Committee (1st Day)
Relevant document: 4th Report from the Delegated Powers Committee
Clause 1: Duty to take security measures
1: Clause 1, page 1, line 11, at end insert—
“(1A) The duty under subsection (1) includes a duty to review—
(a) vendors of goods or services to public telecommunications providers which are prohibited in other jurisdictions on security grounds, and
(b) the reasons for such a prohibition.”
In moving Amendment 1 and speaking to Amendments 20 and 27, I first thank the noble Lords, Lord Blencathra and Lord Coaker, and the noble Baroness, Lady Northover, who have signed one or all of the amendments. This is a clear signal from across the Committee that the Bill must be strengthened to deal, first, with companies that have been banned in other jurisdictions, secondly, the need to dig deeper into the ownership and investment of companies and, thirdly, the desirability of acting in concert with our allies in Five Eyes.
These amendments sit comfortably alongside the call that we heard at Second Reading for additional parliamentary scrutiny, which the Intelligence and Security Committee has called for. At Second Reading, the noble Baroness, Lady Morgan of Cotes, said that we should focus on what other nations are doing:
“we have allies around the world and will want to be able to work with other companies and countries around the world to make sure we have that diversity of the supply chain.”—[Official Report, 29/06/21; col. 716.]
On 30 November 2020, the Secretary of State told the House of Commons:
“We must never find ourselves in this position again. Over the last few decades, countless countries across the world have become over-reliant on too few vendors”.—[Official Report, Commons, 30/11/20; col. 75.]
During our debate, the noble Lord, Lord Young of Cookham, told us:
“Other countries in the free world face the same challenges as the UK”.—[Official Report, 29/06/21; col. 718.]
The noble Baroness, Lady Stroud, urged us to work
“in close partnership with our Five Eyes allies”,
reminding us that
“We have known that Huawei is a security risk since 2013.”—[Official Report, 29/06/21; cols. 726-7.]
That should enable us to avoid what the noble Baroness, Lady Merron, described as “another costly security debacle”. My noble and gallant friend Lord Stirrup told us that we
“need to develop an approach ... that constantly monitors and rebalances this equation in the context of our complex and dynamic world.”—[Official Report, 29/06/21; col. 715.]
These amendments seek to address many of those points.
At Second Reading, noble Lords referred to companies that have caused security concerns in other jurisdictions, including Huawei, TikTok, ZTE Corporation, which the Government have named a high-risk vendor, Hytera Communications Corporation Ltd, Zhejiang Dahua Technology Company Ltd and Hangzhou Hikvision Digital Technology Company Ltd. I will return to Hikvision later. The noble Lord, Lord Fox, said that the Bill’s headline is
“a ban on the purchase of new Huawei equipment”.—[Official Report, 29/06/21; col. 711.]
Like the noble Baronesses, Lady Northover and Lady Bennett, he referred to the genocide against Uighurs in Xinjiang. I serve as vice-chair of the All-Party Parliamentary Group on Uyghurs and am a patron of the Coalition for Genocide Response. Following the House of Commons’ decision to name a genocide in Xinjiang, only last week the Foreign Affairs Committee published a damning report calling for a much stronger response from the Government. These amendments, like those to the Trade Act, which the House passed with three-figure majorities, are a modest attempt to force that stronger and effective response.
The noble Lord, Lord Blencathra, has frequently pointed to the way Chinese companies can fundamentally compromise our infrastructure and, through subsidies, asphyxiate UK industry. The one billion lateral flow tests that we have bought from the CCP are a glaring example. These amendments specifically address the telecommunications sector, but they provide a road map that could be emulated in other strategic sectors.
Finding ways to protect our strategic industries has never been more important. Last week, we learned that, in a deal estimated to be worth £63 million, the Newport Wafer Fab, the UK’s largest producer of semiconductors, has been acquired by the Chinese-owned manufacturer Nexperia. Nexperia is a Dutch firm but is owned by China’s Wingtech. Newport Wafer Fab is the UK’s largest producer of silicon chips, which are vital in products from TVs and mobile phones to cars and games consoles.
This acquisition is happening during an increasingly severe global shortage of computer chips. Kwasi Kwarteng, the Business Secretary, said that the Government are monitoring the situation closely, but do
“not consider it appropriate to intervene at the current time”.
When she comes to reply, perhaps the Minister could tell us why it is not appropriate, when the right time would be to protect a key national asset, and whether, following the Prime Minister’s subsequent expression of concern, the acquisition is being reviewed under the National Security and Investment Act, which at Second Reading we were all told would protect key national assets from dangerous foreign takeovers.
There is a lamentable lack of strategic coherence or consistency in our approach. On one hand, we have the noble Lord, Lord Grimstone, saying that he wants to deepen trade deals with China, while the Foreign Secretary tells us that slave labour in Xinjiang is “on an industrial scale”. We have the integrated review telling us that China is a threat to the United Kingdom, but the Business Secretary telling us that it is not appropriate to do anything at the present time.
This predatory absorption of our semiconductor industry is inimical to the material interests of our technology companies and to national security. Our Committee should consider carefully what is at stake here and why these amendments are so very relevant. Have the Government examined what is happening within the same sector in other jurisdictions, for instance? What assessment has been made of the dependency of United Kingdom manufacturers on China for imports of critical technologies such as semiconductors and semiconductor devices? The applicability of these amendments, by generating a review of other practices in other regions, is of course self-evident. We are starting with telecoms, but the same lessons apply across the board.
I also want to pursue an issue which the noble Lord, Lord Fox, and I raised at Second Reading. The Minister was asked about companies that operate and own CCTV security networks. UK local authorities are reviewing contracts for CCTV equipment made by Hikvision. This is being used to enforce China’s surveillance state in Xinjiang, but it is also operating CCTV equipment the length and breadth of Britain. Is that wise? Hikvision is banned in the United States but not here. I put a simple question to the noble Baroness at Second Reading, and I put it again: why not?
Last week in its report Never Again: The UK’s Responsibility to Act on Atrocities in Xinjiang and Beyond, the Foreign Affairs Committee said:
“Cameras made by the Chinese firm Hikvision have been deployed throughout Xinjiang, and provide the primary camera technology used in the internment camps.”
The committee heard concerns that facial recognition cameras made by companies such as Hikvision operating in the UK—I repeat: operating in the UK—are collecting facial recognition data, which can then be used by the Chinese Government. Dr Hoffman, who was one of the witnesses giving evidence to the Select Committee, said that Hikvision cameras are operating “all over London”. The committee said:
“Independent reports suggest that Hikvision cameras are operating throughout the UK in areas such as Kensington and Chelsea, Guildford, and Coventry, placed in leisure centres and even schools.”
The committee concluded:
“Equipment manufactured by companies such as Hikvision and Dahua should not be permitted to operate within the UK. We recommend that the Government prohibits organisations and individuals in the UK from doing business with any companies known to be associated with the Xinjiang atrocities through the sanctions regime. The Government should prohibit UK firms and public sector bodies from conducting business with, investing in, or entering into partnerships with such Chinese firms”.
So will we? It would be good to hear from the Minister.
In parenthesis, the committee also registered concerns about
“substantial research connections between the Chinese organisations responsible for these crimes and UK universities”,
and said that,
“the role of advanced technologies in the use of oppression in Xinjiang cannot be ignored.”
At Second Reading, the Minister referred to the report into export licences. The Select Committee complains that
“the Government has not made clear when the urgent export review will be concluded. The crisis in Xinjiang is far too urgent for delay.”
Again, it would be good to hear from the noble Baroness on that specific point about export licences. Can we at least be told what plans the Government have to impose import and export controls on firms linked to China’s military-civil fusion programmes? Are we acting in concert with our allies, as these amendments require, over Hikvision? As in the US, will this Bill be used or amended to enable us to ban it?
The Select Committee also referred to our duties under the Modern Slavery Act 2015. I refer to my interests as a trustee of the Arise Foundation. The committee report says:
“the issue of forced labour in Xinjiang is pervasive, widespread,”
“In the Government’s own words, ‘no business can consider themselves immune from the risks of modern slavery’.”
This, too, is information that has been assessed in other jurisdictions and deemed to raise ethical and security issues of which we should make ourselves aware, as these amendments would require us to do. I can think of no compelling reason, other than vested interests, as to why we would not want to know what other jurisdictions are doing about these issues.
I turn again to telecoms. The argument for more concerted action was put well, in the context of Huawei, by Senator Marco Rubio, who said:
“Rejecting Huawei would not mean the UK going it alone, but joining a coalition of like-minded countries determined to ensure effective, market-based alternatives to Huawei are available.”
He is right. Have we examined this? Are we doing the same?
As long ago as 2018, the US put in place a block on ZTE, China’s second-largest maker of telecommunications equipment, because of violations of sanctions against Iran and North Korea. It has designated ZTE as a “national security threat” with government telecommunications funds banned from buying equipment from ZTE. Are we doing the same? In April, the Department of Commerce added seven Chinese supercomputing entities to the list, with Gina Raimondo, the US Secretary of Commerce, insisting that
“The Department of Commerce will use the full extent of its authorities to prevent China from leveraging U.S. technologies to support these destabilizing military modernization efforts.”
The US has gone further in examining investments, as these amendments do. Proposed new Clause 15 would require us to examine what others are doing in this respect. President Biden has issued an executive order banning US investors from trading shares in China Mobile, China Unicom and China Telecom. The list of firms in which US firms cannot invest comes to more than 60. I will not read out the full list today, but I have sent it to the Minister, who has kindly acknowledged receipt, for which I am grateful. Among those firms listed are a number specifically connected to surveillance technology including China Telecommunications Corporation, China United Network Communications Group, Hangzhou Hikvision Digital Technology, Huawei Technologies, Semiconductor Manufacturing International Corporation, China Mobile Ltd and China Telecom Corporation Ltd.
However, it is not just the US. Australia is another of our closest allies and a core member of Five Eyes, which is specifically mentioned in these amendments. In blocking a A$300 million takeover offer by China State Construction Engineering Corporation, Australia cited national security grounds. As long ago as 2016, Australia forbade a deal on the basis that China’s subsidies rendered it difficult for Australian bidders to make a competitive bid, with the Treasurer saying that it may be
“contrary to the national interest”.
In 2020, the Guardian Australia reported links between companies operating in sensitive sectors including the national science research agency and technology companies and operatives from the Chinese intelligence agencies, with one reported as having ties to the CCP’s United Front Work Department, a foreign-influence body described by President Xi Jinping as an “important magic weapon”.
Future threats to the UK’s telecommunications network may not come from as high-profile global brands as Huawei. It is vital that the UK takes into account the experiences and views of its allies when considering the risks associated with a certain vendor or operator. That is what these amendments require us to do. Co-ordination with allies bolsters UK security. Co-ordination with allies protects against threats from China. Failure to take a co-ordinated approach with key allies on telecommunications security undermines the functioning of long-standing security arrangements that protect the UK’s security interests. Recall, too, that US officials warned that the UK’s failure to ban Huawei could have jeopardised Five Eyes intelligence-sharing arrangements.
These amendments will ensure that the views of key allies will be taken into account in reviewing the threats posed by high-risk vendors. Bear in mind, too, that failure to co-ordinate with allies leads to costs—a point made by my noble friend Lord Erroll on Second Reading—and uncertainty for business. Standing together will also help us to see off the threats which the CCP makes, such as telling us that banning Huawei from the 5G network would cost Britain dearly in investment. Similar threats have been made against Germany, Australia and Sweden as they considered taking action against Huawei’s security risks.
Taking a co-ordinated approach with allies will help to protect against these threats, making it harder for the Chinese Government to single out any one country for retaliation. Earlier collective action could have prevented the later expensive U-turns. The Government’s own estimates calculate that belated Huawei decisions cost £2 billion, excluding the broader economic cost of the delayed rollout of the 5G network caused by changing policies. Belatedly and at great cost, that was the right thing to do, but let us not make the same expensive and dangerous mistakes again. The amendments seek to better protect our national interests in concert with our allies in the free world. I beg to move.
My Lords, we move into the scrutiny of the Bill, which seeks to balance the need for the United Kingdom to be at the forefront in technological development and connectivity—requiring the fastest and most efficient broadband, for example—with the need to ensure that we do not inadvertently open ourselves to malicious actors or states as we do so. It is therefore appropriate that the first group of amendments seek to strengthen the security side, recognising the complexity of modern threats. The noble Lord, Lord Alton, has as ever laid out the case extremely clearly and in detail, and I look forward to the noble Baroness, Lady Barran, replying as comprehensively. He has long made sure that in the Lords we delve deeply into these issues as we challenge the Government and hold Ministers to account.
These are sensible amendments intended to set the Bill in the context of what our allies are doing, drawing from their knowledge and experience and, as the noble Lord said, most importantly, working together. They propose actions that should be happening anyway but which we know can be easily set aside or overlooked as Governments address many pressing issues. Amendment 1 includes a duty to review telecoms vendors
“which are prohibited in other jurisdictions on security grounds”.
It is important that we both learn from other jurisdictions and act together. We have seen how China, for example, seeks to pick off states, as in its recent threat to ban Australian beef on the basis of what it had judged to be interference in its internal affairs. We also saw the Foreign Minister of New Zealand at first indicate that her country should go its own way in relation to China, clearly worried about China’s possible actions, before stepping back from that position in recognition of the fact that we really are stronger together.
There are clear risks. We see Canadian citizens used as pawns in a wider concern about Huawei. As China becomes ever more dominant economically, and under its current leadership, resistance to its positions will become ever more difficult. We have been unable even slightly to hold it back in relation to Hong Kong, and it is therefore vital that like-minded countries work together. Therefore, there are two reasons for seeing what other like-minded countries are doing: first, to see what risks they identify and, secondly, to decide whether we should act together, as we would hope they would act when we saw risks. We are of course in a weaker position globally as we are out of the EU, which has strength in numbers and economic power.
Amendment 20 would expand the powers to include ownership or investment, and this clarifies further where risks might be; for example, through the investment clout of certain players. This is clearly vital.
Amendment 27 would require the Secretary of State to review the UK’s security arrangements with countries banned by a Five Eyes partner and decide whether to issue a designated vendor direction or take similar action with regard to the UK’s arrangements with that company. This updates previous legislation where this risk was not so apparent as it is now, with the hugely increased economic and other associated power, for example, of China. Of course, the Five Eyes of the US, Canada, Australia, New Zealand and the UK are very much aligned on this. Certainly, the risks identified by the Five Eyes should be front and centre in our thinking. I would say that we should add in the EU. Had we still been in it, we would have had that major sphere of influence to strengthen our position further. That makes these amendments even more important.
As the noble Lord, Lord Alton, laid out, we have become very dependent on China in many areas. That is true not only in the area of the Bill but in the new green industries, for example. We need to be much more strategic than we have been in this regard up to now. As he also set out, we cannot build our business on human rights abuses even up to genocide.
I am sure the Minister will say that these amendments are not needed as all these actions will be taken, but they are tabled to make sure that they are. We know that this has not happened adequately up to now; we need to strengthen the Bill, as the noble Lord, Lord Alton, has stated. I therefore look forward to the Minister’s reply.
My Lords, I apologise to my colleagues that I was not able to speak at Second Reading. I am quite clear, as I suspect we all are, that the security of the UK’s telecoms infrastructure is vital. Sadly, we come pretty late to the scene. The expansion of 5G and full-fibre broadband should have happened years ago, so this is not before time.
I read economics at Cambridge and looked at a number of aspects of economic expansion there, particularly in relation to business sectors. It is all very well saying that we will try to prevent the supply chain to the UK network being dependent on a limited number of suppliers. That may be a good idea in theory, but I just reflect that we have a national grid which is every bit as important as 5G; we have one or two aircraft manufacturers, and we have a couple of shipyards, so I just wonder whether there are a whole lot of suppliers out there for the telecoms world—there will be others who are better qualified than me to judge that. However, it is clear that we need to identify areas of risk, and Huawei is clearly one of them.
I would just ask a couple of simple questions. The noble Baroness, Lady Northover, mentioned Five Eyes. Is there a co-ordinating structure for Five Eyes in relation to this particular structure? If so, where is it based, what is our contribution to it and who exactly is doing it?
