Skip to main content

Product Security and Telecommunications Infrastructure Bill (Fifth sitting)

Debated on Tuesday 22 March 2022

The Committee consisted of the following Members:

Chairs: † Caroline Nokes, Graham Stringer

† Baynes, Simon (Clwyd South) (Con)

† Bhatti, Saqib (Meriden) (Con)

Brennan, Kevin (Cardiff West) (Lab)

† Double, Steve (St Austell and Newquay) (Con)

† Edwards, Ruth (Rushcliffe) (Con)

† Elmore, Chris (Ogmore) (Lab)

† Grundy, James (Leigh) (Con)

† Hart, Sally-Ann (Hastings and Rye) (Con)

Hollern, Kate (Blackburn) (Lab)

† Long Bailey, Rebecca (Salford and Eccles) (Lab)

† Lopez, Julia (Minister for Media, Data and Digital Infrastructure)

† Mishra, Navendu (Stockport) (Lab)

† Osborne, Kate (Jarrow) (Lab)

† Randall, Tom (Gedling) (Con)

† Vara, Shailesh (North West Cambridgeshire) (Con)

† Warburton, David (Somerton and Frome) (Con)

Whitley, Mick (Birkenhead) (Lab)

Huw Yardley, Bethan Harding, Committee Clerks

† attended the Committee

Public Bill Committee

Tuesday 22 March 2022

[Caroline Nokes in the Chair]

Product Security and Telecommunications Infrastructure Bill

We are now sitting in public and proceedings are being broadcast. Before we begin, I have a few preliminary announcements. Hansard colleagues would be grateful if Members could email their speaking notes to hansardnotes@parliament.uk. Please switch electronic devices to silent. As you all know, teas and coffees are not allowed during sittings.

New Clause 1

Power for operator to upgrade or share apparatus

“(1) The electronic communications code is amended as follows.

(2) In paragraph 17, in sub-paragraph (1), for the words ‘sub-paragraphs (2) and (3)’ substitute ‘sub-paragraphs (2), (3) and (4A)’.

(3) After sub-paragraph (4) insert—

‘(4A) The third condition is that, where a site is provided by an emergency service, before the beginning of the period of 21 days, ending with the day on which the main operator begins to upgrade the electronic communications apparatus or (as the case may be) share its use, the main operator provides written notice to the site provider.’”—(Chris Elmore.)

This new clause would require operators with agreements under the code that are not subsisting agreements to provide written notice to site providers that are an emergency service before the beginning of the period of 21 days (with the 21 days ending the day the operator begins upgrading the apparatus).

Brought up, and read the First time.

I beg to move, That the clause be read a Second time.

Good morning to you, Ms Nokes, and to all members of the Committee.

The new clause is self-explanatory, but I will speak to it in the hope of persuading colleagues of its considerable merits. It would require operators with agreements under the code that are not subsisting agreements—agreements that came into force before the code was agreed—to provide written notice to site providers that are an emergency service before the beginning of the period of 21 days, ending on the day that the operator begins upgrading the apparatus.

This uncontroversial new clause would simply mandate operators to give advance notice to sites that provide and deliver emergency services, such as hospitals, for example. Due to the sensitive and life-saving nature of the work that is carried out daily in those buildings, it would make sense for providers of emergency services to be given advance notice of when work is going to be undertaken, in the hope that work will then be able to go ahead as smoothly as possible. The new clause would reduce the delay and interference for both the site owner and the operator.

Under this Government, broadband roll-out targets have been reduced time and again—from full fibre to full gigabit, and now down to 85% gigabit. The new clause would speed up the roll-out of telecommunications infrastructure, which the country needs. We hope that this constructive new clause will have cross-party support, and I urge Members on both sides of the Committee, including the Minister, to support it.

