Telecommunications (Security) Bill Debate
Full Debate: Read Full DebateLord Clement-Jones
Main Page: Lord Clement-Jones (Liberal Democrat - Life peer)Department Debates - View all Lord Clement-Jones's debates with the Department for Digital, Culture, Media & Sport
(3 years, 5 months ago)
Grand CommitteeMy Lords, I hope the Committee will forgive me if I move on to drier but—I hope the Committee will agree—important ground. In moving Amendment 2, I will also speak to Amendments 3, 4, 5 and 6.
Amendment 2, along with similar amendments to Clause 1 in the name of my noble friend Lord Fox and myself, seeks to narrow the scope of the definitions of “security compromise” and “connected security compromise”. As well as having concerns about oversight of the new powers of the Secretary of State, which we will debate later, there is also concern, reflected by the Constitution Committee, about the width of these crucial definitions and the consequences that flow, particularly as regards planned outages and the need to make a clear distinction between reporting on security compromises and on resilience.
I say this in the context of the impact assessment of 9 June, which stresses the large degree of uncertainty surrounding the costs to be incurred by business, amplified by the report of the Regulatory Policy Committee under its new chair. The Constitution Committee says:
“Clauses 1 and 2 impose duties on providers of a public electronic communications network or service … These include taking such measures as are appropriate and proportionate for the purposes of identifying and reducing the risk of security compromises occurring. The Bill defines security compromises, but the Explanatory Notes acknowledge this definition is broad and do not explain their intended scope. The consequences of a security compromise for providers are potentially significant, including substantial and costly duties of due diligence”—
this echoes the impact assessment. It goes on:
“The House may wish to consider whether narrowing the definition of security compromises would be appropriate.”
BT gave evidence to the Public Bill Committee in the Commons. Of course, BT is a provider which will need to comply with the provisions of the Bill, so I take the liberty of reading out much of its evidence:
“As currently defined, a ‘security compromise’ … would cover any planned network outage that may be required for maintenance or upgrading of the network, or any unplanned outages due to faults or wear and tear. These types of outages are relatively regular occurrences given the scale of our network and we always seek to minimise customer impact and restore service as quickly as possible. The duties on operators in the Bill that flow from this definition are significant—including network issues that cannot reasonably be considered as security compromises (rather resilience or availability issues) would create undue burdens on operators and potentially on OFCOM.
These outages are not the result of any unauthorised access or malicious intent, nor do they have consequences for the confidentiality of data or signals carried over the network. We do not believe it is the intention of the Bill to apply the same requirements (e.g. with respect to reporting or notification to stakeholders), or to make the same powers available to OFCOM, in relation to these types of incidents, as are intended to apply to ‘security compromises’.”
It goes on:
“The definition also seeks, we understand, to capture any compromise to the integrity of signals conveyed over a network. However, the way that this is expressed—by reference solely to compromises of the ‘confidentiality of signals’—is unclear and confusing. It could be significantly improved by making a simple amendment to refer to ‘confidentiality and integrity’.
The definition of ‘connected security compromise’ … is a simple definition referring to something that ‘occurs in relation to another public electronic communications network or a public electronic communications service’. Given the potential breadth of this definition, building some specifics on how the ‘connected’ element will be assessed in the overall Government/OFCOM guidance on ‘security compromise’ will be important.”
So a provider that will be considerably impacted by the Bill and the Constitution Committee have raised important issues about the width of these definitions. These amendments perhaps do not go as far as some providers would like, but they attempt to give greater certainty by specifying that compromises which involve security issues are covered, but not wider outages which do not have security implications. I very much hope the Government will heed both the providers and the Constitution Committee by narrowing the width of these definitions. I beg to move.
My Lords, I had the privilege of being an RAF pilot. The instructions we received as pilots in methods of security included the word “anything”. In other words, if you are flying a jet on a mission and you suspect something, “anything” is reported back, or you take remedial action. You do not try to refine that security by, in this case, reducing it or leaving any element of doubt. Thinking about it a little further, the “anything” could be technical. In this context, it could be competitive; it could be a company being taken over; it could be lack of finance; it could be fraud. Above all, it could provide a loophole. Therefore, Her Majesty’s Government are absolutely right in putting in the word “anything” and not trying to restrict it further.
I hear the noble Lord’s concerns. We will of course take back his comments and reflect on them again. However, I know that officials working on this Bill have considered these points in enormous detail and would be happy to meet the noble Lord and discuss them, if that would be helpful. We believe that our framework does not water down but balances future-proofing with the precision and specificity that the noble Lord seeks. I hope we can follow up on that in a separate meeting.
My Lords, I see a slight chink of light, perhaps, that may be opened by opened by a meeting with the Minister on this subject—because she will appreciate that none of the amendments tabled to the Bill, which we think is important, has been put down lightly, and definition is crucial.