Some of our colleagues may have read the recent trading standards report that has just come out—I read it only last evening. A massive number of scams is happening at this point in time and we are dealing with the trouble they cause.
Amendment 20 refers to
“a specified country or … sources connected with a specified country, including by ownership or investment”.
I have worked overseas, including in a fair number of countries in south Asia such as Pakistan, India and Sri Lanka, so I ask: who on the ground will actually be doing the work? Quite frankly, I know of nobody in any of our high commissions capable of doing that sort of analysis. Do we have a floating investigatory system? How are we going to judge the evidence properly?
On Amendment 27, we need to take care, clearly, but we must recognise that there may be a valid opportunity in a company that has upset the host Government. You and I would not know the situation, but we should be aware of that fact.
I am a bit sceptical about the security check. I made a freedom of information inquiry—it was nothing to do with telecoms—and, at the end of the day, the reason given for not producing all the evidence following my FoI request was the security of the country. It was never explained in words of one syllable—or indeed in any syllables at all—what aspect of my inquiry would affect the security of the UK. I would like to know this from the Minister: are we relying on Five Eyes or are we relying on Ofcom? Who is it specifically that will be doing this analysis?
My Lords, I want to say a few words on this. It is highly relevant that we keep a close eye, but on all vendors, including the ones that may seem okay at any given moment—the world keeps changing. I am not an apologist for, and nor do I wish to promote, China in any way whatever, but it happens to be there and it happens to have ripped off a lot of Cisco stuff a few years back and improved it. The Japanese did this to our cars, many years ago—nothing changes.
The real problem is that we do not manufacture this sort of stuff here; some of it is manufactured in Europe, and of course we are no longer part of that, but does that matter anyway? We are reliant for the supply of all this electronic equipment, and the components—such as chips, which I mention specifically—on China and many other places. The Americans also rely on China to manufacture components which they then put in their equipment. We had a security compromise a few years ago, when compromised components were put into some Cisco equipment. It is more complex than trying to ban one company or one country. But there are not many alternatives for us here, and that is the real problem. We need to get some home-grown stuff going and we need to get it done very quickly if we want to be really secure.
What are we going to do about it? The thing that worries me is that you cannot assume that your allies are always your friends in everything. We have to be particularly careful of being dragged into a trade war under the cover of security or defence—and this does happen. The cost of this whole thing is not so much that Huawei will try to cause us problems in some way unknown if we remove it from our system completely; there is the other side of it. If its technology is working and is better, and we can make sure in various ways that we are secure against what Huawei might do, its technology might get us to where we need to be in an internet world a lot quicker. I notice that we have already delayed quite substantially the rollout of broadband everywhere and 5G—everything seems to be stalling because of these rows, which to me are trade rows.
I fully understand the points of the noble Lord, Lord Alton, about supporting regimes that are doing appalling things around the world. The trouble is that there are an awful lot of them. Take the situation he mentioned, to do with cameras. It is actually the software that does the facial recognition, not the camera; it is purely a bit of hardware that takes a very good, high-quality photograph, and there are many alternatives to it. Who is supplying that facial recognition software? That is where I would really target, and I would bet it is China. If there are bits that are useful to us, we need to use them. We need to stay in the world and we need to get ahead. We are not ahead and we are going to drop behind more and more.
The other difficult thing about picking a fight with China is that, if we are really going to go net zero and start going all electric in the next few years, lithium supplies and processing are from China. There is already a shortage of chips and other things in the automotive industry; I am sorry, but we are reliant on an intertwined global supply chain which stretches all over the place. We must be very careful about singling out one country, but we are—and that is why the amendment is useful. We must have something that says that we are keeping a proper eye on the whole lot of them.
This is an interesting debate—one that we started about a year ago. During the summer, on the then Telecommunications Infrastructure (Leasehold Property) Bill, many of these arguments were rehearsed. This Bill was held out, in a sense, as the carrot that would address these issues, and it has been some time coming.
To some extent, the initial issues that came up last year have been discounted, with the Government largely moving on the Huawei issue. However, as we have heard—and will hear over the course of Committee—many questions are unanswered. We should once again thank the noble Lords, Lord Alton and Lord Blencathra, and my noble friend Lady Northover for bringing forward these amendments, as well as the noble Lord, Lord Coaker. I will be interested to hear his perspective as, having been a Minister, he understands some of the trade-offs in decision-making—it is interesting that he chose to sign this amendment none the less.
I thank the noble Lord, Lord Naseby, for his Second Reading speech. He could not give it to us at Second Reading, so we got it anyway. There are some issues around industrial capacity which I will come back to.
The noble Earl, Lord Erroll, picked up a point on which I queried the Minister and did not get a response: at what point are we examining this technology? You have systems, sub-systems, components and software. Frankly, if we are doing this, it must be done at all levels. The capacity to do that and track a chip, a piece of software or something in the software which we do not even know is supposed to be there is a huge task. Do we have the capacity in the intelligence services, and the industrial ability, to do it? It is a very important question, as there is not much point having this if we cannot actually do it.
Before speaking to Amendments 1 and 20, I will say a few words on Amendment 27, the Five Eyes element. As we know, this requires the Secretary of State to review the UK’s security arrangements with companies banned by Five Eyes partners and to decide whether to take similar action on the UK’s arrangements with those companies. As I think my noble friend Lady Northover said, the Minister will no doubt say that we do this anyway. If we do this anyway then, to some extent, we should not be afraid of putting it in the Bill. It is important that we walk in as lock-step a way as we can with our Five Eyes partners, but the point of the noble Earl, Lord Erroll, is apposite; China understands that and will play the Five Eyes against each other. We must be aware of that; we must not be slavish in how we respond but canny, and work with our partners so that they understand why we are moving in the right direction.
Again, this comes down to capacity. The noble Lord, Lord Naseby, asked who does it. The NCSC is supposed to provide the ammunition for the Secretary of State and Ofcom to operate on. There are big questions around the interface between the NCSC and Ofcom and how they relate to each other. How, for example, does the highly secret information the NCSC is dealing with get to DCMS and Ofcom without either breaching security or eroding transparency, or both? We have big concerns about that, and obviously it will come up later.
The noble Lord, Lord Alton, raised Newport Wafer Fab, which until recently I thought was an ice cream firm somewhere in Aberystwyth. However, now I find that, as he set out, it is our only supplier of this equipment. That is an object lesson in itself but it is also completely appropriate to this point. In its response, BEIS confuses manufacturing capacity with technical novelty and has the idea that, because this is not technically novel, that somehow stops it from being valuable to this country. However, manufacturing capacity is central to the delivery of future technical novelty, and if you want somewhere to look, look at the communications industry. We were pre-eminent global leading companies in analogue communications technology; no country could match us. We lost that manufacturing capacity and the ability to innovate in the digital space, and that is why we have the supply chain issues we have today. If the Government have not learned this lesson, and it seems that BEIS has not, we have a long way to travel yet before we get to a sensible place.
In a sense we have heard from the noble Lord, Lord Alton, and others about specific issues but I would like to rise up a bit and look at the bigger picture slightly. In his Mansion House speech on 1 July 2021, Rishi Sunak crystallises the challenge and perhaps the dichotomy, and points us in a number of different directions at the same time. Your Lordships must excuse me, but I will read out a fairly lengthy passage which is appropriate to this debate. He says:
“And our principles will also guide our relationship with China. Too often, the debate on China lacks nuance. Some people on both sides argue either that we should sever all ties or focus solely on commercial opportunities at the expense of our values. Neither position adequately reflects the reality of our relationship with a vast, complex country, with a long history. The truth is, China is both one of the most important economies in the world and a state with fundamentally different values to ours. We need a mature and balanced relationship. That means being eyes wide open about their increasing international influence and continuing to take a principled stand on issues we judge to contravene our values. After all, principles only matter if they extend beyond our convenience. But it also means recognising the links between our people and businesses; cooperating on global issues like health, aging, climate and biodiversity; and”—
here we come to the rub—
“realising the potential of a fast-growing financial services market with total assets worth £40 trillion”.
What does a mature, balanced relationship look like in context? How nuanced are the examples that we have just heard about the Chinese? First, we can see that because of advanced concerns around the security of at least one Chinese vendor, the UK Government are mandating equipment to be torn out of our existing infrastructure and thrown away at the cost of several billion pounds. That is not a nuance. Secondly, we have heard from the noble Lord, Lord Alton, this time and previously, and we have seen the evidence of malevolence within China to its own people on a scale that is, let us say, unusual even for the age in which we live. Thirdly, we can see transparently what is going on in Hong Kong. That in itself is not a nuance either. Fourthly, we have the Chancellor’s stated desire to realise the potential of a fast-growing financial services market.
All this is the context in which Amendments 1 and 20 have been tabled. This gives the chance for the Minister to explain where she and the Bill sit on that nuanced scale, as the Chancellor puts it. He clearly sets out that the Government’s principles will guide our relationship with China, so what are those principles?
My Lords, this is my first Grand Committee appearance, and I hope that I do not disappoint the noble Lord, Lord Fox. I have been in a number of committees, but not at this end of the building. I am still getting used to some of the processes and procedures, but I am very pleased to be speaking on this Bill.
From our perspective, the Bill is very welcome. The Government are clearly addressing a very real security concern that our nation has, and, in trying to deal with it, have not just my support but that of every single Member of the House of Lords. It is our country, and we want it looked after and defended properly. Many of the amendments and the comments that have been made so far today, and which will be made throughout the Committee and no doubt at Report and beyond, are about challenging the Government, not from an oppositional point of view but from one of trying to improve the legislation. We want to ask the Government testing questions to see where their thinking is. That is what all the various speakers have done so far today.
There are a number of particular issues. As others have said, the amendments in this group, from the noble Lord, Lord Alton, deal with the international context for the security of the telecommunications sector, however you define that. This is really important, because it affects—not infects—every single part of our lives. The noble Lord, Lord Alton, gave the example of Hikvision and CCTV. Whether it is the hardware or the software, this demonstrates that there are examples of new technology and telecommunications which impact on all our lives but which many of us probably do not view as causing a potential security threat to our country and nation. We have only to look at where that is going—whether you look at this sphere or the defence sphere—to know that we are going to see an increase in telecommunications, and in the use of space, drones, artificial intelligence and all those sorts of aspects.
One thing that I will talk about in other debates on other amendments is how you future-proof this—and that is part of some of the later amendments. Hikvision, which the noble Lord, Lord Alton, raised, is an interesting instance. At the nub of it is that, if our allies, who we depend on for our collective security, are banning companies such as Hikvision, as in the United States, how is it in our interests to defend our own security to not do the same? It is unfair to say that it has not been thought about, but there is something of a disjointed approach when one of our closest allies—if not our closest—has banned a tech company that we use. I am sure that there are very good reasons for it, and the Civil Service and others will no doubt tell the Minister X, Y and Z, but it defies common sense. Whatever the reality of it, it just does not appear to be a sensible option, so I very much support the example that the noble Lord, Lord Alton, gave. That is one of the reasons why I added my name to Amendment 27.
With regard to NATO and Five Eyes on a domestic and international level—I shall return to this point on Amendments 18 and 25—who actually holds the ring? Who is the person or what is the department that co-ordinates all this activity across government? Who holds the ring across government? You could say that it is the Prime Minister, but the Minister will know what I mean. Out of all the various aspects of government, who actually in the end decides? And if there is a conflict of interest between them, who then is the judge of that and how does that work on an international level? But as I say, that is more to do with Amendments 18 and 25.
Amendment 27 in particular, as I said, ensures a review of telecoms companies when a Five Eyes partner bans the operation of a vendor of goods or services to public telecommunications providers in its country on security grounds. That is eminently sensible. It is a review. The amendment is, essentially, testing the Government by asking, “Why wouldn’t you have a review?” Why would you not—to use a security term—keep that under surveillance?
We know that the Government are seeking closer co-ordination. As other noble Lords have mentioned, the integrated review states that
“Under the provisions of the Telecommunications (Security) Bill … we will … work with partners, including the Five Eyes, to create a more diverse and competitive supply base for telecoms networks.”
How will this legislation support the strategic objective as identified in the integrated review, which itself says that we need greater co-ordination? How will the Bill deliver that, and how is the work going on that? How is work with the DCMS going to deliver the strategic objectives the integrated review said are essential to broaden the supply base, but also to ensure that we meet the security needs of our country? Can the Minister confirm directly whether the Government are pursuing, or are about to pursue, a joint network security standard across the Five Eyes? There would be some differences, but that would seem reasonably sensible to me.
I thank the noble Lord, Lord Alton, for Amendment 20 in particular. I know the work he has done campaigning on human rights—we saw that in his impassioned speech about the Uighurs, and so on—and his reputation in this area. We stand shoulder to shoulder with him with respect to the Uighurs and other Turkic Muslim minorities, whose persecution by the Chinese Government has been widely and credibly reported. Everyone here would say that that is simply and utterly unacceptable, but it calls into question what we do about it.
I know that the noble Lord is working to see whether the Modern Slavery Act can be strengthened in that respect. Does the Minister have any knowledge of that? I should declare an interest: I am a trustee of the Human Trafficking Foundation and, as in the register of interests, do some work with the Rights Lab at the University of Nottingham with respect to that. Can the Minister give us an update on the Modern Slavery Act and on when she would expect any legislative changes to come forward?
To finish, ultimately, this group demonstrates how the Bill, which is extremely important domestically, must be placed in an international context. I know the Minister will agree with that, but the amendments seek to test her and tease out detail. She will no doubt have advice to say that this is all unnecessary and that the Bill already deals with these issues, but the concerns being raised across the Grand Committee Room this afternoon, as they were at Second Reading, and from others who have made representations to us, show that international context is everything. Of course we secure our own domestic security arrangements, but that international security context, whether with Five Eyes or beyond—particularly if we try to future-proof the Bill and try to understand what will happen in space and how we achieve security with it—is a challenge.
I know the Minister a little, but, from her reputation, I know she will take on board the points being made here. I hope she understands that we are all trying to improve and strengthen the legislation, which all of us broadly support.
I thank all noble Lords for these amendments, which seek to strengthen the resilience of our telecoms networks by putting a new monitoring requirement on providers in relation to vendors in other jurisdictions, adding to the list of matters to which a requirement in a designated vendor direction may refer, and requiring the Secretary of State to review decisions taken by Five Eyes partners to ban vendors on security grounds.
We recognise the aim of having a comprehensive approach to telecoms security that includes the provider and government. The Bill follows this approach. A number of your Lordships said that I could be advised that the amendments are not unnecessary, but one issue the amendments raise is that of clarity of responsibility in the Bill. We believe genuinely that these amendments would blur some of that clarity.
The Bill as drafted is clear that it is the responsibility of government, not public communications providers, to set security duties and to designate vendors who pose a national security risk. In doing so, the Government, via the National Cyber Security Centre and other agencies, will monitor companies globally, including, of course, in the Five Eyes countries. It is then up to the providers to implement the security duties placed upon them and to comply with any designated vendor directions issued to them.
Amendment 1 in particular risks blurring these lines of responsibility and requiring telecoms providers to spend disproportionate resources on monitoring vendors internationally. This amendment seeks to place a new duty on public telecoms providers to review vendors of goods or services to those providers which are prohibited from other jurisdictions on security grounds, and to review the reasons for the prohibition. This would require public telecoms providers to monitor the policies and regulations of all other jurisdictions to understand whether those jurisdictions had banned certain companies from operating. This would be an onerous, disproportionate duty to place on industry.
Furthermore, in some cases, it may be impossible for telecoms providers to comply with the duty. The amendment states that telecoms providers must review the reasons for a vendor’s prohibition from a jurisdiction. As noble Lords will be aware, many jurisdictions have opaque decision-making processes, where it may be difficult, if not impossible, for telecoms providers to review the reasons for the prohibition of certain companies. Moreover, new Section 105A, which is inserted by Clause 1, places a strengthened overarching security duty on public telecoms providers. This duty is centred on an appropriately future-proofed definition of security compromises. Clause 1 therefore already ensures that telecoms providers undertake appropriate risk management to guard against any relevant threats to network security. In the light of this, I do not consider that this amendment is either proportionate or necessary, given the burden that it would place on telecoms providers and the duties already contained in the Bill.