I thank the hon. Gentleman for tabling the new clause, which relates to the automatic rights for operators to upgrade and share existing apparatus. To be clear, those rights are already contained in the code, and apply only to agreements completed after the 2017 reforms to the code came into force. The new clause suggests the introduction of a 21-day notice requirement for operators that want to exercise these rights where apparatus is situated on land owned by an emergency service provider.

I very much appreciate the intention behind the new clause, and am grateful to the hon. Gentleman for briefly sharing with me last week some of the instances that he has in mind. Of course, it is important that emergency service providers are aware of work on their sites that may have an impact on their daily activities; I am sympathetic and alive to that. I have tested the issue with officials in the last week, and they suggest that in that context, it is crucial to look at the scope of the paragraph 17 rights, which authorise only activity that will have no more than a minimal adverse impact on the appearance of the apparatus and will impose no additional burden on the other party to the agreement. Clearly, the rights are therefore available only in very limited circumstances.

Of course, operators may need to upgrade and share apparatus that will have a greater impact on a site provider than paragraph 17 permits, and they should be able to do so, but in those circumstances they must obtain the site provider’s agreement or seek to have the required rights imposed by the courts. In contrast, the automatic rights in paragraph 17 are available only in very limited circumstances. The conditions in paragraph 17 specifically exclude activities that would impose an additional burden on a site provider. Activities that disrupted a site provider’s daily business, or created new health and safety risks, would be very unlikely to satisfy that requirement.

Operators that upgrade or share their apparatus in ways that go beyond the paragraph 17 rights, and which do not have a site provider’s permission or court authorisation, will be acting outside the parameters of the code. As such, they may be liable to any legal remedies or sanctions that are applicable to their actions. If an operator is in doubt as to whether the paragraph 17 conditions are satisfied, it would be sensible for it to discuss the planned works with the site provider. I am not aware of any instances in which an operator has relied on its paragraph 17 rights to carry out upgrading and sharing activities that have gone beyond the scope of what that paragraph allows, but if the hon. Gentleman is aware of occasions when that has happened, I would welcome further details and information about them.

At present, we think that the scope of activities permitted by paragraph 17 is so narrow that a specific notice regime is not required. Putting one in place would undermine the policy intention of the rights, which is to enable limited upgrading and sharing works to be carried out as quickly and efficiently as possible. I therefore hope that the hon. Gentleman will withdraw the new clause.

In the light of what the Minister has said and, crucially, her offer to hear the examples that I will provide her with, I beg to ask leave to withdraw the motion.

Clause, by leave, withdrawn.

New Clause 2

Review of the changes to the Electronic Communications code

“(1) The Secretary of State must conduct a full economic review of the effect of Schedule 1 of the Digital Economy Act 2017 (The Electronic Communications Code).

(2) The Secretary of State must prepare and publish a report on this review within two months of the passage of this Act and must lay a copy of the report before Parliament.”—(Chris Elmore.)

This new clause would require the Secretary of State to outline the economic impact of the 2017 introduction of the Electronic Communications Code.

Brought up, and read the First time.

I beg to move, That the clause be read a Second time.

This new clause would require the Secretary of State to conduct a full economic review of the effect of the electronic communications code since 2017, and to publish a report on that review’s findings. When the code was introduced in 2017, the Government promised that they would publish a review of its impact by 2022, but I am afraid to say that we are still waiting. The Committee should note that this is not a new request; we are merely holding the Government to account on promises that were made in 2017.

The review should look into issues including, but not limited to, the impact of the legislation on investment into mobile networks, the number of new sites provided, the speed of infrastructure deployment, changes in rent to site providers, and the total legal costs that have been borne by the judiciary as a result of litigation. The Department’s vague responses to parliamentary questions show that it is unsure of how much money has been saved by rent reductions since 2017. That suggests, in turn, that the Department is also unaware of how much of that money has been reinvested back into the development of telecommunications infrastructure, which was the express purpose of the legislation.