I was somewhat baffled by the noble Lord, Lord Naseby, flying in his jet—I was thinking of perhaps pressing the ejector button, but I thought better of it. The idea that there is an analogy between flying a jet and what we are talking about here was a bit baffling. The only way that I could think of the analogy for a planned outage, which is exactly what the providers are worried about being subject to under this definition of “security compromise”, is where a jet does a planned manoeuvre and everyone scrambles and treats it as an incident—so I cannot see that his analogy holds at all.
I much prefer and give thanks for the contributions of the noble Earl, Lord Erroll, the noble Lord, Lord Coaker, and my noble friend Lord Fox, who, in doubling down on the points raised about the purposes of the Bill, illustrated exactly why we seek to have a much more precise definition. The big problem is that the flexibility demanded by the Government is effectively at businesses’ cost and causes uncertainty. That is the worry about the way that the Bill is currently drafted.
The Minister talked about future-proofing and doing it more precisely, in a sense, by setting out the duties by secondary legislation—but, of course, there are great concerns about the way that the secondary legislation is to be agreed and the codes of practice. So I suppose that, if I were going to ask for a quid pro quo, if there is to be a loose definition of “security compromise”, there must be a very tight way of agreeing the codes of practice and the secondary legislation—but I wonder whether the Minister will actually agree to that trade-off, as we go through the afternoon. I would like to have all of the amendments that we have tabled for today.
I really think that, when the Minister said that this would “undermine the whole approach”, it is good to have it in her script, but that is absolutely not the case. The last thing that we are doing by trying to tighten this definition is to undermine the whole approach; we are trying to create certainty for the providers so that, when they plan outages and there are other planned events, they are not caught by a sidewind when trying to comply with the terms of the Bill. This is a practical issue.
I understand what the Minister says about resilience and, to some degree, that is the case, but there is clearly a great deal of uncertainty surrounding the providers’ interpretation of the Bill, as it currently stands—and they are the ones that will be subject to this. As I said—without wishing to repeat myself too much—the Government’s impact assessment itself makes it very clear that the costs of this exercise, of having to comply with the Bill, are extremely uncertain at this point, and there is quite a lot of concern about that.
I am sure that, if we have a meeting with the Minister in due course, we will be able to persuade her to accept these amendments, and I look forward to it. In the meantime, I beg leave to withdraw Amendment 2.
My Lords, I beg to move Amendment 7 and will speak also to Amendment 12. New Section 105B introduced by Clause 1 affords the Secretary of State the ability to make regulations that have highly onerous provisions, laying down that a provider must take specified security measures. This is under the negative procedure, which is of course a near 100% guarantee of their coming into force. There is no provision for any independent or specialist oversight of these regulations, as we will discuss later. They cover a huge range of issues in great detail, including
“Network architecture … Protection of data and network functions … Monitoring and audit … Supply chain”.
These are all in the draft regulations, along with
“Prevention of security compromise and management of security permissions … Remediation and recovery … Governance and accountability … Competency … Testing … Assistance”.
Very helpfully—in a way—to my case in the last group, the Minister said that the whole purpose of the regulations was to specify in greater detail what the duties of providers would be. But, already, particular issues have been identified in the draft regulations by providers relating to patches, audit and monitoring, supply chains, foreign network operating centres—and the list goes on. So, there is already a feeling not only that these regulations are very detailed but that they should not be subject to the negative procedure. It seems extraordinary that regulations of such importance are not to be subject to greater parliamentary scrutiny.
Noting, obviously, that the noble Baroness, Lady Merron, will be speaking to her Amendment 11, I move on to my Amendment 12. The fourth report of the Delegated Powers Committee drew the attention of the House to proposed new Section 105E of the Communications Act 2003, which gives the Secretary of State power to issue, revise or withdraw codes of practice about security measures that should be taken by providers in the performance of their duties to prevent security compromises under Sections 105A to 105D. There is a duty to consult with Ofcom and providers but no oversight or approval role for Parliament.
In her letter to us after Second Reading, the Minister of course assured us that:
“Government will consult with affected public telecoms providers and Ofcom on any codes of practice that are issued. This will ensure that we have a full understanding of the code’s impact before it is finalised. A consultation on the first code of practice will take place after the Bill receives Royal Assent.”
I am glad to say that the Delegated Powers Committee, in the light of the importance of the codes to assessing compliance and in enforcement by Ofcom, were unconvinced by the department’s claim that this was too detailed and technical and “not legislative”. As the committee said:
“The Bill provides for codes of practice to play a significant role—both in relation to the exercise of OFCOM’s regulatory functions and in legal proceedings—in supplementing the important duties to take security measures that the Bill imposes on providers.”
It concluded:
“In our view, it is unacceptable for codes of practice that will have the significant statutory effects provided for in this Bill to be subject to no Parliamentary scrutiny procedure.”