Amendment 20 seeks to clarify that a requirement in a designated vendor direction may make provision by reference to the sourcing of goods, services and equipment from a specified country, or from sources connected with a specified country. While it is important that we protect our networks from the threats posed by hostile state actors, I do not consider this amendment to be necessary. As currently drafted, the Bill already allows for requirements to be included with provisions relating to the “source” of goods, services and facilities supplied by a designated vendor. I would consider that countries, and sources connected to countries, would already be captured by this wording.
Further, the list of matters that the noble Lord seeks to amend is explicitly non-exhaustive. The Bill is clear that the provisions of a requirement may refer to matters other than those listed in the Bill. It is therefore already possible for a requirement in a direction to refer to the country from which goods, services and facilities are sourced, if the Secretary of State considers that such a requirement is necessary in the interests of national security and proportionate to the aim that is sought to be achieved. As such, this amendment would not achieve anything that is not already possible under the provisions of the Bill as drafted.
Amendment 27 seeks to add a new section to the Communications Act 2003. This amendment would require the Secretary of State to review decisions taken by Five Eyes partners to ban telecoms vendors on security grounds and consider whether similar action is required in the UK.
A number of Members of the Committee, including the noble Lords, Lord Alton and Lord Coaker, and the noble Baroness, Lady Northover, stressed the importance of co-operation. She asked whether this was happening anyway. The short answer is that it is. The UK is already committed to a close partnership, and engages regularly with the Five Eyes. The UK’s telecom networks face similar challenges to networks in other countries.
The Government have engaged with partner countries on the approaches to high-risk vendors throughout the drafting of the Bill and will continue to do so once it is passed. I reassure the Committee that we are in regular contact not only with the Five Eyes nations but with other key partner nations—for example, Japan, France and Germany, to name but a few. Therefore, a requirement to review their decisions to ban a high-risk vendor and consider whether to issue a designated vendor direction in the UK would be unnecessary.
The noble Baroness, Lady Northover, asked more broadly how we worked with other countries in relation to national security. We have always maintained that each country needs to implement the mitigations that are right for their national circumstances. Of course in practice, Governments are adopting similar measures to address the risks, and adapting them to meet their own national circumstances. For example, the Netherlands, Germany and Australia have all either adopted or are planning to adopt security measures comparable to those set out in the UK’s draft secondary legislation, which the Bill would allow us to implement.
In July 2020, following advice from the National Cyber Security Centre, the National Security Council considered the impact of US sanctions in relation to Huawei. It considered that further action was needed, as the new US restrictions made oversight of Huawei products significantly more challenging and potentially impossible. That is another example of how the UK already regularly reviews security advice and requirements in response to international considerations.
Some of the issues raised were closely linked to the Bill, while others were slightly less so. The noble Lord, Lord Fox, asked how Ofcom and the NCSC would work together in practice. To formalise the relationship between the two organisations, they are in the process of developing a memorandum of understanding and have published a statement, available on the Ofcom website, that sets out the three key principles that they will follow. They are: first, that the National Cyber Security Centre will provide expert technical cybersecurity advice to Ofcom to support the implementation of the new telecoms security framework; secondly, that they will exchange information where necessary and permitted by law; and, thirdly, that the National Cyber Security Centre will continue to provide incident management support during serious cybersecurity incidents, both to telecoms operators and to Ofcom as needed.
The noble Earl, Lord Erroll, suggested that our broadband rollout programme had stalled—forgive me if I misheard—but I do not accept that. We as a Government remain committed to delivering nationwide gigabit and mobile connectivity as soon as possible. We have put in place £5 billion of funding to roll out next-generation gigabit broadband and have already connected more than 1 million hard-to-reach homes and businesses. Despite the pandemic, the expansion has been extraordinary, with 40% of premises now having access to gigabit-capable broadband, which will rise to 60% by the end of this year.
On export and import controls, raised by the noble Lord, Lord Alton, we do not have plans to ban imports from Xinjiang. We advise businesses with supply chain links there to conduct appropriate due diligence to satisfy themselves that their activities do not support human rights violations. Import and export controls are governed by different processes and legislation, and we have announced plans to review export controls, as I know that he is aware.
In relation to ownership of Chinese entities, the UK is a fair and open market for Chinese investment which supports growth and jobs but which adheres to our laws, our regulatory frameworks and our national security requirements. We continually monitor the market for acquisitions from any country, including China, that would undermine national security. The National Security and Investment Act will give the Government broader powers to address those concerns.
The noble Lord, Lord Fox, raised the nuance that my right honourable friend the Chancellor spoke about in his Mansion House speech and asked where this Bill sits. In one sense, it is at the less nuanced end; it is clearly about national security—that is the absolute. As the noble Lord has heard me say too often, it could not be clearer in its intent. Our approach to China remains rooted in our values but also cognisant of our interests as a nation. As has always been the case, where we have concerns we will raise them, and where we need to intervene we will do so.
The noble Lord, Lord Alton, raised the Newport Wafer Fab takeover by Nexperia. I am unable to comment on the detail of the commercial transaction or of the national security assessment. We have considered the issue thoroughly, and the National Security Adviser has now been asked to review the case.
The noble Lords, Lord Alton and Lord Coaker, raised Hikvision. As I said in response to the points raised by the noble Lord, Lord Fox, the Government are absolutely committed to upholding human rights and we have serious concerns regarding the Chinese state’s use of technology in ways that violate human rights and harm individuals and society. Your Lordships will be aware that the Foreign Secretary announced in January a number of measures to help ensure that UK businesses and the public sector are not complicit in human rights violations or abuses in Xinjiang. This includes ensuring that the Government and public sector bodies have the evidence they require to help them exclude suppliers who are complicit in human rights violations in Xinjiang. This should send a clear message to China that such violations are unacceptable.
The noble Lord, Lord Coaker, spoke about the risk of a disjointed approach across national security and where it touches aspects beyond telecoms security. That is a fair challenge, and it was touched on also by my noble friend Lord Naseby, who asked how confident we were that this was well co-ordinated. I think the noble Lord probably understands the role of the National Security Council better than I do; obviously, it is to consider matters relating to national security, foreign policy, defence, international relations and development, resilience, energy and resource security. The Prime Minister chairs the committee and the National Security Council sets direction and policy on a very wide range of these priority issues, drawing on the collective capabilities of the different departments and agencies.
The noble Lord, Lord Alton, asked about military-civil fusion. I think I am right in thinking that we have received a Written Question from him on this, to which we will reply shortly.
I hope I have managed to address some, if not all, of the points raised by your Lordships. I am aware that I did not respond directly to some of the issues around modern slavery raised by the noble Lord, Lord Coaker, but I will cover those and any other points that I have missed in a letter.
For the reasons that I have set out, I do not feel able to accept these amendments and I hope that the noble Lord, Lord Alton, will feel able to withdraw Amendment 1.
I have received a request to speak after the Minister, so I call the noble Lord, Lord Fox.
I congratulate the Minister on introducing the Barran scale of nuance, which will no doubt become a classic in future. She did not address the issue of componentry, if you follow my drift. It seems to me, in analysis, that what tipped the balance in the sense of Huawei was the absence of American-made chips. Were that not to have happened, the NCSC would not have recommended the widescale removal that we have seen. That appears to be the implication. There seems to be an element of component monitoring going on, although in this case the monitoring appears to have been done more by the Americans than by the United Kingdom. It comes back to that fundamental point: at what level is the Bill going to be applied? Will it be applied on the overall capability of the system? In other words, is it a systems capability issue? Is it a subsystem operational outcome view, the individual pieces that go to make those subsystems, or the software that drives the overall system? How will the Bill actually be put into process?
I may need to write to the noble Lord about the technical details he has set out. I think for the approach to be effective it needs to incorporate all elements of that. An overall system cannot be a capable system if the subsystem is not. There needs to be coherence across the equipment that is supplied and our understanding of how it operates in practice and the component parts to inform the judgment about its security or not. I am happy to follow up in writing if he is agreeable.
I thank all noble Lords who have participated in the debate and the Minister for her replies. I thought that the intervention just now by the noble Lord, Lord Fox, was important. It drives at one of the issues that we have debated today in the context of Nexperia and what is happening to a British company that has been acquired by a Chinese company through its Dutch affiliate. It is about computer chips. It is about semiconductors. It is about our ability to be able to control what goes into the technology that the Bill is very much about. That is not an on-the-side question; it is a very important central question and I look forward to seeing the response that the Minister gives to the noble Lord, Lord Fox, when she looks at it further.
I turn now to some of the contributions made today. The noble Baroness, Lady Northover, in a typically powerful and thoughtful intervention, invited us to delve more deeply. That is what we have been doing during this afternoon’s proceedings. She emphasised the importance of countries working together. She regretted, with sadness, that we have been forced to make some of these decisions about our own individual ability to acquire intelligence as a result of our decision to leave the European Union.
I thought it was interesting that, earlier today, the European Commission issued new guidance to combat forced labour in supply chains. It rather puts our laggardly and perfunctory efforts to shame. The guidance provides concrete, practical advice on how to identify, mitigate and address the risks. This issue has been referred to and the noble Baroness has said that she is going to write to us further on modern-day slavery and supply chains. High Representative/Vice-President Josep Borrell says that the guidance
“will help EU companies to ensure their activities do not contribute to forced labour practices in any sector, region or country.”
It paves the way for future legislation which will have enforcement mechanisms and should introduce a mandatory due diligence duty, requiring European Union companies to identify, prevent, mitigate and account for sustainability impacts in their operations and supply chains.
Our amendments today would gather that kind of information. I simply do not accept that it is impossible for companies, in partnership with government—a point made by the noble Baroness in opposition to these amendments was that this would place too much responsibility on companies—or countries such as our own to collect this information. Like other noble Lords around the table, I have no staff. The information I gave to the Committee today is publicly available and, with a little bit of research, it can be obtained without too much difficulty. It is absurd to suggest that it is beyond the ability of companies or countries to collect information and share knowledge. The example from the European Union underlines what the noble Baroness said to us today.
The noble Lord, Lord Naseby, was, as always, asking all the right questions. From our many years together in another place, as well as here, I am always happy to stand with the noble Lord, not least because of his experience in many parts of the world. It is important to ensure that our people who are in post in many of our embassies are given the ability to ask these searching questions and to ensure that the information comes back to us, to prevent many of the expensive mistakes that have been made around Huawei, and which have been referred to during the debate, happening all over again.
My noble friend Lord Erroll was right to say that there are human rights abuses in many countries. Like him, I become indignant about some of those abuses; I do not argue, though, that we should no longer trade with those countries. I always prefer that we trade with countries that are on a trajectory to reform, that are law-abiding and that believe in human rights and democracy, but I accept that it would be impossible to take out of supply chains any country that carries out any kind of human rights violation.
However, there are certain markers that we can look to. One of them is our legal duty under the 1948 convention on the crime of genocide. This is not a word to be used lightly. The word “genocide” came into our vocabulary thanks to a Polish Jewish lawyer, Raphael Lemkin, who had seen over 40 of his own family murdered in the Holocaust. During the proceedings on the telecoms infrastructure Bill last year, I gave examples from that period of how companies such as Philips had their own forced labour in the camps where people were dying. I gave the example of Corrie ten Boom, a Dutch woman who had given refuge to escaping Jewish people trying to flee the Holocaust. She and her sister were arrested and sent to work in that factory; her sister died there. Corrie ten Boom wrote a deeply moving book called The Hiding Place. That is the comparison I seek to draw.
It is not just me. In April this year, the House of Commons said that what is taking place in Xinjiang is genocide—it is only the second time that it has ever made such a declaration, so this is of a different order. Where there is genocide, we, as signatories to an international treaty—the 1948 convention on the crime of genocide—have a legal obligation to predict the signs of genocide, prevent it from happening, protect those affected and prosecute those responsible. I accept my noble friend’s argument—we are not going to stop trading tomorrow with Gulf states or whomever it may be who is doing fairly odious things—but the crime of genocide is surely in a different league.
My noble friend was also right to talk about raw materials. During the proceedings of our International Relations and Defence Committee, in an inquiry that we conducted over a year ago into sub-Saharan Africa, I specifically raised the issue of lithium and many of the raw materials that come out of countries such as the Democratic Republic of the Congo, the use of child labour to produce them and the wicked, terrible things that happen in those supply chains. We have a duty to look at the supplies and to act.
In listening to the debate today, I was struck that the Romans had a strategy when they wanted to take over territories. They did two things. First, they divided and ruled—many noble Lords referred to the importance of what the noble Lord, Lord Fox, described as being in step-lock and of standing together, about which the noble Baroness made a point as well. However, the truth is that we have been divided—even New Zealand, which she referred to, stepped out from the step-lock for a while, but we hope that it has re-emerged.
We have seen what happened to Australia, which dared to even ask for an independent inquiry into the origins of Covid-19. The retaliation that then took place, against WTO rules and about which we have done nothing, is a signal to countries such as our own. China said, “We will poke out their eyes”, referring to the standing together of countries such as us, the United States, Australia and others outside of those networks, “in resisting attempts to destroy our industry”. That is the second thing that the Romans would do: they would ruin a country’s economy so that they could prey off it. Those are two rules that my noble and gallant friend Lord Stirrup, who is here in Committee—I referred to him in my earlier remarks—would be able to give us a long lecture on. Those elements are both there when you look at what is happening and they are why we need intelligence and information shared across the piece.
The noble Lord, Lord Fox, was right to talk about our industrial and security capacity and what has to be done at all levels—I agree with him entirely. He said that manufacturing capacity is crucial and central to our ability to innovate, and the example of semiconductors is very good. He cited the Mansion House speech of the Chancellor, Rishi Sunak. I do not think that life is about binary choices, generally, but sometimes you have to decide and you may have to take a hit. It may cost this country something: there are consequences when we decide to pull out of agreements with Huawei and, perhaps, if Hikvision is next on the list, there will be financial consequences. However, we have to accept those things sometimes because it means that we are then able to do something about the kind of regime that has created these things in the first place. Chris Patten recently described the argument about nuances as “cakeism”, or wanting to have your cake and eat it—to have this on the one hand and that on the other. Sometimes, we have to be clearer.
I can reassure the noble Lord, Lord Coaker, that he never disappoints. I have enjoyed working with him over the years on human trafficking. We worked together on the 2015 modern slavery legislation and he has done wonderful work with the Human Trafficking Foundation. As he knows, I have a Private Member’s Bill; we mentioned it in conversation together this morning. I previously invited, and will go on inviting, the noble Baroness to get the Government to agree to sponsor that Bill, which would prevent the House from having to hear from me further on the subject, and to take it over—because it seeks to do the kind of things that the European Union is looking at and that the Government themselves agreed that they would do. I will come back to that as well before I conclude; I will not be much longer.
Bills are not semaphore, but they do send important signals. It may well be that some of what is in here is being done already, but let us spell it out in the Bill and make it clear that it is something we want to happen. That is how it gets picked up by officials, non-governmental organisations and by industry as well, because they read it in the Bill. It is not otiose to include these things. I simply say to the noble Baroness that it does not blur clarity; in fact, it seeks to strengthen it. It is pretty clear about issues such as unacceptable violations, as the noble Baroness said; it would send a clear message on those things.
I end by coming back to something that I raised with the Minister on Second Reading. I told her that a letter had been sent to her by the right honourable Iain Duncan Smith Member of Parliament, a former leader of her party. Earlier today, she replied to Sir Iain, saying: “I cannot agree with your assessment that there has been no meaningful progress after seven months”, and reiterating her view that this Bill “is not an appropriate vehicle to address concerns around human rights and modern slavery”. But there is no information on what has happened to the Uighur review of exports or the fines. Perhaps even in responding today she can enlighten us on when that review will be completed and point us to any single policy that has been implemented on how China is being held to account for breaching the joint declaration in Hong Kong—I should mention that I am vice-chairman of the All-Party Group on Hong Kong, which was referred to by the noble Lord, Lord Fox.