The impact assessment for the previous legislation is clearly overdue, and the testimonies that we heard on Tuesday last week suggested that a review needs to take place sooner rather than later. The Minister was keen to suggest that only a small number of rent reductions were of more than 90%, but testimonies from witnesses last Tuesday suggested otherwise. The Minister also said that the number of legal cases was decreasing, but there have been over 300 since the introduction of the code, compared with just a handful prior to its introduction. Once again, we are hearing mixed messages from the Government while the message from those on the ground who have been adversely affected by the rent reductions is crystal clear.

The simple truth is that we are currently unable to make a clear and objective assessment of the effectiveness of the electronic communications code because its impact has not been reviewed. A review was promised, as I will continue to reiterate, when the legislation was first introduced; I accept that it was not this Minister who made that commitment, but it was this Government. Such a review would give us a better understanding of where we were in 2017, of where we are now in 2022, and of what we need to do to improve the situation in the future, as we increase our reliance on digital connectivity.

Technological progress and innovation will define the success of the United Kingdom in the 21st century, and any progress will be underpinned by how quickly and effectively we are able to roll out digital infrastructure projects such as 5G and gigabit-capable broadband. It is firmly in the national interest to get a better understanding of whether the changes we have made so far have been effective, and what lessons can be learned to ensure that our country thrives in the technological and digital spheres in the years ahead.

For the reasons that I have outlined, I hope that colleagues on both sides of the Committee will support the new clause and ensure simply that the Government are held to account on commitments made when the 2017 code was published.

I thank the hon. Gentleman for tabling the new clause and, again, I appreciate the intention behind it. It would require the Government to carry out a review of the 2017 legislation that updated the electronic communications code, which is the overarching legislation that the Bill amends and that we have been discussing in Committee.

I appreciate that the intention behind the new clause is to better understand the impact of the 2017 changes to the code but, unfortunately, such a review clause would have unintended consequences. We are particularly concerned that there might be a chilling effect on the market while the review is carried out, which would lead to delays not just in implementing the measures in the Bill, but in wider deployment. When the 2017 code came into force with reduced rents, a lot of cases went through the courts because operators were still on higher rents as long as negotiations were ongoing. We do not want to see a similar challenge in this case.

If a review takes place, stakeholders will likely delay entering into agreements to enable the deployment of infrastructure. Only when the review has concluded and it is clear whether further changes are to be made to the code will parties be prepared to make investment or financial commitments. That will have a profound effect on our connectivity ambitions, despite our desire to move as quickly as possible to level up the country with world-leading connectivity. It will also have an adverse impact on consumers and businesses, many of whom want to access higher speeds and the latest technologies such as 5G.

The Bill focuses on a few issues that prevented the 2017 changes from having their full impact, such as speeding up deployment while protecting the rights of landowners and site providers. Wider changes to the code will halt all progress made and will risk bringing deployment to a standstill. That would leave many homes and communities without the upgrades to connectivity that they badly need, which I am sure the hon. Member will agree would not be the desired outcome.

Let me clarify what was said in 2017 about reviewing the changes to the code. In the impact assessment that accompanied the reforms, the Government said that they would review the policy by June 2022. They did not say that they would carry out a full economic review of the impact of the reforms on the rental agreements. We have reviewed the policy. Officials have held regular meetings with stakeholders since the 2017 reforms came into force, including facilitating workshops between stakeholders to encourage more collaborative working. My predecessor, my right hon. Friend the Member for Maldon (Mr Whittingdale), held a series of roundtable meetings with stakeholders from both the operator and the site provider communities so that he could understand the situation better.

Since I have been in post, I have been testing some of the concerns of the hon. Member for Ogmore in Parliament to ensure that we are beyond some of the initial challenges that we all accept existed when the code changes were made. Regular engagement and the issues highlighted directly informed last year’s consultation, which preceded this Bill, and led to the provisions in the Bill that are needed to realise the benefits of the 2017 reforms. I hope that this gives the hon. Member reassurance that we have reviewed the policy as a whole, and I ask that he withdraw his amendment.