As the UK communications council said, the combined effect of the two proposed provisions that I have talked about in these two amendments amount to a near-unfettered ability for the Secretary of State to interfere in the normal operations of what is an otherwise innovative and successful industry. Amendment 7, in particular, seeks to ensure that these regulations need to be approved by Parliament by the affirmative procedure. Amendment 12 would require approval from Parliament for codes of practice under the Bill. Where I differ from the committee and, it seems, the noble Baroness, Lady Merron, is on the procedure to be adopted. In my view, at minimum, it should be by the affirmative procedure. I beg to move.
My Lords, I thank the Minister for that rather depressing reply. I also thank the noble Lord, Lord Naseby, for his support—I think we will have a fly-by in celebration. I thank too the noble Earl, Lord Erroll, my noble friend Lord Fox and the noble Baroness, Lady Merron, who raised some very interesting points, all supportive of greater scrutiny in both respects, which was very helpful. As my noble friend illustrated—the impact assessment is a mine of information—the lack of robust and specific data is one of the areas of great uncertainty, and there is the risk of running the industry by remote control without adequate scrutiny. There is great uncertainty about cost, and therefore there needs to be that level of scrutiny, and there is great concern about the role that Parliament should have.
I was fascinated by the Minister’s argumentation. It does not really matter whether a committee recommends something or not; the Government are not going to accept it. Apparently, it is not good enough to have the affirmative procedure because the committee did not recommend it; on the other hand, it is not good enough to have scrutiny of the codes of practice even though the committee did recommend it. Basically, the Government are saying, “Well, what the hell? We’re not going to agree with the committee on any basis.”
My Lords, the Grand Committee will now resume. I think we were just about concluding the remarks of the noble Lord, Lord Clement-Jones.
I might take that hint, but there is still a little bit of water to flow under the bridge.
The Minister knows that there is already a great deal of concern about both the regulations, which I have specified and gone through to some degree, and the forthcoming codes which we are assured will come out, so there is no doubt that the Government are fully aware of the providers’ concerns.
I thought the point made by the noble Baroness, Lady Merron, on the NCSC’s lack of involvement was very strong. That absolutely must be bolted into the Bill; it is fundamental in so many ways, and I do not think any of us really understands why that should not be bolted in.
I come on to the substance of what the Minister said: that using the negative procedure for the regulations was fine because we are not amending primary legislation. Do we now make a virtue of a non-Henry VIII power? Are the only powers that we think should now be subject to the affirmative procedure Henry VIII powers? We have moved some way. I am clearly getting far too long in the tooth to see those sorts of arguments being made by Ministers, especially when it is a matter of scrabbling around to keep the Bill as it is. I understand the “not invented here” principle, but it is a bit depressing to see it when the merits of a case are so strong.
The other time-old argument is “Don’t worry your pretty little heads; these are technical regulations. Parliamentarians can’t have too much oversight of a technical regulation—they might not understand it. They might get confused and lose sleep.” I do not know what the arguments are, but they are clearly bogus. We should go for the affirmative, and someone with the experience of the noble Lord, Lord Naseby—I am sorry to see he is not here—as a Deputy Speaker in the Commons knows full well that that is the appropriate form.
The words “legislative effect”, which the noble Baroness, Lady Merron, emphasised, as I do, are important in this context, and were raised by the Delegated Powers Committee. On this point about having no delay, regulations needing to be updated, and a code of practice needing to be flexible and updated, we have seen that this Government can pass Covid-19 regulations in a blink; they can do virtually anything they feel like at the drop of a hat and nobody says boo to a goose, so I do not think that is a very useful argument.
The other point the Minister made was that the code needs to be understood by its audience. Again, that is a “Don’t worry your pretty little head” argument—“Parliamentarians will not understand the code—it is not relevant to them; only the providers need to worry about it.” But providers are worried about the code, and they would be much reassured if they saw that there was proper scrutiny.
I am really sorry to say that I did not even see a chink of daylight in that group, sadly. I hope that we can move a bit further as the Bill progresses but, in the meantime, with great disappointment, I beg leave to withdraw the amendment.
My Lords, I move Amendment 8 in my name and welcome the similar Amendments 9 and 19 in the names of the noble Lords, Lord Clement-Jones and Lord Fox. The Minister will recognise some similar themes in this group to those in the previous debate. The amendments are to Clause 2, which gives the Secretary of State the powers to make regulations which require providers to take specified measures in response to a specified security compromise and where a security compromise has a specified adverse effect on the network or service. The Minister will not be surprised that the amendments seek to understand what advice the Secretary of State will receive and where that advice will come from when making these regulations.
I am sure that we have all heard concerns about how these regulations are widely shared. For example, Comms Council UK has said that this represents an
“unprecedented shift of power from Parliament to the Minister in relation to how telecoms networks operate”,
and argues that
“the Minister will be able to unilaterally make decisions that impact the technical operation and direction of technology companies, with little or no oversight or accountability.”