In reminding Sir Iain that the review’s primary focus is on national security and the security of the UK’s public telecoms network, I say that it fails to connect those issues back to companies in countries that employ slave labour, enabling them to produce components at vastly lower costs than manufacturers in free societies, who are frequently then driven out of business. That enables the ruination of UK industry and its absorption by agencies directly linked to the CCP, and jeopardises our telecoms industry and our national security. Meanwhile, there is no sight of what was supposed to be an urgent export control review and fines for non-compliant businesses.
No doubt the noble Baroness will hear directly from Sir Iain, but I know that disquiet among her noble friends, including the noble Lords, Lord Blencathra and Lord Forsyth, and from other parts of the House, will inevitably mean that, as things stand, we will need to return to that question on Report. Those wanting to protect UK national security and protect UK consumers from complicity in mass atrocities are not the bad guys, and are not to be described as holding pitchforks for every Chinese investment, as the Prime Minister said recently. The bad guys are the people who are asleep on their watch as our industries are strategically taken over by those who threaten our national security, filling outlet schemes with slave labour-made goods.
It is for those reasons that I know that this debate is not over. I thank everyone who has participated today. I hope that the noble Baroness might be willing to continue in dialogue, between now and Report, to see whether any of these issues can be satisfactorily overcome. On that basis, today I beg leave of the Committee to withdraw my amendment.
Amendment 1 withdrawn.
2: Clause 1, page 1, line 15, leave out “anything” and insert “a security issue”
Member’s explanatory statement
This amendment, along with similar amendments to Clause 1 in the name of Lord Fox, seeks to narrow the scope of the definition of “security compromise”.
My Lords, I hope the Committee will forgive me if I move on to drier but—I hope the Committee will agree—important ground. In moving Amendment 2, I will also speak to Amendments 3, 4, 5 and 6.
Amendment 2, along with similar amendments to Clause 1 in the name of my noble friend Lord Fox and myself, seeks to narrow the scope of the definitions of “security compromise” and “connected security compromise”. As well as having concerns about oversight of the new powers of the Secretary of State, which we will debate later, there is also concern, reflected by the Constitution Committee, about the width of these crucial definitions and the consequences that flow, particularly as regards planned outages and the need to make a clear distinction between reporting on security compromises and on resilience.
I say this in the context of the impact assessment of 9 June, which stresses the large degree of uncertainty surrounding the costs to be incurred by business, amplified by the report of the Regulatory Policy Committee under its new chair. The Constitution Committee says:
“Clauses 1 and 2 impose duties on providers of a public electronic communications network or service … These include taking such measures as are appropriate and proportionate for the purposes of identifying and reducing the risk of security compromises occurring. The Bill defines security compromises, but the Explanatory Notes acknowledge this definition is broad and do not explain their intended scope. The consequences of a security compromise for providers are potentially significant, including substantial and costly duties of due diligence”—
this echoes the impact assessment. It goes on:
“The House may wish to consider whether narrowing the definition of security compromises would be appropriate.”
BT gave evidence to the Public Bill Committee in the Commons. Of course, BT is a provider which will need to comply with the provisions of the Bill, so I take the liberty of reading out much of its evidence:
“As currently defined, a ‘security compromise’ … would cover any planned network outage that may be required for maintenance or upgrading of the network, or any unplanned outages due to faults or wear and tear. These types of outages are relatively regular occurrences given the scale of our network and we always seek to minimise customer impact and restore service as quickly as possible. The duties on operators in the Bill that flow from this definition are significant—including network issues that cannot reasonably be considered as security compromises (rather resilience or availability issues) would create undue burdens on operators and potentially on OFCOM.
These outages are not the result of any unauthorised access or malicious intent, nor do they have consequences for the confidentiality of data or signals carried over the network. We do not believe it is the intention of the Bill to apply the same requirements (e.g. with respect to reporting or notification to stakeholders), or to make the same powers available to OFCOM, in relation to these types of incidents, as are intended to apply to ‘security compromises’.”
It goes on:
“The definition also seeks, we understand, to capture any compromise to the integrity of signals conveyed over a network. However, the way that this is expressed—by reference solely to compromises of the ‘confidentiality of signals’—is unclear and confusing. It could be significantly improved by making a simple amendment to refer to ‘confidentiality and integrity’.
The definition of ‘connected security compromise’ … is a simple definition referring to something that ‘occurs in relation to another public electronic communications network or a public electronic communications service’. Given the potential breadth of this definition, building some specifics on how the ‘connected’ element will be assessed in the overall Government/OFCOM guidance on ‘security compromise’ will be important.”
So a provider that will be considerably impacted by the Bill and the Constitution Committee have raised important issues about the width of these definitions. These amendments perhaps do not go as far as some providers would like, but they attempt to give greater certainty by specifying that compromises which involve security issues are covered, but not wider outages which do not have security implications. I very much hope the Government will heed both the providers and the Constitution Committee by narrowing the width of these definitions. I beg to move.
My Lords, I had the privilege of being an RAF pilot. The instructions we received as pilots in methods of security included the word “anything”. In other words, if you are flying a jet on a mission and you suspect something, “anything” is reported back, or you take remedial action. You do not try to refine that security by, in this case, reducing it or leaving any element of doubt. Thinking about it a little further, the “anything” could be technical. In this context, it could be competitive; it could be a company being taken over; it could be lack of finance; it could be fraud. Above all, it could provide a loophole. Therefore, Her Majesty’s Government are absolutely right in putting in the word “anything” and not trying to restrict it further.
My Lords, I rather agree with the noble Lord, Lord Clement-Jones, on this matter. The Bill is meant to be about security, not about “anything”. I have seen this happen with other legislation—that it suddenly becomes convenient to take something never intended for another purpose and, because it is very broadly worded, use it to beat some company or someone over the head over something completely unrelated. I am afraid that I agree that the Bill needs to be tightened up and brought down to security issues, not just “anything”.
For starters, a powerful, predominant supplier of routing equipment in the IP network would be a security risk. If anyone relies too much on one supplier—and they may unfortunately be pushed in that direction—it becomes a security risk, and we may have to close down some providers: “Oh dear, that’s our network finished”. That would be stupid. We are going to be anti certain companies. Companies get based or controlled elsewhere as takeovers happen internationally, so I see a certain amount of difficulty with this if it is very wide.
I come to what the noble Lord, Lord Fox, said. The reason we lost our manufacturing, of course, was that BT selected Huawei as the preferred supplier of the 21st-century network rewrite in 2005. That is the point at which we closed down our capability, effectively being blackmailed by America to get rid of Huawei while potentially blackmailed by Huawei, which could get too much control. We need to look at these strategic decisions where private companies that used to be government suddenly make companies that affect UK security. I have never been happy about that.
My Lords, in response to the noble Earl, Lord Erroll, I say that it is also a huge issue when you have, essentially, a near-monopolistic private sector supplier, which makes any decision completely catastrophic for the under-bidder. I am speaking not to that but to Amendments 2, 3, 4, 5 and 6, which, as my noble friend Lord Clement-Jones pointed out, bear my name. He set out a very clear rationale for these amendments, which back up the concerns of the Constitution Committee and, indeed, some suppliers. Rather than reiterate those, I beg noble Lords’ indulgence to illustrate the point, inviting them to join me in a thought experiment. They need not worry—it is not going to hurt and I will not be pushing them into a Petri dish or anything like that. I simply ask your Lordships to imagine things the other way around: imagine that the Telecommunications (Security) Bill did indeed include the words currently proposed by my noble friend Lord Clement-Jones and myself, words that clearly identify that the focus of the Bill should be on the security of telecoms.
I ask noble Lords to continue to use their imagination that it was my noble friend and I who were proposing changes to include the words that are currently there; in other words, imagine that we were proposing to take the word “security” from this imaginary Bill and turn it into “anything”. Broadening the cover, as we have heard, would broaden the problem around any interruption very widely. I do not know but I dare say that, if we tried to do that, the Public Bill Office would have something to say, pointing to the Long Title of the Bill, which is:
“To make provision about the security of public electronic communications networks and public electronic communications services”
—in other words, security. Were we to try to take that word out and put in “anything”, I dare say the PBO would not allow us to do so.
If we did however slip it past the PBO, I guarantee that the Minister of the day would tell us that this would subvert the Bill’s intention and would take away the Bill’s focus from security to some of the imaginary things that the noble Lord opposite suggested—or, indeed, a digger backing into a green box somewhere in Kent. This is not the “Telecoms (Mishaps) Bill” but the Telecommunications (Security) Bill. These simple and modest amendments focus the Bill on its stated objective.
This is a really important discussion. I do not want to speak for too long but the noble Earl, Lord Erroll, was right to say that the Bill is about security and not just “anything”. None of us on the Committee wants to compromise the nation’s security or compromise the ability of our military personnel to conduct necessary operations. However, sometimes in legislation words really matter—they are the law of the land. That is why scrutiny of legislation in Committee like this is so important, word by word and line by line, otherwise—and I will have a series of questions for the Minister on this—down the line in one, two, three or five years, something will happen and everybody will go, “How was the word ‘anything’ included?” The unintended consequence of legislation is something that we need to consider, or people will ask how something happened—how that word was allowed.
With that in mind, it is important that the Minister explains to the Committee how this definition is arrived at. The starting point would be to ask her to explain the differences between having the word “anything” and having the phrase “security issue”. Can she give examples of how the Bill would be weakened by having that term rather than “anything”, and what “anything” means—apart from saying that it means “anything”? What does it actually mean, given that the Bill is supposed to be about security issues, as the noble Earl said?
The Government argue that the duty on providers is appropriate and proportionate to ensure that the effects of compromise are limited and to act to remedy the impacts. I understand why Ministers are keen to keep the definition wide, but on its own it is not good enough. For example, can the Minister explain whether there are any thresholds to what amounts to a security compromise, or is it “anything”, and what does that mean to an individual who might stray into territory that they are not sure about? How was the Bill’s definition arrived at? Who came up with it and what advice did they receive? Were alternatives suggested to it, what did security experts say to the Minister was necessary, and were there dissenting voices?
In seeking clarification, I wonder whether the Minister can explain why the definition does not include, as I understand it, the presence of supply chain components, as the noble Lord, Lord Fox, mentioned on the earlier group of amendments, if they represent a security threat. Maybe it does—but could the Minister clarify that? We need to know that to understand the diversification of the supply chain and how effectively or not it is proceeding. It is important to consider the components of the supply chain, particularly when identifying where they are a threat to our national security. As I see it, that is not included in Clause 1, but perhaps the Minister can tell me that it is and that I have not read the clause correctly. If so, where is it?
I go back to where I started. These amendments are important in testing how the Government have arrived at this use of “anything”. I know it sounds like semantics—what does “anything” mean?—but the point made by the noble Earl, Lord Erroll, is crucial. The Bill is a security Bill. That being so, why does “anything” appear and why is “security issue” not the appropriate way to describe this? Why is it not included in the Bill? It is necessary for the Committee to understand the Government’s thinking on this for us to consider whether we need to bring back this matter on Report.
My Lords, the Committee will recall that the UK Telecoms Supply Chain Review Report in July 2019 found that telecoms providers lack incentives to apply security best practice. This Bill is our response to its recommendations and takes forward the Government’s commitment in the report to introduce a new security framework, including new legal duties and requirements, to ensure that telecoms providers operate secure and resilient networks and services.
I thank the noble Lords, Lord Fox and Lord Clement-Jones, for tabling these amendments to Clause 1. Before I address them directly, I hope that it will be helpful if I set out some brief context for the clause as it appears in the Bill and try to address the challenges posed by the noble Lord, Lord Coaker.
Clause 1 inserts a new Section 105A into the Communications Act 2003. New Section 105A places a duty on public telecoms providers, first, to identify the risks of security compromises; secondly, to reduce the risks of compromises occurring; and, thirdly, to prepare for the occurrence of security compromises. To support the duty, new Section 105A creates a new definition of “security compromise”. The definition is purposefully broad and includes anything that compromises the availability, performance or functionality of a network or service, or that compromises the confidentiality of the signals conveyed by it. I thank my noble friend Lord Naseby for his support for this approach.
I am genuinely slightly puzzled by the remarks of the noble Lord, Lord Coaker, about what is included and excluded, because Clause 1 goes into great detail—which I shall not read out now, but I know the noble Lord has looked at it. Not only do we define what is included in “compromise” but we are explicit about what is excluded. This comprehensive approach will help ensure that telecoms providers protect their networks and services properly in the future. It creates a new duty on providers to take steps to reduce the risk of incidents and attacks seen globally in recent years.
As we have heard, the amendments tabled by the noble Lords, Lord Fox and Lord Clement-Jones, would narrow the definition of a security compromise. As both noble Lords noted, this was also a matter that the Constitution Committee recommended the House consider in its recent report. As I have said, the definition is designed to support a long-term approach to security. It aims to be focused enough to address risks that are specific to telecoms networks. At the same time, it is broad enough to ensure the Bill is future-proof and has flexibility to enable us to address new and evolving threats.
I appreciate that the noble Lords are seeking to ensure that legal obligations on telecoms providers are targeted and appropriate to specific risks, but it is important to remember that the framework within the Bill is designed to do exactly that. Certainly, we are not aiming, in the words of the noble Earl, to bash suppliers over the head. Rather, the broad definition in the Bill helps future-proof the legislation, whereas the specific security measures which narrow that focus will be set out in secondary legislation. I tried to get my head around the thought experiment from the noble Lord, Lord Fox, but I got stuck at the idea of trying to fit inside a petri dish, which would definitely be impossible.
Secondary legislation is where detail will be provided on the precise measures—on which both noble Lords are seeking clarification—that telecoms providers must take to protect networks and services and respond to specific risks and current vulnerabilities. Accompanying technical guidance will be set out in codes of practice, which will also help telecoms providers understand the steps they could take to meet their obligations.
Should the definition of “security compromise” be narrowed in the Bill, it is possible that some future threats may not be captured in the measures in secondary legislation and in guidance in codes of practice. That would undermine the whole approach. The amendments in the group as drafted would also leave open the definition of what constitutes a security issue, and telecoms providers would have to identify that for themselves. Our concern is that the amendments would not in fact provide further clarity on what might be covered in the definition of a security compromise. As we know, that is not what noble Lords intended.
The difference between “security compromise” and “resilience” was raised by the noble Lord, Lord Clement-Jones. Resilience is already covered in the existing Act; the sections that this Bill will replace already do this, so we feel it is appropriate to keep the definition broad.
For the reasons I have set out, we cannot accept these amendments. I therefore ask noble Lords not to press them.
I have received one request to speak after the Minister, from the noble Lord, Lord Fox.
The Minister brought up the review, which was very clear that there are huge potential market failures within the security and resilience telecoms market, the reason being that security is not valued by the networks. It is other things, such as network connectivity and price, which are of maximum importance to those networks—things that might come under the word “anything”, for example.
Let us be clear about the four reasons given by the review that security is undervalued by networks: insufficient clarity on cyber standards and practices; insufficient incentives to internalise the costs and benefits of security; lack of commercial drivers, because consumers of telecoms services do not tend to place a high value on security; and the complexity of delivering, monitoring and enforcing contractual arrangements in relation to security. All four of those issues, which I think are driving the purpose of this Bill, involve the word “security”. Far from these amendments watering down the intent of the Bill, the Minister is watering it down herself by including the word “anything” and ignoring the word “security”. I do not expect her to accept these amendments now, but I would like the department to go away and think about this very carefully, because a catch-all Bill catches nothing.
I hear the noble Lord’s concerns. We will of course take back his comments and reflect on them again. However, I know that officials working on this Bill have considered these points in enormous detail and would be happy to meet the noble Lord and discuss them, if that would be helpful. We believe that our framework does not water down but balances future-proofing with the precision and specificity that the noble Lord seeks. I hope we can follow up on that in a separate meeting.
My Lords, I see a slight chink of light, perhaps, that may be opened by a meeting with the Minister on this subject—because she will appreciate that none of the amendments tabled to the Bill, which we think is important, has been put down lightly, and definition is crucial.
