believe that JR in its unlawfully rational or unfair incarnation should apply in this set of circumstances—and that is it, whereas, for the rest of the 2003 Act, the merits version of JR continues unabated.
The Minister made a few points. I thought “merely” was rather extraordinary; it is a very important change to the way the tribunal will operate in those circumstances. Providers will not appeal against these decisions unless they are of major importance. The process of going to the Competition Appeal Tribunal is not lightly undertaken. She used the words “a smooth regulatory process”. Of course Governments always love smooth regulatory processes, but how big is the steamroller employed in these circumstances? There was also the use of “appropriate”—a splendid weasel word.
This is the end of a very entertaining afternoon so I cannot really comment heavily on the Minister’s reply. However, she really could have done better. The noble Earl, Lord Erroll, and I asked for evidence of why in these circumstances—we have all just asked why—but nothing was forthcoming: no evidence, precedent or, “We did it that way and it didn’t work”. We have just decided within the bowels of Whitehall to do this—splendid, but the Government need to do better than that, even with their current majority. However, this is the end of a splendid set of debates this afternoon and I hope for better on another occasion.
Telecommunications (Security) Bill Debate
Lord Clement-Jones (Liberal Democrat - Life peer)
(3 years ago)
Lords Chamber
My Lords, in moving Amendment 2 I will speak to Amendment 7. I add my welcome to both the Minister and the noble Lord, Lord Sharpe, in their new roles.
The Minister has now accepted in his Amendment 3 that there needs to be greater parliamentary scrutiny of codes of practice. I welcome that; I am just sad that Amendment 1 did not squeak through. However, he has not accepted the need for greater technical scrutiny of these codes. As the Minister’s predecessor, the noble Baroness, Lady Barran, said in Committee,
“the whole purpose of the regulations was to specify in greater detail what the duties of providers would be.”
Likewise, she said:
“The codes of practice will provide technical guidance to assist public telecoms providers in meeting their legal obligations.”—[Official Report, 13/7/21; cols. GC 488-93.]
However, as the industry has pointed out, there are no clear mechanisms for technical feedback or expertise to be fed into the drafting of the regulations and codes of practice.
The Minister dealt with these amendments himself in Committee. On the Clause 2 regulations, he assured us:
“Advice to the Secretary of State could”—
I emphasise “could”—
“also include relevant representations by public telecoms providers … DCMS continues routinely to engage with telecoms providers about this Bill and telecoms security more widely.”
He also said that
“Clause 3 requires that any codes of practice are finalised only after consultation with affected providers.”—[Official Report, 13/7/21; col. GC 499.]
Again, he gave no assurance of exactly with whom and how the consultation will take place, and he did not explain why he thought that a specific technical advisory board set up under this Bill was not appropriate. For that reason I have no hesitation in retabling these amendments for further consideration on Report.
As the noble Baroness, Lady Merron, pointed out in Committee, there is good precedent in the Investigatory Powers Act 2016, which
“established a Technical Advisory Board to advise the Home Secretary on the reasonableness of obligations imposed on communications providers.”—[Official Report, 13/7/21; col. GC 462.]
The judicial commissioners set up under that Act could be deployed under this Bill.
This is an opportunity for the Minister to demonstrate a much firmer and more inclusive approach to technical consultation. I hope that he will accept this amendment. I beg to move.
My Lords, I thank the noble Lord, Lord Clement-Jones, for tabling Amendments 2 and 7 again on Report. I will not take up much time discussing them, not least because the Labour Front Bench tabled similar amendments in Committee better to understand what advice the Secretary of State will receive and where it will come from when making regulations under Clause 2. As the noble Lord said, we must ensure that the Secretary of State receives advice from the best experts, not just those who support the Government.
As the former Minister, the noble Baroness, Lady Barran, focused only on the incompatibility of a similar board set up by the Investigatory Powers Act, can the Minister today simply answer this question: without such a board, where will the Secretary of State receive advice, and from whom?