Unsurprisingly, there has been a call for technical and judicial oversight, as reflected in these amendments, just as the Investigatory Powers Act 2016 established a Technical Advisory Board to advise the Home Secretary on the reasonableness of obligations imposed on communications providers. There is precedent here to which we can usefully refer.
Other concerns were expressed in Committee in the other place. The Digital Policy Alliance is familiar to a number of parliamentarians, especially the noble Earl, Lord Erroll, who is chair of that august organisation. I am sure that he is aware of the comments of its Dr Louise Bennett, who said:
“There is no mention in the Bill of a technical advisory board focused on the provisions of the Bill, and that would be a very helpful addition.”—[Official Report, Commons, Telecommunications (Security) Bill Committee, 14/1/21; col. 49.]
I agree. Such a board would, for example, be able to point out that new types of components were coming down the track. Does the Minister feel that such a board would be a helpful addition? If not, why not?
Have the Government considered expanding the remit of the current Technical Advisory Board to cover the powers in the Bill? Amendment 19 in the name of the noble Lord, Lord Clement-Jones, gives us a useful steer on how any such new board could be constituted. Without such a board, what technical advice will the Secretary of State receive? Who will it come from, and will it be published? I look forward to the Minister’s reply.
My Lords, I am delighted to be on the same page as the noble Baroness on the insertion of a technical advisory board and judicial commissioner into the process. I note that she quoted Dr Bennett of the DPA; I am proud to be a DPA member and sitting opposite my chair. Others from the industry have made the same points. Comms Council UK has pointed out that there are no clear mechanisms for technical feedback or expertise to be fed into the drafting of the regulations and the codes of practice, which we discussed on the last group. It makes the point that many of the technical requirements that will be placed on its members are not in the text of the Bill but are in the accompanying regulations and the code, which we have heard has yet to be published. It is clear that, in these draft regulations made under Section 105B and 105D—
My Lords, the Grand Committee is resumed—third time lucky. I call the noble Lord, Lord Clement-Jones.
My Lords, I hope I am demonstrating the agility of which the Minister is so fond. As I said earlier in respect of the judicial commissioner, these amendments provide a ready-made mechanism for oversight concerning the proportionality and appropriateness of any measures in the regulations and codes. Taken together, Amendments 9 and 19, would require the Secretary of State to take into account the advice of the technical advisory board—and insert a new clause after Clause 14—and that of a judicial commissioner appointed under the 2016 Act. We have gone a little further in specifying the make-up of the technical advisory board, but we are clearly on the same page as the noble Baroness, Lady Merron, with her Amendment 8.
My Lords, I want to speak on this issue as I remember mentioning it at Second Reading. There is a person for whom I have huge respect, Dr Louise Bennett, whose extensive knowledge and sagacity I first ran into when we were talking about ID cards years ago and the whole problem of digital identity and privacy over the internet. If you really want to know about such things, read her work: she has produced a lot of work on this. I think a technical advisory board is essential: these are complex issues. The Minister said that the matters subject to regulation will be technical. I do not see how we can do this without a good technical advisory board, and it is good if we have some view of who goes on it, because it is too easy for these things to disappear off and no one thinks about them. We will keep needing cutting-edge advice and not have groupthink, and these matters are very tricky.
Between Amendments 8 and 9, I could not decide between taking “the utmost” and “full” account; there is a neat little difference in the wording. Otherwise, the point about laying it out properly is important. The other thing, which slightly goes back to our previous debate, is that we get into the whole problem of what are regulations, what is guidance, what are guidelines and what is a code of practice and the different legal stance of those different things. We have to be careful about using them as if they were interchangeable. Regulations will often give rise to a code of practice, breach of which is not necessarily an offence, but they can be linked back to a primary Act offence. We should not bandy those words around interchangeably; they are different. We need a technical advisory board and, between these amendments, we should do something about it.
I call the noble Lord, Lord Clement-Jones—sorry.
I must admit that I am somewhat baffled by the Minister’s response. The argument on the technical advisory board seems to be, “Oh, we’ve got enough technical advice, so we don’t need one”—but, clearly, it seems that there is a need for this. I quoted providers—I can go into the papers that we have received from them—as saying that real issues arise out of the regulations. These are technical and relate to things such as patches and audit and monitoring issues. There is a feeling that the department is just not listening on those issues, and what is needed is someone who is rather more dispassionate and can advise on the technical issues that are arising—perhaps, if it is seen as a conflict, someone like the noble Earl, Lord Erroll, who can genuinely advise on this kind of thing. It seems to me to be extraordinarily dismissive to say, “We’ve got enough advice. We don’t need a board of this kind”.
In the Investigatory Powers Act 2016, there is a very useful technical advisory board—it is not usable for this purpose because its function is rather different under that Act. When the Minister comes to the point about the judicial commissioners, saying, “Oh, no, they are for an entirely different purpose”, I say that, actually, if you read their function, it is four square with the kind of thing that would be useful under this Bill. They are talking about not technical issues but proportionality, appropriateness and so on—very much the kind of thing that they are dealing with under the 2016 Act.