I was somewhat baffled by the noble Lord, Lord Naseby, flying in his jet—I was thinking of perhaps pressing the ejector button, but I thought better of it. The idea that there is an analogy between flying a jet and what we are talking about here was a bit baffling. The only way that I could think of the analogy for a planned outage, which is exactly what the providers are worried about being subject to under this definition of “security compromise”, is where a jet does a planned manoeuvre and everyone scrambles and treats it as an incident—so I cannot see that his analogy holds at all.
I much prefer and give thanks for the contributions of the noble Earl, Lord Erroll, the noble Lord, Lord Coaker, and my noble friend Lord Fox, who, in doubling down on the points raised about the purposes of the Bill, illustrated exactly why we seek to have a much more precise definition. The big problem is that the flexibility demanded by the Government is effectively at businesses’ cost and causes uncertainty. That is the worry about the way that the Bill is currently drafted.
The Minister talked about future-proofing and doing it more precisely, in a sense, by setting out the duties by secondary legislation—but, of course, there are great concerns about the way that the secondary legislation is to be agreed and the codes of practice. So I suppose that, if I were going to ask for a quid pro quo, if there is to be a loose definition of “security compromise”, there must be a very tight way of agreeing the codes of practice and the secondary legislation—but I wonder whether the Minister will actually agree to that trade-off, as we go through the afternoon. I would like to have all of the amendments that we have tabled for today.
I really think that, when the Minister said that this would “undermine the whole approach”, it is good to have it in her script, but that is absolutely not the case. The last thing that we are doing by trying to tighten this definition is to undermine the whole approach; we are trying to create certainty for the providers so that, when they plan outages and there are other planned events, they are not caught by a sidewind when trying to comply with the terms of the Bill. This is a practical issue.
I understand what the Minister says about resilience and, to some degree, that is the case, but there is clearly a great deal of uncertainty surrounding the providers’ interpretation of the Bill, as it currently stands—and they are the ones that will be subject to this. As I said—without wishing to repeat myself too much—the Government’s impact assessment itself makes it very clear that the costs of this exercise, of having to comply with the Bill, are extremely uncertain at this point, and there is quite a lot of concern about that.
I am sure that, if we have a meeting with the Minister in due course, we will be able to persuade her to accept these amendments, and I look forward to it. In the meantime, I beg leave to withdraw Amendment 2.
Amendment 2 withdrawn.
Amendments 3 to 6 not moved.
We now come to the group beginning with Amendment 7. Before I call the mover, the noble Lord, Lord Clement-Jones, I will run through the speakers’ list, so that everyone is clear: the noble Lord, Lord Clement-Jones, will be followed by the noble Lord, Lord Naseby, the noble Earl, Lord Erroll, the noble Lord, Lord Fox, the noble Baronesses, Lady Merron and Lady Barran, and finally the noble Lord, Lord Clement-Jones.
7: Clause 1, page 3, line 22, at end insert—
“(1A) Regulations under subsection (1) may not be made unless a draft has been laid before, and approved by a resolution of, each House of Parliament.”
Member’s explanatory statement
This amendment would require Parliamentary approval before regulations regarding the duty to take specified security measures are made.
My Lords, I beg to move Amendment 7 and will speak also to Amendment 12. New Section 105B introduced by Clause 1 affords the Secretary of State the ability to make regulations that have highly onerous provisions, laying down that a provider must take specified security measures. This is under the negative procedure, which is of course a near 100% guarantee of their coming into force. There is no provision for any independent or specialist oversight of these regulations, as we will discuss later. They cover a huge range of issues in great detail, including
“Network architecture … Protection of data and network functions … Monitoring and audit … Supply chain”.
These are all in the draft regulations, along with
“Prevention of security compromise and management of security permissions … Remediation and recovery … Governance and accountability … Competency … Testing … Assistance”.
Very helpfully—in a way—to my case in the last group, the Minister said that the whole purpose of the regulations was to specify in greater detail what the duties of providers would be. But, already, particular issues have been identified in the draft regulations by providers relating to patches, audit and monitoring, supply chains, foreign network operating centres—and the list goes on. So, there is already a feeling not only that these regulations are very detailed but that they should not be subject to the negative procedure. It seems extraordinary that regulations of such importance are not to be subject to greater parliamentary scrutiny.
Noting, obviously, that the noble Baroness, Lady Merron, will be speaking to her Amendment 11, I move on to my Amendment 12. The fourth report of the Delegated Powers Committee drew the attention of the House to proposed new Section 105E of the Communications Act 2003, which gives the Secretary of State power to issue, revise or withdraw codes of practice about security measures that should be taken by providers in the performance of their duties to prevent security compromises under Sections 105A to 105D. There is a duty to consult with Ofcom and providers but no oversight or approval role for Parliament.
In her letter to us after Second Reading, the Minister of course assured us that:
“Government will consult with affected public telecoms providers and Ofcom on any codes of practice that are issued. This will ensure that we have a full understanding of the code’s impact before it is finalised. A consultation on the first code of practice will take place after the Bill receives Royal Assent.”
I am glad to say that the Delegated Powers Committee, in the light of the importance of the codes to assessing compliance and in enforcement by Ofcom, were unconvinced by the department’s claim that this was too detailed and technical and “not legislative”. As the committee said:
“The Bill provides for codes of practice to play a significant role—both in relation to the exercise of OFCOM’s regulatory functions and in legal proceedings—in supplementing the important duties to take security measures that the Bill imposes on providers.”
“In our view, it is unacceptable for codes of practice that will have the significant statutory effects provided for in this Bill to be subject to no Parliamentary scrutiny procedure.”
As the UK communications council said, the combined effect of the two proposed provisions that I have talked about in these two amendments amounts to a near-unfettered ability for the Secretary of State to interfere in the normal operations of what is an otherwise innovative and successful industry. Amendment 7, in particular, seeks to ensure that these regulations need to be approved by Parliament by the affirmative procedure. Amendment 12 would require approval from Parliament for codes of practice under the Bill. Where I differ from the committee and, it seems, the noble Baroness, Lady Merron, is on the procedure to be adopted. In my view, at minimum, it should be by the affirmative procedure. I beg to move.
My Lords, I am sorry that the noble Lord, Lord Clement-Jones, does not like my analogy of flying. I just remind him of a recent series of Boeing airliners that crashed with a huge loss of life when the security of flying was overridden by a piece of machinery. I stick by my analogy but I will not progress that any further in relation to these amendments.
The Bill says clearly:
“publish the code; and … lay a copy of the code before Parliament.”
However, it does not allow Parliament by right to debate that code and any amendments that come. This is a fast-moving market, as we all know. New opportunities have come up that will have a security dimension to them. There will be new developments, I hope, from our own technical universities so there must be some provision for the expertise that both the House of Commons and the House of Lords have within them to debate. Those of us who have been in Parliament for a few decades know that quite often there are unusual people who have a particular niche that they know something about. That is the benefit of the experience of Parliament.
I agree with the noble Lord that it ought to be done on the affirmative procedure. I sat in the chair for five years during the passage of all the Maastricht and other Bills and there are certain areas where it is absolutely crucial that it should be done by affirmative resolution. Therefore I certainly support that dimension.
My Lords, I can see that it might be useful to avoid scrutiny sometimes when we have to finesse difficult issues—say, balancing effectiveness and public perception of certain other issues, or whatever. We can also end up with an awful lot of SIs in front of both Houses and everyone feeling rather swamped and bored by them and no one really doing anything about them. The trouble is that we get more and more wide-ranging powers in Bills, and this is a particular example of it. The more we do that, the more careful we have to be about the secondary legislation, because that is where the devil resides and that is where the real control is. We have just passed something that enables a takeover by the Executive. In some cases that may be a good thing; in others it could be very dangerous. To be honest, because of the huge, general issues in these Bills, I now come down in favour of the affirmative procedure. We are going to have to scrutinise it.
My Lords, harmony is breaking out across the Room, with the possible exception of the Minister. I will not reiterate my noble friend’s well-put argument but I refer the Minister—I am sure she has already read it—to the impact assessment. I am increasingly of the opinion that the single most useful document that comes with the publishing of a Bill is not the Explanatory Notes but the impact assessment. The department is to be congratulated on the quality of the one produced in this case.
Page 30 of the impact assessment covers the monetised and non-monetised costs of this. At the front of the assessment there is a number. However, point 6.1 says:
“This impact assessment makes an estimation of the costs and benefits of the options”.
It says it brings together “a number of sources” and notes that there are “limitations to the analysis”. The first is the
“lack of robust and specific data”—
that is a fairly serious limitation—
“for example on UK telecoms market size and the size of specific sub-markets”.
Therefore, the number on the front is based simply on—obviously, well-intentioned—estimates of the telecoms market. Furthermore, the costs are quantified based on equipment costs. They are not based on the friction of running a network under the constraints of this Bill, which is itself a glaring error in how one looks at the cost of this Bill in terms of impact.
It is not just about the cost and replacement of equipment—it is about the draft regulations to which my noble friend Lord Clement-Jones referred. They cover all aspects of the operation of the networks in this country. We are looking at a situation in which, if the Minister so chose, the regulations could be made and implemented such that the Minister ran the networks by remote control from the department. That is why these safeguards, parliamentary scrutiny and the affirmative process are an important safeguard to prevent attention—not, I am sure, from this Minister or this Secretary of State, who I am sure can be trusted with these regulations, but we do not know who will follow or what their intentions will be.
As the noble Earl, Lord Erroll, wisely said, to hand over these powers without simultaneously taking significant powers of scrutiny of the statutory instruments that will inevitably follow is the wrong way in which to pass a Bill in your Lordships’ House. For these reasons, along with the huge uncertainty of the cost of what we are doing here, I commend my noble friend’s amendments.
My Lords, I speak to Amendment 11 in my name and welcome Amendments 7 and 12 in the names of the noble Lords, Lord Fox and Lord Clement-Jones. I was interested that the noble Lord, Lord Fox, referred to a chorus of agreement, which I certainly heard ringing out, expressing concerns about the role that Parliament should have in scrutinising on codes of practice that this Bill currently does not provide for. To me, the codes remind us that the Bill can provide us only with something of a framework, and for many areas there is a wait for the details to be filled in later. As the noble Earl, Lord Erroll, said, the devil, as always, is in the detail.
Clause 3 allows the Secretary of State to issue new telecom security codes of practice that will set out to providers the details of specific security measures that they should take. As we have heard referred to, the impact assessment states that these codes are the way in which the DCMS seeks to demonstrate what good security practices look like. However, I note that Ministers are proposing only to demonstrate but not actually to secure good practice, which I am sure is the real intent—and it would be very helpful if, through this debate, we could get to that place.
I am interested also to note and draw the Minister’s attention to the fact that the Government have said that these codes will be based on National Cyber Security Centre best practice security guidance. The Government have said that they will consult publicly, including with Ofcom and the industry, as we read in the Minister’s letter following Second Reading. That public consultation will be on implementation and revision. However, it strikes me as very strange that the National Cyber Security Centre is not a statutory consultee; can the Minister say why it is not?
I particularly make the point that, as the codes of practice will be admissible in legal proceedings, they have to be drafted accurately and we have to ensure that security input and expertise is fed into them. The National Cyber Security Centre, which is described as a bridge between industry and government and is, indeed, an organisation of the Government, would seem to be a body that should be, in a statutory sense, invited to make the input and offer its expertise, along with other departments and agencies. After all, we can see, when reading about the centre, that its whole reason for being is that it provides widespread support for the most critical organisations in the United Kingdom as well as the general public, and they are absolutely key when incidents, regrettably, occur. We are trying to address those incidents in respect of this Bill.
As we have heard from all noble Lords who spoke in this section of the debate today, the input needs to come from Parliament, which is why I tabled Amendment 11. As the Bill is drafted, the current reading is that a code of practice must be published and laid before Parliament, but there is no scrutiny procedure. I put it to the Minister that if codes have legal weight, why is Parliament being denied the chance to scrutinise them? We seem to have a complete mismatch there. I was taken by the words in the Delegated Powers Committee report, mentioned by the noble Lord, Lord Clement-Jones, in his introduction, which stated that this way of being was “unacceptable” and called for the negative procedure for codes. That is what Amendment 11 does. Can the Minister address specifically the words of that committee report? I refer her to paragraph 27, which says:
“In our view, the Department’s reasons are unconvincing … the fact that codes of practice would be produced after consultation with interested parties cannot be a reason for denying Parliament any scrutiny role; and … the Department appears not to have recognised the significance of the statutory effects of the codes of practice”,
as has been highlighted today. I therefore hope that the Minister will both comment on the report and seek to make what is a very important and significant change in this regard.
I will pick up on one additional point. The impact assessment also says that the codes of practice will have a tiering system for different-sized operators. The initial code will apply to tier 1, which serves the majority of businesses of critical importance to the United Kingdom. This will also apply to tier 2 medium-sized operators but with lighter oversight by Ofcom and longer timetables. Can the Minister offer a draft list of the operators in tiers 1 and 2, and can it be shared with noble Lords? I would also be interested to know whether the Minister has any concerns that tier 2 operators will somehow be worse at compliance. If she has those concerns, what support will be provided to small and medium-sized enterprises? I look forward to her reply.
My Lords, I have heard with interest the contributions of your Lordships regarding the parliamentary oversight of the secondary legislation and codes of practice associated with the Bill. I will try not to disrupt the harmony that broke out so agreeably.
Amendment 7 tabled by the noble Lord, Lord Fox, would apply the affirmative procedure to regulations made under new Section 105B in Clause 1. It would require secondary legislation to be laid in Parliament in draft and to be subject to a debate and a vote in both Houses. Both Amendment 11 tabled by the noble Baroness, Lady Merron, and Amendment 12 tabled by the noble Lord, Lord Fox, would require a statutory instrument to be laid in Parliament for the Secretary of State to issue or revise the codes of practice, under the negative or affirmative procedure respectively.
I will first address Amendment 7 and the procedure for the regulations. The Bill currently provides for the statutory instrument containing the regulations to be laid using the negative procedure. This is the standard procedure for instruments under Section 402 of the Communications Act. The only delegated powers in the Bill currently subject to the affirmative procedure are Henry VIII powers to retrospectively amend penalty amounts set out in the primary legislation.
The Bill’s delegated powers memorandum justified the use of the negative procedure for these regulations on two grounds. First, for the regulations to be made, Parliament will have had to approve the clauses in the Bill that determine the scope of regulations. These are Clauses 1 and 2. The regulations are not amending primary legislation, so it is these clauses that most parliamentary attention is rightly focused on. Secondly, the measures set out in the statutory instrument are technical and will need to be revised from time to time to account for evolving technology and a changed threat landscape. This means that they require a procedure that strikes an appropriate balance between extended parliamentary debate and putting appropriate and proportionate measures in place efficiently to secure our networks. The negative procedure delivers that balance.
In addition, the delegated powers memorandum was provided to the Delegated Powers and Regulatory Reform Committee for scrutiny. Having closely assessed the Bill, the committee did not suggest that the regulations should be subject to affirmative procedure, as the noble Earl, Lord Erroll, and my noble friend Lord Naseby suggested.
I will now address the amendments to the parliamentary procedure for codes of practice. The noble Baroness has explained that Amendment 11 is in line with the recommendation put forward by the Delegated Powers and Regulatory Reform Committee, and we continue to welcome the committee’s role in scrutinising the Government’s approach. The committee first argued that as codes of practice will be used in Ofcom’s monitoring and enforcement of the new framework, they should be subject to parliamentary procedure. The codes of practice will provide technical guidance to assist public telecoms providers in meeting their legal obligations. Those obligations will be set out in the Bill and in secondary legislation, both of which will be subject to parliamentary scrutiny. Ofcom will therefore not just take into account public telecoms providers’ adherence to guidance within the codes when making its enforcement decisions. Those enforcement decisions will consider how far public telecoms providers are meeting their legal obligations in the Bill and the regulations, both of which will have been subject to parliamentary scrutiny.