I have listened to the Minister and I accept that there are challenges with any review, but the only way in which we learn is by reviewing what we have done previously. There are some nicks in the system that are still not rectified. There is no reason why a Government review would mean that the industry would need to stop rolling out fibre broadband, improving broadband more generally, 5G roll-out or anything else. The process could be done with industry to ensure there is an efficient and effective way of reviewing, so that we can learn from what has happened and improve moving forward. I am keen to push the new clause to a vote.

Question put, That the clause be read a Second time.

New Clause 4

Requirement to consult on imposition of minimum periods of time for which products would need to receive security updates

“(1) Within three months of the date on which this Act receives Royal Assent, the Secretary of State must publish the text of draft regulations exercising the power in subsection (1) of section 1 (Power to specify security requirements) so as to provide for minimum periods of time for which relevant connectable products would need to receive security updates.

(2) The Secretary of State must consult—

(a) representatives of all relevant persons (as defined in section 7 (Relevant persons)), and

(b) any other person the Secretary of State thinks appropriate on the draft regulations.

(3) Within three months of the final date for receipt of responses to the consultation, the Secretary of State must lay before Parliament a report on the responses.”—(Chris Elmore.)

Brought up, and read the First time.

I beg to move, That the clause be read a Second time.

During the oral evidence session last Tuesday, we heard a number of concerns about part 1 of the Bill, which were outlined particularly eloquently by Madeline Carr, professor of global politics and cyber-security at University College London, who tellingly stated that she does not currently own an Alexa due to a lack of trust, and that the Bill as it currently stands would not give her sufficient confidence to go out and purchase one. Her Majesty’s Opposition value the contribution and knowledge of experts such as Professor Carr, and we have tabled new clause 4 on that basis.

The clause would require the Secretary of State to undertake a consultation on the imposition of a minimum period during which relevant connectable products would need to receive security updates. That would allow the Secretary of State to consult with academics such as Professor Carr, among others in the field, to establish the best way of making those connectable products, which have the potential to bring huge benefits to our lives, as safe as possible for as long as possible.

I presume the Minister might retort by saying that increased regulation of this sphere might stifle innovation, but that is exactly the opposite of what we heard last Tuesday. What we heard was that without strong, strategic Government intervention, there is not much desire for, or a market for, cyber-security. That is why introducing a minimum period for which connectable products would be subject to security requirements is so important: without Government intervention, increased security for British consumers will not come about.

Another reason that implementation of the new clause is so vital is that it relates to the digital divide and the ability of those who are the most financially vulnerable to have access to secure products. We do not want the less well off to be purchasing items that are subject to security updates for a much shorter period, thus making them more vulnerable to cyber-attacks than those who are more financially secure. I raised that issue on Second Reading and, dare I say it, there was some pushback from Members in the Chamber, but the issue was highlighted by Professor Carr and David Rogers, who was the lead editor during the process that is the basis for the Bill.

The party that I am deeply proud to represent was founded to represent the interests of working people, and it is ultimately my responsibility to ensure that working people across the country do not lose out with respect to the pace of technological change and as the threats facing that technology continue to increase. We acknowledge that no Bill can anticipate all threats that we will face in the future and the varying types of product that will come to the market, but we do have control over ensuring that we do our utmost in legislation to best protect the citizens of the United Kingdom. As we heard from a number of industry experts, one of the best ways to do that is to introduce a minimum period for which these products should be subject to security updates. For that reason, I hope the Committee will support the new clause.

Again, I thank the hon. Member for his suggestions, and I always appreciate the intention behind what he is trying to do. On this matter, we have been consulting with experts throughout the development of the legislation. As he will be aware, a lot of the details about how we shall regulate these products will come in secondary legislation. Here, we are taking broad powers so that, as the technology develops, we can tweak them as things change. We are also considering a wide number of products that will be in scope.