So I am afraid that I do not buy what the Minister has to say, sadly; I just think that it is pushback based on the thinking that, “Well, the Bill’s the Bill and it’s all drafted, so we don’t really want to do very much with it by way of amendment”. That is the time-honoured government response to this kind of suggested amendment, but I believe that, constructively, both these aspects—a judicial commissioner and a technical advisory board—would make a great difference to the functioning of the Bill and would lead to much better regulations and codes of guidance at the end of the day.
I thank the Deputy Chairman and apologise for speaking across him. I am a bit intrigued by the comment of the noble Lord, Lord Parkinson, on the subject of legal enforceability. He is correct to say that, as new Section 105H states, the
“provision of a code of practice does not of itself make the provider liable to legal proceedings”
—but it would not be liable only when the provision was not in force in time or when it was not legal. However, you would not bring a legal case anyway when it was not relevant or in force, so, to all intents and purposes, where the code is in force and relevant, it is legally enforceable. Therefore, it is legally enforceable.
My Lords, in its evidence to the Bill in the Commons, BT said:
“we believe greater clarity is needed on OFCOM’s planned approach, with safeguards introduced in the Bill to ensure operator burdens are proportionate.”
Amendment 10 seeks to ensure that codes of practice are necessary and proportionate.
As regards Ofcom’s new powers to ensure compliance with security duties as set out in new Section 105M, how will these relate to Ofcom’s existing powers and duties under Sections 3 and 6 of the Communications Act 2003? Will this duty and the new powers Ofcom is being given still be subject to good regulatory practice so that, for example, it still must have regard to the principles of transparency, accountability, proportionality and consistency and not impose unnecessary burdens? How will this fit in with the statement to be made by Ofcom under new Section 105Y?
Amendments 16, 17 and 21 to Clauses 5, 6 and 19, in my name and that of my nobble friend Lord Fox, seek to ensure that the new powers for Ofcom introduced in the Bill are subject to requirements in the 2003 Act regarding carrying out and reviewing its functions. I was pleased that in her letter to noble Lords after Second Reading, the Minister explicitly said:
“When carrying out its security functions, Ofcom will remain bound by its general duties under Section 3 of the Communications Act 2003 as it is now. Section 3(3) provides a duty on Ofcom to have regard to the need for transparency, accountability and proportionality when carrying out its functions. Ofcom will also be bound by its duty under Section 6 of the Communications Act 2003 to review the burden of its regulation on public telecoms providers. If Ofcom fails to carry out its security functions in line with these duties, then it is likely to be subject to legal challenge.”
I very much appreciate those words, which are a very clear interpretation of the existing Act and the duties of Ofcom and the responsibilities it has in the way that it carries them out. Will the Minister repeat that assurance today?
My Lords, I want to say a few words on this because the key words “undue burden” stand out. It is very important that we do not put too many burdens, particularly unnecessary ones, on companies. In particular—and this is something that I have often looked at because I have done a lot of work with innovative and growing companies—you must not let large corporations stifle innovation. There is an attitude among them that regulations are for your enemies; they are a very good way of stopping up-and-coming competition. I have also noticed that departments tend to consult the companies which have significant market presence already and see them as being the people who know all about it. However, that does not take account of what is up and coming. The other thing is that they often have people on secondment from them or people who have retired from the companies and gone into the departments, so there can be some interesting biases within. With those few warnings, I think the whole undue burden issue is more important than people might think.
I thank the noble Lords, Lord Fox and Lord Clement-Jones, for these amendments, and all noble Lords who have spoken in the debate. The amendments focus on the need for the regulations and code of practice to be proportionate, and to ensure that the duties of Ofcom are carried out in a transparent and similarly proportionate way.
I turn first to Amendment 10, tabled by the noble Lord, Lord Fox. This amendment to Clause 3 seeks to ensure that codes of practice are necessary and proportionate to what they are intended to achieve, and do not place an undue burden on telecoms providers. The Bill already includes provisions in Clauses 1 and 2 to ensure that security duties placed on public telecoms providers in the primary legislation and specific security measures set out in regulations must be considered to be appropriate and proportionate by the Secretary of State. The code of practice will provide the technical guidance on the steps that public telecoms providers should take to meet their security duties. I certainly agree with the noble Baroness, Lady Merron, about the extra—and indeed extraordinary—work that providers have done over recent months to keep us all in contact during the pandemic.
To help ensure that technical guidance in the code of practice is appropriate and proportionate, Clause 3 requires the Secretary of State to publish a draft version of the code of practice before it is issued, and to consult on its contents. This public consultation will take place after the Bill has attained Royal Assent; it will enable the voices of telecoms providers of all sizes—as noble Lords rightly pointed out—the wider sector, Ofcom, and any other affected groups to be heard and taken into account before the code of practice is finalised. Subsequent versions of the code of practice, which will be revised as technology evolves and new threats emerge, will also be subject to the same process of consultation before being issued.