My Lords, I thank the Minister for that very helpful reply. I think he has gone as far as he can, without accepting my amendment, to try to give assurance to the industry about the nature of the consultation. I still believe that something more formal is required but I am not going to quibble about the sharing of ambition. I am sure that is right. The question is whether in practice we are going to get the result we need. The proof of the pudding will be in the eating and we will see how the regulations and the codes of practice turn out in the end. In the meantime, I beg leave to withdraw the amendment.
My Lords, a lack of oversight has been a persistent theme through the passage of this Bill. Included within that is judicial oversight and the fact that under Clause 13 any appeal to the Competition Appeal Tribunal cannot take account of the merits of a case against the Secretary of State. The rationale for this, as the Constitution Committee said in its report,
“is unclear and is not justified in the Explanatory Notes.”
It further said:
“The House may wish to ask the Government to justify reducing the powers of the Competition Appeal Tribunal in respect of appeals under clause 13.”
The clause reverses the Competition Appeal Tribunal’s TalkTalk Telecom Group plc and Vodafone Limited v Office of Communications decision, which addresses, inter alia, the standard of review on an appeal to the Competition Appeal Tribunal under Section 192 of the Communications Act.
The Minister’s predecessor, the noble Baroness, Lady Barran, said in Committee in response to the Clause 13 stand part debate:
“It merely changes the standard to which they will be reviewed. Having these cases reviewed on ordinary judicial review principles, rather than taking account of the merits of the case, aims to ensure a smooth regulatory process that focuses on fair decision-making … this should reduce any incentives for providers to litigate solely for the purpose of delaying the regulatory process.”
Note the word “merely”. This is very much for the Government’s convenience. She continued:
“It is particularly important, given that these decisions relate to the security of a provider’s network, that decisions can be addressed swiftly, and providers can get back to the important work of ensuring that their networks are secure.”
This nevertheless tries to give the impression that this is for the benefit of the providers. The noble Baroness then said that:
“Clause 13 applies to appeals only against relevant security decisions … The Government consider this approach to be appropriate to ensure that Ofcom’s regulatory decisions can only be successfully challenged when they are, broadly speaking, unlawful, irrational or procedurally unfair. By reducing providers’ incentives to litigate to delay regulatory action, the provisions in the clause contribute to Ofcom’s effectiveness as a regulator.”—[Official Report, 13/7/21; cols. GC 516-17.]
Surely in these circumstances, particularly on security, the merits of security decisions are particularly important and this is the legislative equivalent of the Government marking their own homework—or perhaps I should say making it much more difficult for it to be marked. I beg to move.
My Lords, I thank the noble Lords, Lord Clement-Jones and Lord Fox, for tabling this amendment and the noble Lord, Lord Clement-Jones, for his remarks. It certainly is key that Ofcom is able to do the job that it has been entrusted to do. On the matter of providers, I would say that their primary duty has to be to ensure that the networks are secure. We should expect no less from them. I will be very interested to hear how the Minister responds to the points that have been made in respect of this amendment.
I thank the noble Lords, Lord Clement-Jones and Lord Fox, for tabling this amendment to Clause 13. I know the noble Lord, Lord Clement-Jones, in particular, has taken a keen interest in this area, not just in this Bill but in previous ones as well. I am grateful for the way that he set out the debate again today.
Clause 13 makes provision to ensure that the Competition Appeal Tribunal applies ordinary judicial review principles to appeals against certain security decisions made by Ofcom. Under such principles, those decisions can be successfully challenged only where they are unlawful, irrational or procedurally unfair. In setting the standard of appeal in this legislation, we must find a balance between giving telecoms providers a way to challenge Ofcom’s decisions should they be unfair and ensuring that the regulatory regime is effective and efficient.
Ofcom, as an experienced telecoms regulator, believes that changing the standard of appeal to judicial review principles for certain security decisions has the potential to make the regulatory process quicker and more efficient. The Government agree. We want to avoid either Ofcom or telecoms providers spending months in court.