Furthermore, Ofcom will provide procedural guidance on how telecoms providers should work with Ofcom to demonstrate compliance with their legal obligations. The committee’s report also argued that the effect of codes of practice in legal proceedings means that they require additional scrutiny, as the noble Baroness pointed out. Technical guidance in codes of practice could assist the courts when deciding whether a public telecoms provider has met or breached its legal obligations. The committee’s report argues that the interests of providers must be considered with respect to court judgments. The Government agree, and consider that the Bill’s consultation requirement is sufficient to protect those interests. Consultation means that no code would come into effect without giving due consideration to how it could impact providers. Additional parliamentary scrutiny would therefore not be necessary.
Furthermore, the codes of practice are intended to be flexible and responsive to changing technologies and the threat environment, allowing regular updates to be implemented with minimal delay to protect UK networks from cyberattack. Additional parliamentary procedure would limit this flexibility, requiring statutory instruments to be brought forward each time a code needed to be updated. The committee’s recommendation would therefore extend the minimum period between a draft code being revised and its coming into effect. This could reduce the effectiveness of updates to a code of practice and reduce responsiveness to changing threats and technologies.
While the codes of practice may have the effects that the committee has highlighted, they are technical in nature. They will detail practical security measures relating to specific technology. Their intended audience is security professionals working for public telecoms providers; we need the codes to be able to be understood by that audience. They are not intended to be formal secondary legislation. We do not therefore believe they are suitable for the scrutiny that the committee has recommended.
Amendment 12, requiring the use of the affirmative procedure for codes of practice, would only exacerbate those impacts. The three amendments are unnecessary. They risk duplication, reduce flexibility and increase delay in assisting telecoms providers with necessary security improvements.
The noble Baroness, Lady Merron, asked why the NCSC was not mentioned in the Bill. It is because its role is set out in legislation elsewhere. She also asked which companies would be in each tier. I have some examples, but I am not sure whether they are in the public domain. If I may, I will gladly write to the noble Baroness and share what I can.
For these reasons, I am not able to accept these amendments. I hope your Lordships will not press them.
My Lords, I thank the Minister for that rather depressing reply. I also thank the noble Lord, Lord Naseby, for his support—I think we will have a fly-by in celebration. I thank too the noble Earl, Lord Erroll, my noble friend Lord Fox and the noble Baroness, Lady Merron, who raised some very interesting points, all supportive of greater scrutiny in both respects, which was very helpful. As my noble friend illustrated—the impact assessment is a mine of information—the lack of robust and specific data is one of the areas of great uncertainty, and there is the risk of running the industry by remote control without adequate scrutiny. There is great uncertainty about cost, and therefore there needs to be that level of scrutiny, and there is great concern about the role that Parliament should have.
I was fascinated by the Minister’s argumentation. It does not really matter whether a committee recommends something or not; the Government are not going to accept it. Apparently, it is not good enough to have the affirmative procedure because the committee did not recommend it; on the other hand, it is not good enough to have scrutiny of the codes of practice even though the committee did recommend it. Basically, the Government are saying, “Well, what the hell? We’re not going to agree with the committee on any basis.”
Sitting suspended for a Division in the House.
My Lords, the Grand Committee will now resume. I think we were just about concluding the remarks of the noble Lord, Lord Clement-Jones.
I might take that hint, but there is still a little bit of water to flow under the bridge.
The Minister knows that there is already a great deal of concern about both the regulations, which I have specified and gone through to some degree, and the forthcoming codes which we are assured will come out, so there is no doubt that the Government are fully aware of the providers’ concerns.
I thought the point made by the noble Baroness, Lady Merron, on the NCSC’s lack of involvement was very strong. That absolutely must be bolted into the Bill; it is fundamental in so many ways, and I do not think any of us really understands why that should not be bolted in.
I come on to the substance of what the Minister said: that using the negative procedure for the regulations was fine because we are not amending primary legislation. Do we now make a virtue of a non-Henry VIII power? Are the only powers that we think should now be subject to the affirmative procedure Henry VIII powers? We have moved some way. I am clearly getting far too long in the tooth to see those sorts of arguments being made by Ministers, especially when it is a matter of scrabbling around to keep the Bill as it is. I understand the “not invented here” principle, but it is a bit depressing to see it when the merits of a case are so strong.
The other time-old argument is “Don’t worry your pretty little heads; these are technical regulations. Parliamentarians can’t have too much oversight of a technical regulation—they might not understand it. They might get confused and lose sleep.” I do not know what the arguments are, but they are clearly bogus. We should go for the affirmative, and someone with the experience of the noble Lord, Lord Naseby—I am sorry to see he is not here—as a Deputy Speaker in the Commons knows full well that that is the appropriate form.
The words “legislative effect”, which the noble Baroness, Lady Merron, emphasised, as I do, are important in this context, and were raised by the Delegated Powers Committee. On this point about having no delay, regulations needing to be updated, and a code of practice needing to be flexible and updated, we have seen that this Government can pass Covid-19 regulations in a blink; they can do virtually anything they feel like at the drop of a hat and nobody says boo to a goose, so I do not think that is a very useful argument.
The other point the Minister made was that the code needs to be understood by its audience. Again, that is a “Don’t worry your pretty little head” argument—“Parliamentarians will not understand the code—it is not relevant to them; only the providers need to worry about it.” But providers are worried about the code, and they would be much reassured if they saw that there was proper scrutiny.
I am really sorry to say that I did not even see a chink of daylight in that group, sadly. I hope that we can move a bit further as the Bill progresses but, in the meantime, with great disappointment, I beg leave to withdraw the amendment.
Amendment 7 withdrawn.
Clause 1 agreed.
Clause 2: Duty to take measures in response to security compromises
8: Clause 2, page 4, line 30, at end insert—
“(7) In making regulations under this section, the Secretary of State must take the utmost account of the advice of the Technical Advisory Board and a Judicial Commissioner concerning the proportionality and appropriateness of any measure or description of measure specified in the regulations.”
My Lords, I move Amendment 8 in my name and welcome the similar Amendments 9 and 19 in the names of the noble Lords, Lord Clement-Jones and Lord Fox. The Minister will recognise some similar themes in this group to those in the previous debate. The amendments are to Clause 2, which gives the Secretary of State the powers to make regulations which require providers to take specified measures in response to a specified security compromise and where a security compromise has a specified adverse effect on the network or service. The Minister will not be surprised that the amendments seek to understand what advice the Secretary of State will receive and where that advice will come from when making these regulations.
I am sure that we have all heard concerns about how these regulations are widely shared. For example, Comms Council UK has said that this represents an
“unprecedented shift of power from Parliament to the Minister in relation to how telecoms networks operate”,
and argues that
“the Minister will be able to unilaterally make decisions that impact the technical operation and direction of technology companies, with little or no oversight or accountability.”
Unsurprisingly, there has been a call for technical and judicial oversight, as reflected in these amendments, just as the Investigatory Powers Act 2016 established a Technical Advisory Board to advise the Home Secretary on the reasonableness of obligations imposed on communications providers. There is precedent here to which we can usefully refer.
Other concerns were expressed in Committee in the other place. The Digital Policy Alliance is familiar to a number of parliamentarians, especially the noble Earl, Lord Erroll, who is chair of that august organisation. I am sure that he is aware of the comments of its Dr Louise Bennett, who said:
“There is no mention in the Bill of a technical advisory board focused on the provisions of the Bill, and that would be a very helpful addition.”—[Official Report, Commons, Telecommunications (Security) Bill Committee, 14/1/21; col. 49.]
I agree. Such a board would, for example, be able to point out that new types of components were coming down the track. Does the Minister feel that such a board would be a helpful addition? If not, why not?
Have the Government considered expanding the remit of the current Technical Advisory Board to cover the powers in the Bill? Amendment 19 in the name of the noble Lord, Lord Clement-Jones, gives us a useful steer on how any such new board could be constituted. Without such a board, what technical advice will the Secretary of State receive? Who will it come from, and will it be published? I look forward to the Minister’s reply.
My Lords, I am delighted to be on the same page as the noble Baroness on the insertion of a technical advisory board and judicial commissioner into the process. I note that she quoted Dr Bennett of the DPA; I am proud to be a DPA member and sitting opposite my chair. Others from the industry have made the same points. Comms Council UK has pointed out that there are no clear mechanisms for technical feedback or expertise to be fed into the drafting of the regulations and the codes of practice, which we discussed on the last group. It makes the point that many of the technical requirements that will be placed on its members are not in the text of the Bill but are in the accompanying regulations and the code, which we have heard has yet to be published. It is clear that, in these draft regulations made under Section 105B and 105D—
Sitting suspended for a Division in the House.
My Lords, the Grand Committee is resumed—third time lucky. I call the noble Lord, Lord Clement-Jones.
My Lords, I hope I am demonstrating the agility of which the Minister is so fond. As I said earlier in respect of the judicial commissioner, these amendments provide a ready-made mechanism for oversight concerning the proportionality and appropriateness of any measures in the regulations and codes. Taken together, Amendments 9 and 19 would require the Secretary of State to take into account the advice of the technical advisory board—and insert a new clause after Clause 14—and that of a judicial commissioner appointed under the 2016 Act. We have gone a little further in specifying the make-up of the technical advisory board, but we are clearly on the same page as the noble Baroness, Lady Merron, with her Amendment 8.
My Lords, I want to speak on this issue as I remember mentioning it at Second Reading. There is a person for whom I have huge respect, Dr Louise Bennett, whose extensive knowledge and sagacity I first ran into when we were talking about ID cards years ago and the whole problem of digital identity and privacy over the internet. If you really want to know about such things, read her work: she has produced a lot of work on this. I think a technical advisory board is essential: these are complex issues. The Minister said that the matters subject to regulation will be technical. I do not see how we can do this without a good technical advisory board, and it is good if we have some view of who goes on it, because it is too easy for these things to disappear off and no one thinks about them. We will keep needing cutting-edge advice and not have groupthink, and these matters are very tricky.
Between Amendments 8 and 9, I could not decide between taking “the utmost” and “full” account; there is a neat little difference in the wording. Otherwise, the point about laying it out properly is important. The other thing, which slightly goes back to our previous debate, is that we get into the whole problem of what are regulations, what is guidance, what are guidelines and what is a code of practice and the different legal stance of those different things. We have to be careful about using them as if they were interchangeable. Regulations will often give rise to a code of practice, breach of which is not necessarily an offence, but they can be linked back to a primary Act offence. We should not bandy those words around interchangeably; they are different. We need a technical advisory board and, between these amendments, we should do something about it.
In quick response to, or doubling up on, the noble Earl, Lord Erroll, my understanding is that the code is enforceable by law. If it is not, perhaps the Minister can explain how the operators are expected to deliver.
This is relatively simple. The Minister has asserted that this is a technical issue. She has asserted that it is too technical for Parliament to be able to manage, but at the same time, as it is currently structured, there will be a self-referential group of people. If the Covid crisis has told us anything, it is that a self-referential group of people is not good at horizon-scanning. Security is a great big horizon scan. You normally know you have not got security only when you lose it and it is essential to take advantage of the diversity of technical opinion that exists in this country and elsewhere. It is extremely arrogant to believe that the sum of human knowledge is contained in one department, and probably one subsection of one department.
For those reasons alone, a technical advisory board is vital to secure the future of this country. That seems to me self-evident, but clearly it is not, so perhaps the Minister can explain. Was this discussed, when was it discussed and why was it dismissed as an option?
Both these amendments have very cunningly taken advantage of existing structures; they have looked at the Investigatory Powers Act 2016 and read across, with ready-made structures that can deliver both the technical advisory board and the benefits that I have just set out and a judicial commissioner to make sure that there is sufficient proportionality and appropriateness in those measures. It seems to me that it is for the Minister to explain, if this was good enough for the 2016 Act, why it is not appropriate to put it in this Bill for these issues.
My Lords, I am grateful to noble Lords who have taken part in the debate on these amendments, which seek to require regulations and codes to reflect advice provided by technical advisory boards and a judicial commissioner. The amendment to Clause 2, tabled by the noble Baroness, Lady Merron, requires any regulations made under new Section 105D to reflect advice provided by the existing Technical Advisory Board to the Home Office and a judicial commissioner. Similarly, the two amendments tabled by the noble Lord, Lord Clement-Jones, would require regulations to reflect advice provided by a new technical advisory board and a judicial commissioner.
Each of these amendments concerns regulations made under new Section 105D and codes of practice issued under new Section 105E. I appreciate that noble Lords are seeking to ensure that any regulations and codes of practice are appropriate and proportionate before they are made or issued. However, there are several difficulties with what they propose. First, Clause 2 already requires the Secretary of State to make these measures only when he actively considers that they are appropriate and proportionate, under the wording of subsections (2) and (4) of new Section 105D. To ensure that is the case, the Secretary of State would have to consider relevant advice, which could include technical security assessments provided by the National Cyber Security Centre. The noble Baroness, Lady Merron, asked whether the advice would be published. As is usual practice, we would not publish advice given to the Secretary of State on the new framework, but we will consult on the code, and we feel that is the best and appropriate way in which to draw together the views of all relevant parties and their expert advice.
Advice to the Secretary of State could also include relevant representations by public telecoms providers. To reassure the Committee on this point, we have received helpful feedback from telecoms providers on the illustrative draft measures that were published in January. DCMS continues routinely to engage with telecoms providers about this Bill and telecoms security more widely.
Similarly, Clause 3 requires that any codes of practice are finalised only after consultation with affected providers. The process of consultation, when taken together with the fact that codes can only give guidance on legal obligations and not expand their scope, as noble Lords noted, means that any final codes in effect will be appropriate and proportionate. The noble Lord, Lord Fox, asked whether it was enforceable by law. It is guidance, not law, but the code has certain legal effects, as set out in Clause 3. In that context, further advice from a technical or judicial panel would therefore be unnecessary.
We understood the amendment proposed by the noble Baroness, Lady Merron, to refer to the Technical Advisory Board to the Home Office. That board provides advice regarding the reasonableness of obligations imposed on telecoms providers under the Regulation of Investigatory Powers Act 2000 and the Investigatory Powers Act 2016. Each of these amendments risks confusing two separate sets of security arrangements.
Section 227 of the Investigatory Powers Act provides for the Prime Minister to appoint the Investigatory Powers Commissioner and judicial commissioners. The role of the Investigatory Powers Commissioner is to authorise and oversee the use of the investigatory powers, in the public. The Investigatory Powers Act regime is not comparable with the new framework set out by this Bill. Oversight of the Investigatory Powers Act regime by the Investigatory Powers Commissioner is considered appropriate because of the potential intrusion into the private lives of individuals as a result of the use of covert powers.
The powers to make regulations under this Bill are very different to those in the Investigatory Powers Act. They are focused on protecting public telecoms networks and services by improving the security practices of telecoms providers—so those two sets of arrangements should not be confused. Indeed, there are specific provisions in the Bill designed to ensure that it does not adversely affect lawful activity carried out by law enforcement authorities and the intelligence services under the Investigatory Powers Act. The judicial commissioner would therefore be the wrong body to advise the Government on the Bill’s regulation-making and code-issuing powers. For those reasons, the Government are not able to accept these amendments, but I hope that that explains why and reassures the noble Lords sufficiently for them to be content not to press their amendments today.
I call the noble Lord, Lord Clement-Jones—sorry.
I must admit that I am somewhat baffled by the Minister’s response. The argument on the technical advisory board seems to be, “Oh, we’ve got enough technical advice, so we don’t need one”—but, clearly, it seems that there is a need for this. I quoted providers—I can go into the papers that we have received from them—as saying that real issues arise out of the regulations. These are technical and relate to things such as patches and audit and monitoring issues. There is a feeling that the department is just not listening on those issues, and what is needed is someone who is rather more dispassionate and can advise on the technical issues that are arising—perhaps, if it is seen as a conflict, someone like the noble Earl, Lord Erroll, who can genuinely advise on this kind of thing. It seems to me to be extraordinarily dismissive to say, “We’ve got enough advice. We don’t need a board of this kind”.
In the Investigatory Powers Act 2016, there is a very useful technical advisory board—it is not usable for this purpose because its function is rather different under that Act. When the Minister comes to the point about the judicial commissioners, saying, “Oh, no, they are for an entirely different purpose”, I say that, actually, if you read their function, it is four square with the kind of thing that would be useful under this Bill. They are talking about not technical issues but proportionality, appropriateness and so on—very much the kind of thing that they are dealing with under the 2016 Act.