An impact assessment is also being conducted for proposed secondary legislation to be laid as part of the new framework, which will take into account the initial cost assessments from providers to ensure that the framework is balanced and proportionate. The precise make-up and design of each provider’s network remains a commercial decision. The Bill makes it clear that providers are responsible for the security of their own networks and services; providers also remain responsible for deciding how they recover their costs. As such, we expect the costs of ensuring adequate security to be met by individual providers.
I turn to Amendments 16, 17 and 21, tabled by the noble Lord, Lord Clement-Jones. These seek to apply Sections 3 and 6 of the Communications Act 2003 to Ofcom’s duties and powers under Clauses 5, 6 and 19 of this Bill. Section 3 of the Communications Act sets out Ofcom’s general duties; these include a duty on Ofcom to have regard to the need for transparency, accountability and proportionality when carrying out its functions. Section 6 of the Communications Act requires Ofcom to review the burden of its regulation on telecoms providers. These are all principles that we think are essential to the functioning of the new security regime created by this Bill. I am glad to repeat the reassurance given by my noble friend in her letter, which the noble Lord, Lord Clement-Jones, mentioned, that Ofcom is already bound by its general duties in Sections 3 and 6 of the Communications Act when carrying out its security function under new Section 105M, and when using any of its powers in this Bill. This will include Ofcom’s power to carry out an assessment of public telecoms providers’ compliance with their security duties under Clause 6 of this Bill, and powers for Ofcom to give inspection notices under Clause 19. As my noble friend said in her letter, if Ofcom fails to carry out its security functions in line with these duties, it could be subject to legal challenge.
The provisions in the Bill already ensure that the regulations, code of practice and duties of Ofcom are proportionate. Therefore, we do not think that these amendments are necessary, and we hope that noble Lords will be happy not to press them.
My Lords, I thank the Minister for that—he pierced through the gloom of the afternoon, giving an assurance that existing duties of Ofcom will cover the new powers.
I think we have a Pepper v Hart situation that works for the other aspects on the code of practice. It is not just the regulations and the duties and powers of Ofcom that are subject to it; the way in which the code of practice will be drawn up is covered also by the duties under Sections 3 and 6 of the existing Act. I very much hope so, and I need to take away and read what the Minister had to say.
My Lords, Amendment 13 seeks to speak up for consumers and to probe possibilities as to how we may act in their interests. After all, they are the ones who are, on an individual basis, and often in very large numbers, at the receiving end of security threats.
Amendment 13 would amend Clause 4, which places a duty on providers to take steps to inform users about security compromises or where there is a significant risk of a security compromise occurring which may adversely affect the user as a result. As we see in the clause, the provider must inform the user about the existence of the risk, the nature of the security compromise, what steps could be reasonably taken by users in response, and of course the name and contact details of a person who may provide further information. All those are welcome, and such a duty being placed on providers to report security incidents is right and proper. After all, for many years, we have heard calls from all sides to place a clearer and more comprehensive duty on providers to share information with users, who should not be kept in the dark. When they are affected by a breach, there are not just practical considerations; as we all know, such security breaches are extremely distressing and worrying, as well as compromising for those affected. It is right for them to have some sort of redress.
Let us reflect on the high-profile incidents where users have not been told of security incidents. For example, TalkTalk failed to inform 4,500 customers that their personal information, including bank account details, was stolen as part of the 2015 data breach. That was revealed only in 2019, when details were found online. I am sure that, like me, the Minister will completely understand how distressing this must have been for those people, who were not only affected but were given no opportunity by the company to do anything about it.
Clearly, we know that such behaviour by telecoms companies is unacceptable. However—and this is what the amendment seeks to assist with—Clause 4 does not give a timeframe for providers to inform consumers. This probing amendment suggests a 30-day window to do so. I understand that we have to be aware that this cannot lead to further security compromises that could result from informing the public, so that point has to be taken into account.
How quickly does the Minister think providers should inform the public of a security breach? I ask that because under Clause 4, which is very open, it could be months before users find out that their personal data has been stolen. How much worse for people to find out in that way and in that sort of timeframe?
The amendments we are debating today and the Bill we are considering are all about the protection of national security. In all that, let us remember consumers too, whose interests are key to these debates. The public have to know that their data is safe and when to take necessary steps if their privacy has been threatened in some way.
On Amendments 14 and 15, I should be interested to hear from the Minister whether an Ofcom backstop to halt providers speaking to users on security grounds already exists. Does Ofcom have the expertise already to make such a judgment, or would new experts—I use that word carefully but definitely—and new expertise be needed? I look forward not only to the Minister’s reply but to the comments of noble Lords participating in this debate.