It was never the intention of Parliament to set the standard of appeal, as it is now, to
“duly take into account the merits of the case”,
as this was dictated by EU law. In 2017 the Government changed the standard of appeal for reviewing decisions by Ofcom from a full merits approach to ordinary judicial review principles via Section 87 of the Digital Economy Act, as the noble Lord, Lord Clement-Jones, will well remember.
However, as EU law continued to apply, the Competition Appeal Tribunal subsequently decided that it had to apply a modified approach to
“duly take into account the merits of the case”.
In essence, this has prevented the provision in the Digital Economy Act, which had been approved by Parliament, taking effect. That rather unhappy outcome would continue to be the case for certain security decisions under the Bill should this clause not stand.
To be clear, Clause 13 applies the judicial review standard only to decisions such as those relating to the issuing of an assessment notice, which should be routine and quickly handled rather than being continuously delayed. It is not being applied to decisions about penalties such as those under Section 105T. Public telecoms providers will still be able to appeal those decisions as they do now, and the tribunal will
“duly take into account the merits of the case”.
Ultimately, we want public telecoms providers to spend their time addressing the security of the network. We do not want them to attempt indefinitely to delay an Ofcom decision by bringing cases against the regulator that do not stack up. We are not breaking new ground by changing to this standard of appeal. Judicial review principles are the normal standard by which most decisions of government and public bodies are legally reviewed.
Parliament has already decided that the standard of appeal for similar decisions under the Network and Information Systems Regulations 2018 should be ordinary judicial review principles. That is consistent with our policy approach in this Bill. Therefore, the Government feel that Clause 13 should stand part of this Bill as it will contribute to the efficiency of the regime and ensure that regulatory decisions are not unduly delayed. It will also ensure legislative consistency. I hope that reassures the noble Lord and that he will be content to withdraw his objection to this clause.
My Lords, I thank the Minister for his response. I am afraid it does not particularly reassure but there will be many other occasions on which we can raise the nature of judicial review, its continual erosion, the Government’s approach to judicial review and their dislike of being challenged. This is fairly thin territory on which to be debating a very large issue in terms of the future of judicial review. I am sure that my other legal colleagues will be more than able to dispute some of those issues. There are many other fish to fry of even greater importance on this Bill so I will withdraw my amendment.
Telecommunications (Security) Bill Debate
(2 years, 11 months ago)
Lords Chamber
My Lords, noble Lords will recall that this Bill will create one of the toughest telecoms security regimes in the world and ensure the security and resilience of the UK’s telecommunications networks and infrastructure.
Amendment 4, which was tabled by the noble Baroness, Lady Merron, and the noble Lords, Lord Alton of Liverpool and Lord Fox, would insert a new clause into the Bill. The clause would require the Secretary of State to report on the impact of the Government’s diversification strategy on the security of telecommunication networks and services, and would allow for a debate in another place on the report.
I ask that this House do not insist on its amendment for two reasons. Our first objection to this amendment relates to the flexibility necessary for diversification. The reporting requirement, which is based on the risks as we find them today, is restrictive and premature for a market and technology that is evolving and rapidly changing. Policy work is at an early stage, and the criteria for how we measure its success is evolving in line with our policy. It would not be suitable to set out specific reporting criteria in legislation.
The diversification strategy and any reporting on its progress must be flexible so that we can focus on achieving the greatest impact. As we hope diversification to be a short-term problem, enshrining it in legislation—a long-term solution—would be counterintuitive and unnecessary. We are currently focused on diversifying radio access networks, for instance, but that may change in the future.
The Government take diversification seriously. I reassure noble Lords that mechanisms are already in place, through Parliamentary Questions and Select Committees, to thoroughly scrutinise the strategy and its progress now and in the future. This is the appropriate method of scrutiny for an evolving, time-limited strategy.
Secondly, this is principally a national security Bill intended to strengthen the security and resilience of all our telecoms networks. The Government’s 5G telecoms diversification strategy has been developed to support that objective but it is not the sole objective of the strategy. In addition, the strategy is focused on a specific subset of the telecoms supply market, not the security of public networks as a whole.