So I am afraid that I do not buy what the Minister has to say, sadly; I just think that it is pushback based on the thinking that, “Well, the Bill’s the Bill and it’s all drafted, so we don’t really want to do very much with it by way of amendment”. That is the time-honoured government response to this kind of suggested amendment, but I believe that, constructively, both these aspects—a judicial commissioner and a technical advisory board—would make a great difference to the functioning of the Bill and would lead to much better regulations and codes of guidance at the end of the day.
I thank the Deputy Chairman and apologise for speaking across him. I am a bit intrigued by the comment of the noble Lord, Lord Parkinson, on the subject of legal enforceability. He is correct to say that, as new Section 105H states, the
“provision of a code of practice does not of itself make the provider liable to legal proceedings”
—but it would not be liable only when the provision was not in force in time or when it was not legal. However, you would not bring a legal case anyway when it was not relevant or in force, so, to all intents and purposes, where the code is in force and relevant, it is legally enforceable. Therefore, it is legally enforceable.
First, if I may, I will take back the point made by the noble Lord, Lord Fox, about new Section 105H under Clause 3; I will write to him to, I hope, alleviate any concerns and confusion. There are certain legal effects set out; I will write to him to clarify the point about legal enforceability.
I am grateful to the noble Lord, Lord Clement-Jones, for his appreciation. Part of the confusion here may be that two technical advisory boards are mentioned in these groups of amendments. As I think he noted, the one set up under RIPA has a different function, but we are certainly not being dismissive of the points that have been raised. Indeed, as I said, we have spoken to the industry and received helpful feedback from telecoms providers on the illustrative draft measures that were published in January. We will also be glad to look at the information that he mentioned—the views that have come his way—to make sure that these are reconciled; if he is happy to share them, we will look at them and come back to him.
I thank all noble Lords for their contributions. In view of the pandemic restrictions on the numbers that might sing in a choir inside, it is dangerous now to say that we are singing from the same hymn sheet—as the noble Baroness, Lady Barran, will recall from her time at the Dispatch Box. I do not know whether we would count as amateur or professional, so perhaps I could venture in that direction, but there is a sense among noble Lords of wanting to strengthen the Bill by ensuring that the Secretary of State has the best technical advice.
I thank the Minister, the noble Lord, Lord Parkinson, for his response. However, I take from it that a technical advisory board is not required. I share the confusion that was referred to earlier by the noble Lord, Lord Clement-Jones. On the one hand, in the previous set of amendments, we were advised that this is so technical that it is not appropriate for a particular aspect of parliamentary scrutiny, yet suddenly, it seems, it is not quite as technical but we need further advice. I am reminded of the words of the then Lord Chancellor, Michael Gove, who we will recall commenting in a debate over Brexit that we have “had enough of experts”; I suspect the Minister will have picked up from the amendments today that we feel we have not had enough of experts. I hope he will reflect on the fact that these amendments seek to assist the Secretary of State, and to assist this Bill to do the job it is here to do to very best effect. With that, I beg leave to withdraw the amendment.
Amendment 8 withdrawn.
Amendment 9 not moved.
Clause 2 agreed.
Clause 3: Codes of practice about security measures etc
10: Clause 3, page 5, line 12, at end insert—
“(d) must ensure that the code of practice is necessary and proportionate to what it intends to achieve and does not place an undue burden on any electronic communications networks or electronic communications services.”
Member’s explanatory statement
This amendment seeks to ensure codes of practice are necessary and proportionate.
My Lords, in its evidence to the Bill in the Commons, BT said:
“we believe greater clarity is needed on OFCOM’s planned approach, with safeguards introduced in the Bill to ensure operator burdens are proportionate.”
Amendment 10 seeks to ensure that codes of practice are necessary and proportionate.
As regards Ofcom’s new powers to ensure compliance with security duties as set out in new Section 105M, how will these relate to Ofcom’s existing powers and duties under Sections 3 and 6 of the Communications Act 2003? Will this duty and the new powers Ofcom is being given still be subject to good regulatory practice so that, for example, it still must have regard to the principles of transparency, accountability, proportionality and consistency and not impose unnecessary burdens? How will this fit in with the statement to be made by Ofcom under new Section 105Y?
Amendments 16, 17 and 21 to Clauses 5, 6 and 19, in my name and that of my noble friend Lord Fox, seek to ensure that the new powers for Ofcom introduced in the Bill are subject to requirements in the 2003 Act regarding carrying out and reviewing its functions. I was pleased that in her letter to noble Lords after Second Reading, the Minister explicitly said:
“When carrying out its security functions, Ofcom will remain bound by its general duties under Section 3 of the Communications Act 2003 as it is now. Section 3(3) provides a duty on Ofcom to have regard to the need for transparency, accountability and proportionality when carrying out its functions. Ofcom will also be bound by its duty under Section 6 of the Communications Act 2003 to review the burden of its regulation on public telecoms providers. If Ofcom fails to carry out its security functions in line with these duties, then it is likely to be subject to legal challenge.”
I very much appreciate those words, which are a very clear interpretation of the existing Act and the duties of Ofcom and the responsibilities it has in the way that it carries them out. Will the Minister repeat that assurance today?
My Lords, I want to say a few words on this because the key words “undue burden” stand out. It is very important that we do not put too many burdens, particularly unnecessary ones, on companies. In particular—and this is something that I have often looked at because I have done a lot of work with innovative and growing companies—you must not let large corporations stifle innovation. There is an attitude among them that regulations are for your enemies; they are a very good way of stopping up-and-coming competition. I have also noticed that departments tend to consult the companies which have significant market presence already and see them as being the people who know all about it. However, that does not take account of what is up and coming. The other thing is that they often have people on secondment from them or people who have retired from the companies and gone into the departments, so there can be some interesting biases within. With those few warnings, I think the whole undue burden issue is more important than people might think.
The undue burden point touched on by the noble Earl, Lord Erroll, is really important. On a previous group I spoke about regulatory friction and the fact that this has not been costed into the impact assessment. Clearly, regulatory friction is harder for smaller companies to deal with than larger companies. I think that is the point that the noble Earl was making. It is one that I would also join up.
We should also not confuse lots of regulations with security. The whole point about people who wish to subvert security is that they understand the regulations and go round them. Indeed, sometimes regulations are a guidebook for security, in a sense, because they show the map around which you seek to find the chinks.
The point in the impact assessment about making the networks value security is right. On that, I completely agree with the Government. I am not sure that some of the measures in the Bill actually do that; what they do is create a regulatory load without necessarily adding value. Some of the measures that we spoke of in the last group of amendments, as well as in this, are about stripping this down to where value is added rather than simply more regulation being loaded up.
One of the great pleasures of speaking after my noble friend Lord Clement-Jones is that he normally says everything better than I would. He simply asked the Minister to repeat what was in the letter and to endorse the 2003 Act. I hope that he is able to grant his wish.
I thank the noble Lords, Lord Fox and Lord Clement-Jones, for these amendments. As before, it is a pleasure to follow their contributions and that of the noble Earl, Lord Erroll.
On the codes of practice and Amendment 10, I understand the importance of not wanting to put undue burdens on businesses. We should make particular reference to the exceptionally difficult and testing times that businesses and the economy have had to suffer over the past year due to the pandemic. Obviously, a balance needs to be considered. We have to ensure that if the codes are going to be used, they are the most effective way of implementing security measures. How will the Government consider the impact of codes on businesses? For example, will there be specific consultation about undue costs in respect of businesses?
The concerns that we have heard in this debate give a further nod to concerns about lack of parliamentary oversight, which is missing from the codes. I again say gently to the Minister that by giving parliamentarians the opportunity to provide scrutiny there might also be the ability to review the impact on businesses.
Amendments 16, 17 and 21 would ensure that Ofcom’s new powers in the Bill were subject to requirements in Sections 3 and 6 of the Communications Act 2003. Section 3 focuses on the general duties of Ofcom, while Section 6 focuses on reviewing regulatory burdens. It would be helpful to hear from the Minister whether the Bill has been deliberately drafted for the new powers to fall out of scope of those sections in the Communications Act and, if so, why.
What review process will be faced in respect of Ofcom’s new powers? It is very important that, when new powers are given, there is an opportunity to review, reflect and amend, and to keep a close eye on whether those new powers are doing the job intended.
I thank the noble Lords, Lord Fox and Lord Clement-Jones, for these amendments, and all noble Lords who have spoken in the debate. The amendments focus on the need for the regulations and code of practice to be proportionate, and to ensure that the duties of Ofcom are carried out in a transparent and similarly proportionate way.
I turn first to Amendment 10, tabled by the noble Lord, Lord Fox. This amendment to Clause 3 seeks to ensure that codes of practice are necessary and proportionate to what they are intended to achieve, and do not place an undue burden on telecoms providers. The Bill already includes provisions in Clauses 1 and 2 to ensure that security duties placed on public telecoms providers in the primary legislation and specific security measures set out in regulations must be considered to be appropriate and proportionate by the Secretary of State. The code of practice will provide the technical guidance on the steps that public telecoms providers should take to meet their security duties. I certainly agree with the noble Baroness, Lady Merron, about the extra—and indeed extraordinary—work that providers have done over recent months to keep us all in contact during the pandemic.
To help ensure that technical guidance in the code of practice is appropriate and proportionate, Clause 3 requires the Secretary of State to publish a draft version of the code of practice before it is issued, and to consult on its contents. This public consultation will take place after the Bill has attained Royal Assent; it will enable the voices of telecoms providers of all sizes—as noble Lords rightly pointed out—the wider sector, Ofcom, and any other affected groups to be heard and taken into account before the code of practice is finalised. Subsequent versions of the code of practice, which will be revised as technology evolves and new threats emerge, will also be subject to the same process of consultation before being issued.
An impact assessment is also being conducted for proposed secondary legislation to be laid as part of the new framework, which will take into account the initial cost assessments from providers to ensure that the framework is balanced and proportionate. The precise make-up and design of each provider’s network remains a commercial decision. The Bill makes it clear that providers are responsible for the security of their own networks and services; providers also remain responsible for deciding how they recover their costs. As such, we expect the costs of ensuring adequate security to be met by individual providers.
I turn to Amendments 16, 17 and 21, tabled by the noble Lord, Lord Clement-Jones. These seek to apply Sections 3 and 6 of the Communications Act 2003 to Ofcom’s duties and powers under Clauses 5, 6 and 19 of this Bill. Section 3 of the Communications Act sets out Ofcom’s general duties; these include a duty on Ofcom to have regard to the need for transparency, accountability and proportionality when carrying out its functions. Section 6 of the Communications Act requires Ofcom to review the burden of its regulation on telecoms providers. These are all principles that we think are essential to the functioning of the new security regime created by this Bill. I am glad to repeat the reassurance given by my noble friend in her letter, which the noble Lord, Lord Clement-Jones, mentioned, that Ofcom is already bound by its general duties in Sections 3 and 6 of the Communications Act when carrying out its security function under new Section 105M, and when using any of its powers in this Bill. This will include Ofcom’s power to carry out an assessment of public telecoms providers’ compliance with their security duties under Clause 6 of this Bill, and powers for Ofcom to give inspection notices under Clause 19. As my noble friend said in her letter, if Ofcom fails to carry out its security functions in line with these duties, it could be subject to legal challenge.
The provisions in the Bill already ensure that the regulations, code of practice and duties of Ofcom are proportionate. Therefore, we do not think that these amendments are necessary, and we hope that noble Lords will be happy not to press them.
My Lords, I thank the Minister for that—he pierced through the gloom of the afternoon, giving an assurance that existing duties of Ofcom will cover the new powers.
I think we have a Pepper v Hart situation that works for the other aspects on the code of practice. It is not just the regulations and the duties and powers of Ofcom that are subject to it; the way in which the code of practice will be drawn up is covered also by the duties under Sections 3 and 6 of the existing Act. I very much hope so, and I need to take away and read what the Minister had to say.
The other aspect which was useful—it was an assurance given to the Regulatory Policy Committee—was the fact that the Minister mentioned the impact assessments for secondary legislation. I assume again that that will not just include the regulations but an impact assessment for any code of practice that is drawn up. Again, I will need to read quite carefully what the Minister said about that, in order to get the right assurance. But generally, he gets a big tick on this occasion. I beg leave to withdraw the amendment.
Amendment 10 withdrawn.
Amendments 11 and 12 not moved.
Clause 3 agreed.
Clause 4: Informing others of security compromises
13: Clause 4, page 7, line 26, at end insert “within 30 days”
My Lords, Amendment 13 seeks to speak up for consumers and to probe possibilities as to how we may act in their interests. After all, they are the ones who are, on an individual basis, and often in very large numbers, at the receiving end of security threats.
Amendment 13 would amend Clause 4, which places a duty on providers to take steps to inform users about security compromises or where there is a significant risk of a security compromise occurring which may adversely affect the user as a result. As we see in the clause, the provider must inform the user about the existence of the risk, the nature of the security compromise, what steps could be reasonably taken by users in response, and of course the name and contact details of a person who may provide further information. All those are welcome, and such a duty being placed on providers to report security incidents is right and proper. After all, for many years, we have heard calls from all sides to place a clearer and more comprehensive duty on providers to share information with users, who should not be kept in the dark. When they are affected by a breach, there are not just practical considerations; as we all know, such security breaches are extremely distressing and worrying, as well as compromising for those affected. It is right for them to have some sort of redress.
Let us reflect on the high-profile incidents where users have not been told of security incidents. For example, TalkTalk failed to inform 4,500 customers that their personal information, including bank account details, was stolen as part of the 2015 data breach. That was revealed only in 2019, when details were found online. I am sure that, like me, the Minister will completely understand how distressing this must have been for those people, who were not only affected but were given no opportunity by the company to do anything about it.
Clearly, we know that such behaviour by telecoms companies is unacceptable. However—and this is what the amendment seeks to assist with—Clause 4 does not give a timeframe for providers to inform consumers. This probing amendment suggests a 30-day window to do so. I understand that we have to be aware that this cannot lead to further security compromises that could result from informing the public, so that point has to be taken into account.
How quickly does the Minister think providers should inform the public of a security breach? I ask that because under Clause 4, which is very open, it could be months before users find out that their personal data has been stolen. How much worse for people to find out in that way and in that sort of timeframe?
The amendments we are debating today and the Bill we are considering are all about the protection of national security. In all that, let us remember consumers too, whose interests are key to these debates. The public have to know that their data is safe and when to take necessary steps if their privacy has been threatened in some way.
On Amendments 14 and 15, I should be interested to hear from the Minister whether an Ofcom backstop to halt providers speaking to users on security grounds already exists. Does Ofcom have the expertise already to make such a judgment, or would new experts—I use that word carefully but definitely—and new expertise be needed? I look forward not only to the Minister’s reply but to the comments of noble Lords participating in this debate.
My Lords, I shall speak to Amendments 14 and 15. I wanted to say on the last group of amendments that I entirely agree with the noble Earl, Lord Erroll, about regulation. It is entirely possible for regulation to provide certainty, to stimulate innovation and, in the context of this Bill, to ensure that we have the right framework for our providers to ensure that our security is not compromised. So there is certainly no negativity in that respect towards regulation; the question is whether it is appropriate in the circumstances and not unduly burdensome for those subject to it. That is why the question of parliamentary oversight, which has been mentioned throughout this afternoon, continues to be important, and I think that it will come up again in the next group.
This amendment is on rather a different area. I have quite a lot of sympathy with Amendment 13 in the name of the noble Baroness, Lady Merron, but this is more nuanced than the Bill provides for. I want to quote again from the evidence of BT to the Bill Committee in the Commons. It said:
“We agree with the requirements on operators to support the users of their networks in preventing or mitigating the impact of a potential security compromise … In certain cases”—
and this is a sort of “however”—
“the security of the network may be put at greater risk if potential risks are communicated to stakeholders, providing malicious actors with additional information on potential vulnerabilities in the network that they may seek to exploit. We therefore believe that the Bill should explicitly consider such scenarios and not place obligations on communications providers to inform users of risks whereby doing so it will increase the likelihood of that risk crystallising.”