My Lords, I shall speak to Amendments 14 and 15. I wanted to say on the last group of amendments that I entirely agree with the noble Earl, Lord Erroll, about regulation. It is entirely possible for regulation to provide certainty, to stimulate innovation and, in the context of this Bill, to ensure that we have the right framework for our providers to ensure that our security is not compromised. So there is certainly no negativity in that respect towards regulation; the question is whether it is appropriate in the circumstances and not unduly burdensome for those subject to it. That is why the question of parliamentary oversight, which has been mentioned throughout this afternoon, continues to be important, and I think that it will come up again in the next group.
This amendment is on rather a different area. I have quite a lot of sympathy with Amendment 13 in the name of the noble Baroness, Lady Merron, but this is more nuanced than the Bill provides for. I want to quote again from the evidence of BT to the Bill Committee in the Commons. It said:
“We agree with the requirements on operators to support the users of their networks in preventing or mitigating the impact of a potential security compromise … In certain cases”—
and this is a sort of “however”—
“the security of the network may be put at greater risk if potential risks are communicated to stakeholders, providing malicious actors with additional information on potential vulnerabilities in the network that they may seek to exploit. We therefore believe that the Bill should explicitly consider such scenarios and not place obligations on communications providers to inform users of risks whereby doing so it will increase the likelihood of that risk crystallising.”
That is where our first amendment is going. BT further stated that
“the Bill also confers powers on OFCOM to inform others of a security compromise or risk of a compromise, such as the Secretary of State or network users. We understand the intention of the Bill in this regard and support the principle. We believe that this would be most effective when done in conjunction with the operator in question to ensure there is clarity and agreement, where possible, on the timing, audience and messaging of such information provision. This would also ensure that this does not cut across any other obligations that an operator may have, such as market disclosures. The Bill currently does not require OFCOM to consult with the operator prior to informing third parties of a security compromise (or risk of one).”
I think these are fair points. The Government must have an answer before Ofcom is faced with that set of issues. In this light, Amendments 13 and 15 make further provision about the duty to inform users of a risk of security compromise and specify that duties to inform others of “significant risks” of security compromises must be proportionate and not in themselves increase security risks.
My Lords, I put my name down to speak to this because the problem with putting a fixed time period on having to report security breaches is that it very much depends on what the breach is. We mentioned patches earlier. If it is a vulnerability in the software—or it may be the hardware—which requires a patch to be released, you must have the time to produce it and test it as fully as possible. You do not want the hackers out there to know what the vulnerability is until you can roll out the answer to it. That is what zero-day attacks are based on. Equally—the noble Baroness is absolutely correct here—you do not want this stuff swept under a carpet to sit there unused for years. Could our technical advisory board give advice at an incident level, or something like that?
I have received a request to speak after the Minister from the noble Lord, Lord Clement-Jones.
My Lord, until the Minster replied, “nuance” was the word being used in the context of information being provided and required and so on. I am afraid that nuance was completely lost in that response. The response to Amendment 14 was that the NCSC, the Government, the Secretary of State and Ofcom know best and that is it. They have to release the information. They do not believe there are any circumstances where it should not be released. It is all there in the NCSC guidance and well, too bad—tough. That seemed to be just about the Government’s position. That is pretty extraordinary considering that the relationship with the providers is extremely important, particularly in these circumstances where there have been breaches. We have heard from noble Lords during the debate that the timing of giving the information is important but the very fact of giving the information may also be important. I am afraid that is part 1 of a rather depressing response.
Part 2 was almost worse because the amendment being put forward is the mildest possible one. Ofcom must consult the provider in question
“where reasonably practicable to do so.”
As for the idea that this is going to lead to horrendous delay, the Minister really had to scrape away to find a suitably negative response to that amendment. I am afraid that her response in both respects does not engage with the real issues and I think it is grossly unsatisfactory in the circumstances.
My Lords, we know how it is when you are on a roll. This reminds me that it is very unusual for somebody to have the opportunity to get in before the noble Lord, Lord Fox, draws breath, as the Chair did. “Very impressive footwork,” I thought to myself.
There has been a common theme this afternoon of a lack of oversight over aspects of this Bill in many respects—in particular, the regulations and codes. This lack of oversight is compounded by the fact that, under Clause 13, any appeal to the Competition Appeal Tribunal cannot take account of the merits of a case against the Secretary of State. The rationale for this, as the Constitution Committee says,
“is unclear and is not justified in the Explanatory Notes.”
I will quote the Explanatory Notes in full. Clause 13 provides that, in appeals against relevant “security-related” Ofcom decisions, the Competition Appeal Tribunal is to apply ordinary “judicial review principles”, notwithstanding any retained case law or retained general principle of “EU law”—by that they of course mean retained EU law. This means that the tribunal should not “adopt a modified approach” to proceedings, as required under retained EU law, which provides that the “merits of the case” must be “duly taken in account”.