From debates in your Lordships’ House so far, it is clear that this amendment intends to hold the Government to account on the impact of the diversification strategy on the security of public networks. We will be happy to provide updates on the strategy’s progress through existing channels, and are encouraged by the developments that we have seen since the strategy’s launch. The amendment would extend the Bill beyond its intended national security focus and creates an inflexible reporting requirement on a strategy that, as I say, will evolve as it fulfils this important work. That is why I ask your Lordships’ House not to insist on Amendment 4.
I shall also speak to Motion B, which asks that this House do not insist on its Amendment 5, to which the Commons have disagreed for their Reason 5A. As noble Lords will recall, Amendment 5 was tabled by the noble Lords, Lord Alton of Liverpool, Lord Coaker and Lord Fox, and my noble friend Lord Blencathra. The amendment would require the Secretary of State to review decisions taken by Five Eyes partners to ban telecommunications vendors on security grounds. In particular, it would require the Secretary of State to review the UK’s security arrangements with that vendor and consider whether to issue a designated vendor direction or take similar action in the UK.
As I said on Report, I welcome the intention of the amendment. It demonstrates that noble Lords across the House take the security of this country and its people incredibly seriously. However, while we support the spirit of the amendment, we cannot accept it for four reasons.
First, this amendment is unnecessary as the Bill already allows the Secretary of State to consider the policies of Five Eyes countries. Clause 16 includes a non-exhaustive list of factors that the Secretary of State may take into consideration when issuing designation notices regarding high-risk vendors. That list illustrates the kinds of factors we will be considering proactively and on an ongoing basis as part of our national security work. A decision by a Five Eyes partner or indeed any other international partner to ban a vendor on security grounds could be considered as part of that process. The amendment asks the Government to do something that has been part of the Bill from the outset. We believe that our existing approach is the right way to continually consider the decisions of all our international allies and partners.
Secondly, the amendment is unnecessary because we are already committed to a close and enduring partnership with the Five Eyes countries. We engage with our partners regularly and, where relevant, consider their actions when developing our own policies. The Five Eyes intelligence and security agencies maintain close co-operation, which includes frequent dialogue between the National Cyber Security Centre and its international partners. This dialogue includes the sharing of technical expertise on the security of telecoms networks and managing the risks posed by high-risk vendors. Engaging with our partners in this way is at the very core of our national security work.
In another place, members of the Intelligence and Security Committee agreed that the amendment was not necessary as the existing intelligence relationship with the Five Eyes, and other international parties, is strong. The chairman of the Intelligence and Security Committee, Dr Julian Lewis, said:
“We looked at Lords amendment 5 and we understood the temptation to flag up the importance of the Five Eyes relationship. We agreed ... whenever a serious objection is raised on security grounds by one of the Five Eyes partners, we take that with the utmost seriousness.”—[Official Report, Commons, 8/11/21; col. 119.]
The chairman of the DCMS Select Committee, Julian Knight MP, agreed and said that
“any Government worth their salt would take very seriously the approach of our closest security partners.”—[Official Report, Commons, 8/11/21; col. 117.]
Our third reason is that naming individual countries in legislation would be restrictive to the development of wider international relations and set an unhelpful precedent on national security legislation. The Five Eyes alliance was not created through legislation and it has not required legislation for us to develop and strengthen that relationship in the past. Moreover, we need to consider the policies of a wide range of countries, including those of our European neighbours such as France and Germany, and those of other nations such as Japan, South Korea and India, to name but a few. It is highly unusual to refer to specific countries in legislation in this way, and the amendment would set an unhelpful precedent for future legislation.
Finally, the amendment is impractical because of the many different ways other countries operate their national security decision-making. It may not be immediately clear when a country has taken a decision to ban a vendor, particularly if it relied on sensitive intelligence. It also may not be clear why a country has taken this decision, and it may not always be based on national security grounds. So, while I welcome the intentions behind the amendment, we cannot accept it and that is why I ask that the House does not insist on Amendment 5 either. I beg to move.