We do not want to take specific powers at this stage, and, as I mentioned in relation to the hon. Gentleman’s amendment 6, which we debated last week, it is important that the legislation retain the flexibility to adapt to and reflect the changing threat and technological landscapes. We have consulted widely on the legislation, and will continue to do so where new requirements are appropriate, but committing the Government to working on requirements framed using terminology that may seem appropriate today could limit the security benefits of such a requirement in the future.

As I reassured the hon. Member last Thursday, we are committed to introducing security requirements based on the first three guidelines of the internationally recognised code of practice for consumer internet of things security. Those will include a requirement for manufacturers to be transparent about the time for which products will be supported with security updates. At its core, that approach demonstrates a shift towards clear transparency that can inform the consumer when purchasing a relevant device. We know that many consumers are security conscious, but, as things stand, not enough manufacturers make that information readily available to them.

Data from Which?, which the Committee heard from last week, highlights that less than 2% of assessed products had clear information on the length of time for which they would receive security updates. We are using legislation to increase the availability of information to UK consumers, so that they can make their own purchasing choices with a clear understanding of security. As consumers learn more, they will expect more, and we hope that that will drive the market approach to embedding minimum periods for security updates. Last week, the Committee heard from Which? that some consumers might be continuing to pay for their devices even after security updates are available to them. That is exactly the kind of thing we want to avoid, and we think that transparency is the key to raising consumer awareness.

As manufacturers raise the bar to the appropriate level, we anticipate that more and more will do the same as a result of that shift to transparency. Should manufacturers fail to respond in that way, the Government may, in the future, consider that there is a case for setting out a requirement for certain products to be covered by minimum security periods. That is all part of the flexible approach we are keen to take to legislation to ensure that our requirements reflect the realities of technologies and the wider market.

Additionally, I have concerns that the new clause would commit the Government to unnecessary work that would only need to be repeated following the implementation of the initial requirements, before a substantiated case for this additional requirement could be made.

For those reasons, I am not able to accept the new clause. We are taking broad powers and a lot of details will be looked at when we consider secondary legislation. We will be looking at this issue as these products develop. If we think that a requirement for the hon. Member’s minimum period comes about, we will look at the issue again. At this stage, though, I hope he will consider withdrawing his new clause.

I have listened carefully to what the Minister has said. For the record, I agree with her about increasing the availability of security information for consumers. I am concerned that the figures are so low regarding the public’s understanding of the cyber-security arrangements when buying goods, whether that be a smart toothbrush—that was an education to me a few months ago when I was being lobbied on the Bill—or what data our smart fridges hold on us. Such information is a revelation, although I should probably know better as the shadow Minister.

The new clause is about a consultation for minimum periods and I accept that there is secondary legislation linked to that. However, as the Opposition, we have an obligation, particularly following the evidence from Professor Carr, to make clear what we think should happen regarding a simple consultation by the Secretary of State on the imposition of minimum periods for purchasing; and the Committee can make that clear in a separate decision.

Question put, That the clause be read a Second time.

Question proposed, That the Chair do report the Bill, as amended, to the House.

On a point of order, Ms Nokes. I thank all Committee members for a constructive and cordial debate throughout, including in the evidence sessions. I thank the Clerks, particularly for answering my team’s never-ending questions. As new members of staff for me who have been flown into a new Bill, James Small-Edwards and Alex Williams have been superb. I thank you, Ms Nokes and Mr Stringer, for your chairpersonship across the sessions—and, of course, the Doorkeepers, who have spent all their time running through the room as I am calling for Divisions.

Question put and agreed to.

Bill, as amended, to be reported.

Committee rose.

Written evidence reported to the House

PSTIB17 Dan Patefield, Head of Programme, Cyber and National Security; and Sophie James, Head of Programme, Telecoms and Spectrum Policy, techUK (supplementary submission)

PSTIB18 Palo Alto Networks

PSTIB19 CyberUp Campaign

PSTIB20 Protect & Connect