Therefore, this provision disapplies aspects of the ongoing effect and supremacy of retained EU law, as permitted by Section 7 of the European Union (Withdrawal) Act 2018. The rationale for reducing the powers of the tribunal in respect of security matters is unclear and not justified in the Explanatory Notes. The House may wish to ask the Government to justify reducing the powers of the Competition Appeal Tribunal in respect of appeals under Clause 13. That is the motive behind this clause stand part debate.
The most authoritative judgment to date about the current standard of review is the Competition Appeal Tribunal’s TalkTalk Telecom Group plc and Vodafone Ltd v Office of Communications case. This addresses, inter alia, the standard of review on an appeal to the Competition Appeal Tribunal under Section 192 of the Communications Act. The judgment of Peter Freeman QC provides a good analysis of the context and history of the changes to the standard of review. I make no apology for quoting it at some length:
“Of particular relevance to how the Tribunal should approach this appeal are Article 4(1) of the Framework Directive and section 194A of the 2003 Act, as amended by the DEA17 … Article 4(1) provides: ‘Member States shall ensure that effective mechanisms exist at national level under which any user or undertaking providing electronic communications networks and/or services who is affected by a decision of a national regulatory authority has the right of appeal against the decision to an appeal body that is independent of the parties involved. This body, which may be a court, shall have the appropriate expertise available to it to enable it to carry out its functions. Member States”—
this is the key bit—
“shall ensure that the merits of the case are duly taken into account and that there is an effective appeal mechanism…’ … Section 194A provides: ‘The Tribunal must decide the appeal, by reference to the grounds of appeal set out in the notice of appeal, by applying the same principles as would be applied by a court on an application for judicial review.’ … The combined effect of these provisions is to require the Tribunal to apply the same principles as would apply in a judicial review case but also to ensure that the merits of the case are duly taken into account so that there is an effective appeal.”
At paragraph 139, the judgment concludes:
“Given that Article 4(1) continues to apply, it would appear that, in accordance with the Court of Appeal’s view in BT v Ofcom and the High Court’s view in Hutchison 3G, as set out helpfully by the Tribunal in the recent Virgin Media judgment, we should continue, as before, to scrutinise the Decision for procedural unfairness, illegality and unreasonableness but, in addition, we should form our own assessment of whether the Decision was ‘wrong’ after considering the merits of the case.”
“Article 4(1)” refers to the now-repealed framework directive. It should now be read as referring to Article 31(1) of the European Electronic Communications Code—the EECC. The transposition deadline of the EECC was just before the end of the transition period and iseb;normal;j therefore currently binding as part of retained EU law. The wording of the EECC is almost exactly the same as the framework directive in respect of appeals.
That is what will continue to apply across the remainder of the Communications Act for other appeals under Section 192 but is being changed by Clause 13 of the Bill, which amends Section 194A of the Communications Act in respect of security provisions. This is a very significant change to the appeals procedure in security cases. There is a single bald paragraph in the Explanatory Notes, no justification is given—as the Constitution Committee says—and neither is there any evidence of why it is necessary. What evidence does the Minister in fact have of the need to make this major change in respect of security decisions made by Ofcom? I beg to move.
My Lords, I saw this and thought that I really did not understand why the Government were doing it. I saw what the Constitution Committee had said and realised that it did not understand why it was needed. I cannot believe that you can have a proper appeal if you ignore the merits of the case. I probably have an overdeveloped sense of justice and I think that to have an appeal where you are not allowed to present half the case or whatever is not a proper appeal. In fact, what you find is that the system can use procedural things to run rings around people who have a very justifiable complaint about something. I did not like the look of it and I entirely agree with everything that the noble Lord, Lord Clement-Jones, said.
My Lords, I have heard some ministerial pushbacks but, I must say, that circularity more or less takes the biscuit: “The Government believe that we need to change the standard and therefore we have changed it.” There is very little that one can get one’s teeth into in terms of the argument. It is simply that the Government believe that JR in its unlawfully rational or unfair incarnation should apply in this set of circumstances—and that is it, whereas, for the rest of the 2003 Act, the merits version of JR continues unabated.
The Minister made a few points. I thought “merely” was rather extraordinary; it is a very important change to the way the tribunal will operate in those circumstances. Providers will not appeal against these decisions unless they are of major importance. The process of going to the Competition Appeal Tribunal is not lightly undertaken. She used the words “a smooth regulatory process”. Of course Governments always love smooth regulatory processes, but how big is the steamroller employed in these circumstances? There was also the use of “appropriate”—a splendid weasel word.
This is the end of a very entertaining afternoon so I cannot really comment heavily on the Minister’s reply. However, she really could have done better. The noble Earl, Lord Erroll, and I asked for evidence of why in these circumstances—we have all just asked why—but nothing was forthcoming: no evidence, precedent or, “We did it that way and it didn’t work”. We have just decided within the bowels of Whitehall to do this—splendid, but the Government need to do better than that, even with their current majority. However, this is the end of a splendid set of debates this afternoon and I hope for better on another occasion.