My Lords, I hope my noble friend Lord Fox has given his apologies to the Minister for being unable to be here due to a Select Committee engagement. However, that does not mean that on these Benches we are any less disappointed—or indignant, as I think my noble friend Lord Fox would put it—about the Government having turned down both amendments, which my noble friend signed. The Minister is developing a fine turn of phrase in turning down amendments that appear perfectly sensible. On Report he talked about sharing the ambition and warmly welcoming the intent and then said that they did not quite fit the Bill and the Government could not accept these amendments. It is rather baffling since both are built very firmly on the Government’s expressed intentions—indeed, ambitions—set out in the integrated review. That was very clear in our debates on Report. It seems that the Government’s motives are much more firmly based on resistance to scrutiny and the idea that, somehow, they would be constrained in their work on diversification by having to report, in the case of Lords Amendment 4. However, the words he used were:
“legislating for a reporting requirement would be limiting and inflexible.”—[Official Report, 19/10/21; col. 86.]
Having reread the debate and heard again what the Minister had to say, I still cannot understand the Government’s rationale for this.
The rejection of Lords Amendment 5 is equally baffling because the Minister talks again about the limitation of the amendment to a particular set of countries. Surely, one of the reasons we are where we are, and the Government had to backtrack on their treatment of high-risk vendors, is precisely that they were not in step with their other Five Eyes allies. Therefore, the Government are not even learning from experience. We are where we are, however, and clearly we are not going to take this further, but I believe that the Government will regret not accepting both amendments.
My Lords, the matters under consideration today are about not party politics but the first duty of any Government: to ensure the security of our citizens and the United Kingdom. Following majorities in this House and considered debate in this and the other place, it is regrettable that the Government have rejected sensible amendments to this important Bill, which I still believe would have improved and enhanced our collective security. The arguments against these amendments have been somewhat wanting, generally conveying the message, throughout the passage of the Bill, that it is all being taken care of—a view that this House, on all sides, has not shared.
Our extensive use of new technology throughout the pandemic shone a very bright light on the degree to which we rely on telecoms networks and our experience has reinforced how intertwined these networks are with issues of national security. So, to ensure our security, diversification is crucial and thus far an effective plan to diversify the supply chain has been absent. As I recall, we do, however, have broad agreement that we cannot have a robust and secure network with only two service providers, which is what will remain when Huawei goes. This is why we need to ensure diversity of suppliers at different points of the chain, with sufficient support for the UK’s own start-up businesses. I, too, will quote, from the debate in the other place, the words of Dr Julian Lewis MP, the chair of the Intelligence and Security Committee, who is obviously much quoted today. He said, of Lords Amendment 4:
“For the life of us, we cannot understand why the Government are opposing it. We believe it would strengthen parliamentary scrutiny and provide a valuable annual stocktake on the progress being made on the diversification strategy and how it is helping to improve national security.”—[Official Report, Commons, 8/11/21; col. 119.]
The Government have said that they are serious about protecting our telecoms security and they respect the vital role that diversification plays in achieving that. I would therefore have thought that the Government would welcome the added layer of diversification scrutiny that Lords Amendment 4 provided. It is disheartening, therefore, that the amendment is rejected by Motion A.
On Motion B, our telecoms security also depends on strengthening our international intelligence bonds and the Five Eyes provides the perfect opportunity to do so. It is therefore similarly disappointing that the Government, having promised to work with this alliance in the integrated review, have resisted introducing a requirement that the Government should automatically review vendors—and by that we meant only “review” vendors when others in the Five Eyes ban companies from their networks. This was provided for by Lords Amendment 5. Such a response, as outlined in Motion B, flies in the face of common sense and it is very disappointing to see this rejection.
I accept that on this occasion we have reached the end of the parliamentary road with the Bill. However, as time goes on and the provisions of the Bill take effect, I hope that the Minister will reflect on the debates in the House and the other place concerning the intent and practical considerations that would contribute to security improvements, as provided by Lords Amendments 4 and 5. I hope the Minister will not feel constrained when he further considers making improvements in this area.