That is where our first amendment is going. BT further stated that
“the Bill also confers powers on OFCOM to inform others of a security compromise or risk of a compromise, such as the Secretary of State or network users. We understand the intention of the Bill in this regard and support the principle. We believe that this would be most effective when done in conjunction with the operator in question to ensure there is clarity and agreement, where possible, on the timing, audience and messaging of such information provision. This would also ensure that this does not cut across any other obligations that an operator may have, such as market disclosures. The Bill currently does not require OFCOM to consult with the operator prior to informing third parties of a security compromise (or risk of one).”
I think these are fair points. The Government must have an answer before Ofcom is faced with that set of issues. In this light, Amendments 13 and 15 make further provision about the duty to inform users of a risk of security compromise and specify that duties to inform others of “significant risks” of security compromises must be proportionate and not in themselves increase security risks.
My Lords, I put my name down to speak to this because the problem with putting a fixed time period on having to report security breaches is that it very much depends on what the breach is. We mentioned patches earlier. If it is a vulnerability in the software—or it may be the hardware—which requires a patch to be released, you must have the time to produce it and test it as fully as possible. You do not want the hackers out there to know what the vulnerability is until you can roll out the answer to it. That is what zero-day attacks are based on. Equally—the noble Baroness is absolutely correct here—you do not want this stuff swept under a carpet to sit there unused for years. Could our technical advisory board give advice at an incident level, or something like that?
My Lords, this is an interesting and nuanced—to coin a word we used earlier—debate. I am probably the only person here who has had to deal with a national security issue that impacted a consumer brand in real time on television. I must say that 30 days was not an option—30 minutes was not an option. Picking up on the point of the noble Earl, Lord Erroll, the time is entirely dependent on the nature of the crisis or security breach. My fear is that 30 days becomes a target rather than an injunction.
I think the point here is “no burial”. I assure colleagues and others in this Room that our amendments do not intend to bury the issue either, but to introduce some equivocation in the event that not announcing something makes things more secure than announcing them. The point of this is not to protect the reputation or otherwise of the network, but to protect consumers and the integrity and security of the network. That is the decision Ofcom would need to make. That would be its call. Its default position would be that it needs to be communicated to consumers as quickly as is sensible, unless there is a reason not to communicate it, and it would be up to the network providers to put their position forward. However, there are definitely times when it should not be communicated. At the moment the Bill seems rather unequivocal in its approach.
I call the noble Baroness, Lady Barran.
Sorry, I have not quite finished.
I would call Amendment 15 a “good manners” amendment. If Ofcom possesses information that the network provider does not, it simply calls for that network to be brought into the loop before the rest of us are. That seems good manners to me—you do not necessarily have to legislate for that, but these days it always helps. I have now finished.
My Lords, I thank the noble Baroness, Lady Merron, and the noble Lords, Lord Clement-Jones and Lord Fox, for tabling these amendments to Clause 4 and for their considered remarks. As we have heard, these amendments speak to reporting requirements placed on industry in the event of a significant risk of a security compromise and the powers bestowed on Ofcom in the event of a compromise or the risk thereof.
Amendments 13 and 14 amend new Section 105J. As the noble Baroness, Lady Merron, summarised, new Section 105J is designed to give users of telecoms networks and services relevant information when there is a significant risk of a security compromise, including the steps that they should take to prevent such a compromise adversely affecting them. Giving users this information will help ensure that, where possible, they can take swift action to protect themselves. It will also contribute to greater awareness of security issues, supporting users to make more informed choices about their telecoms provider.
Amendment 15 amends new Section 105L. This new section enables Ofcom to share information with certain groups, including the Government and users of the network. Under it, Ofcom is required to share information about serious security compromises with the Government. It may also share information on less serious compromises if, for example, it would help the Government with developing telecoms policy and any future regulations. This information will inform policy thinking on telecoms security, including the development of any future regulations or codes of practice under this Bill.
I will take the substance of each amendment in turn, and the Government’s position on them. Amendment 13, tabled by the noble Baroness, Lady Merron, amends new Section 105J. New Section 105J requires that public telecoms providers take “reasonable and proportionate” steps to inform users of their networks or service where there is a significant risk of a security compromise that could adversely affect them. The noble Baroness is absolutely right to point out the distress caused to consumers by a security breach. More specifically, a provider must inform those users, in clear and plain language, about the existence of the risk, the nature of the security compromise, the steps that the user could reasonably take in response, and contact details of a person who may be able to provide further details.
As currently drafted, new Section 105J does not specify a time period in which this relevant information must be imparted, but rather leaves this to the discretion of telecoms providers by requiring that they take “reasonable and proportionate” steps to inform users who may be adversely affected. This amendment would change that, requiring telecoms providers to bring such information to the attention of the users who may be adversely affected within a period of 30 days. The noble Baroness asked how long we think the right period is. Our answer lies in that phrase, “reasonable and proportionate”. These steps would need to be undertaken in a timely manner and carried out within sufficient time to allow the user to take measures to protect themselves from the effects of the potential compromise.
We heard from other noble Lords about the potential drawbacks of a very fixed time period. Indeed, the Government believe that in some cases it will be proportionate for a user to be informed in less than 30 days, but this would depend on the specific facts of the case. The rigid time limit of 30 days created by the amendment could also operate inappropriately to give telecoms providers too much leeway to notify users later in urgent cases, something that I am sure the noble Baroness would not wish to see. As currently drafted, the Bill’s requirement to take reasonable and proportionate steps allows the circumstances of each case to be taken into account and we would not wish to remove this flexibility from the Bill.
Therefore, we believe that telecoms providers are, in the first instance, in the best position to determine what timescales are “reasonable and proportionate”, depending on the particular circumstances of the potential security compromise. However, to reassure the noble Baroness, who expressed her reservations about whether that might happen in practice, should a provider not in fact take action in a timely manner, it could be subject to enforcement action. For the reasons that I have set out, I am not able to accept this amendment. I hope that, at the end of this debate, the noble Baroness will feel able to withdraw her Amendment 13.
I now turn to the amendments tabled by the noble Lords, Lord Clement-Jones and Lord Fox, starting with Amendment 14. As I mentioned, this would also insert new wording into new Section 105J in Clause 4 of the Bill, creating exemptions, under two sets of circumstances, from the requirements in new Section 105J for public telecoms providers to inform users of a significant risk of a security compromise that may adversely affect them. I shall refer to each of these exemptions in turn.
The first exemption is when the provider reasonably considers, and Ofcom agrees, that providing this information to users would increase the likelihood of that specific or another security compromise occurring. The intention that telecoms providers should not release information if it could cause a security breach is laudable. However, this amendment is unnecessary because, in practice, public telecoms providers can provide this information to their users in a way that does not endanger their networks.
The National Cyber Security Centre publishes information on risks as well as advice for network users on how to protect themselves without creating security compromises. For example, in August 2017, the NCSC published information about an ongoing security compromise to routers in multiple networks that was, in some cases, allowing hostile attackers to gain control of the routers and extract traffic passing through them. It also published detailed mitigation advice to help users protect themselves. This is an example of how it is possible to release information about a security compromise in a way that does not endanger network security. In fact, in this instance, transparency actually helped protect users and gain control of the incident.
The second exemption inserted by the amendment would mean that telecoms providers that have taken “reasonable and proportionate steps” to mitigate the risk of a security compromise would not be required to inform users where there is a significant risk of a security compromise occurring that may adversely affect them. In practice, this would be a sweeping exemption that would significantly reduce the effectiveness of this clause. Telecoms providers will be required by new Section 105A(1)(a) to take steps to reduce the risk of security compromises. They should be attempting to mitigate every risk of a security compromise. Even when mitigating steps have been taken, these will not always remove the risk entirely. The Government intend that, where there is a significant risk that could adversely affect users, they should be informed.
As drafted, this amendment would leave it up to telecoms providers to determine whether the risk had been mitigated. The term “mitigated” has not been defined, and its meaning cannot be inferred from use of the term elsewhere in the Bill. Therefore, in effect, telecoms providers would be self-policing. We do not believe that it should be left solely to the discretion of providers whether they inform users of significant risks that could adversely affect them. That is why we have created the requirements set out in new Section 105J.
Finally, I turn to Amendment 15, which would require Ofcom, before it informs others of a risk of a security compromise or an actual compromise occurring under new Section 105L, to consult with the affected provider on the content and timing of the information provided. This amendment is caveated to apply only where it is reasonably practicable for Ofcom to do so.
I appreciate that public telecoms providers may have some concerns that Ofcom could inadvertently release information that is commercially sensitive or puts their network at risk. However, it is worth noting that the power for Ofcom to share information is not entirely new. For example, since 2011, Ofcom has been able to share information with the public under the existing Section 105B(4) of the Communications Act 2003, should it consider it in the public interest. Ofcom is not required to consult before doing so.
In considering this amendment, we should also look at the purpose of new Section 105L. Ofcom will be required to share information about security compromises with the Government should they be sufficiently serious, and can elect to share information about other compromises or risks of compromises with the Government. New Section 105L will also allow Ofcom to share information about security compromises with other organisations such as overseas regulators and other telecoms providers. This amendment would result in the sharing of information by Ofcom under new Section 105L being delayed, even if this was just routine information sharing with the Government about risk in the industry.
Furthermore, new Section 105L will enable Ofcom to inform users of networks of measures that may be taken to prevent a security compromise adversely affecting them or mitigate the adverse effects that it has on them. Ofcom needs to be able to share that information with users in an effective and timely manner, so that they can take any steps to protect themselves from the effects of a security compromise. The amendment could delay the sharing of this important information.
Adding a need to consult the provider would also create extra burdens on Ofcom and telecoms providers in what should be a routine process. To put this in context, under the current regime, 532 significant security incidents were reported to Ofcom in 2020, which is to say nothing about the number of times that risks of security compromises occurred. The amendment introduces a requirement to consult before disclosing information on both actual compromises and risks of compromises. Although Ofcom would not inform others of such incidents, a requirement to consult could still be a significant burden on both Ofcom and industry.
For the reasons I have set out, I am not able to accept either of the noble Lords’ amendments, and I hope that the noble Baroness will withdraw her amendment.
I have received a request to speak after the Minister from the noble Lord, Lord Clement-Jones.
My Lord, until the Minister replied, “nuance” was the word being used in the context of information being provided and required and so on. I am afraid that nuance was completely lost in that response. The response to Amendment 14 was that the NCSC, the Government, the Secretary of State and Ofcom know best and that is it. They have to release the information. They do not believe there are any circumstances where it should not be released. It is all there in the NCSC guidance and well, too bad—tough. That seemed to be just about the Government’s position. That is pretty extraordinary considering that the relationship with the providers is extremely important, particularly in these circumstances where there have been breaches. We have heard from noble Lords during the debate that the timing of giving the information is important but the very fact of giving the information may also be important. I am afraid that is part 1 of a rather depressing response.
Part 2 was almost worse because the amendment being put forward is the mildest possible one. Ofcom must consult the provider in question
“where reasonably practicable to do so.”
As for the idea that this is going to lead to horrendous delay, the Minister really had to scrape away to find a suitably negative response to that amendment. I am afraid that her response in both respects does not engage with the real issues and I think it is grossly unsatisfactory in the circumstances.
My Lords, I am sorry, as ever, to disappoint the noble Lord, Lord Clement-Jones. With regard to his first point, of course the relationship with providers is important, which is why we have worked so closely with industry throughout the preparation of the Bill. However, as the noble Baroness, Lady Merron, said so eloquently, the relationship with users is also very important; it is that balance that we are seeking to strike. I am sorry if the noble Lord found my remarks grudging or negative; there was a lot of thought behind them.
My Lords, this has been a healthy debate. I thank all noble Lords who have contributed on the various amendments. I certainly noted from her response to Amendment 13 in my name that the Minister shares my understanding of the issues for consumers. The debate has shone a light on the fact that it is not possible to simply put one set of interests above another. I felt in the course of the debate that it has been understood that, while fixed time periods may create an unintended consequence, as the noble Earl, Lord Erroll, said, they do ensure that things are not swept under the carpet. That is really where the amendment was seeking to probe.
I appreciate the point made that, while timescale is at the discretion of telecoms providers, there are certain requirements on them. I still have a sense of nervousness; I hope that, as we proceed with this legislation, the telecoms providers will understand the importance of acknowledging and responding to the very real concerns, interests and threats to consumers when they consider what the words “reasonable and proportionate”, as well as the words “timely manner”, mean. With that, I beg leave to withdraw my amendment.
Amendment 13 withdrawn.
Amendments 14 and 15 not moved.
Clause 4 agreed.
Clause 5: General duty of OFCOM to ensure compliance with security duties
Amendment 16 not moved.
Clause 5 agreed.
Clause 6: Powers of OFCOM to assess compliance with security duties
Amendment 17 not moved.
Clause 6 agreed.
Clauses 7 to 12 agreed.
We now come to the Question that Clause 13 stand part of the Bill. As many as are of that opinion will say, “Content”—
We need to debate it.
I apologise to the noble Lord, Lord Clement-Jones.
Clause 13: Appeals against security decisions of OFCOM
Debate on whether Clause 13 should stand part of the Bill.
My Lords, we know how it is when you are on a roll. This reminds me that it is very unusual for somebody to have the opportunity to get in before the noble Lord, Lord Fox, draws breath, as the Chair did. “Very impressive footwork,” I thought to myself.
There has been a common theme this afternoon of a lack of oversight over aspects of this Bill in many respects—in particular, the regulations and codes. This lack of oversight is compounded by the fact that, under Clause 13, any appeal to the Competition Appeal Tribunal cannot take account of the merits of a case against the Secretary of State. The rationale for this, as the Constitution Committee says,
“is unclear and is not justified in the Explanatory Notes.”
I will quote the Explanatory Notes in full. Clause 13 provides that, in appeals against relevant “security-related” Ofcom decisions, the Competition Appeal Tribunal is to apply ordinary “judicial review principles”, notwithstanding any retained case law or retained general principle of “EU law”—by that they of course mean retained EU law. This means that the tribunal should not “adopt a modified approach” to proceedings, as required under retained EU law, which provides that the “merits of the case” must be “duly taken in account”.
Therefore, this provision disapplies aspects of the ongoing effect and supremacy of retained EU law, as permitted by Section 7 of the European Union (Withdrawal) Act 2018. The rationale for reducing the powers of the tribunal in respect of security matters is unclear and not justified in the Explanatory Notes. The House may wish to ask the Government to justify reducing the powers of the Competition Appeal Tribunal in respect of appeals under Clause 13. That is the motive behind this clause stand part debate.
The most authoritative judgment to date about the current standard of review is the Competition Appeal Tribunal’s TalkTalk Telecom Group plc and Vodafone Ltd v Office of Communications case. This addresses, inter alia, the standard of review on an appeal to the Competition Appeal Tribunal under Section 192 of the Communications Act. The judgment of Peter Freeman QC provides a good analysis of the context and history of the changes to the standard of review. I make no apology for quoting it at some length:
“Of particular relevance to how the Tribunal should approach this appeal are Article 4(1) of the Framework Directive and section 194A of the 2003 Act, as amended by the DEA17 … Article 4(1) provides: ‘Member States shall ensure that effective mechanisms exist at national level under which any user or undertaking providing electronic communications networks and/or services who is affected by a decision of a national regulatory authority has the right of appeal against the decision to an appeal body that is independent of the parties involved. This body, which may be a court, shall have the appropriate expertise available to it to enable it to carry out its functions. Member States”—
this is the key bit—
“shall ensure that the merits of the case are duly taken into account and that there is an effective appeal mechanism…’ … Section 194A provides: ‘The Tribunal must decide the appeal, by reference to the grounds of appeal set out in the notice of appeal, by applying the same principles as would be applied by a court on an application for judicial review.’ … The combined effect of these provisions is to require the Tribunal to apply the same principles as would apply in a judicial review case but also to ensure that the merits of the case are duly taken into account so that there is an effective appeal.”
At paragraph 139, the judgment concludes:
“Given that Article 4(1) continues to apply, it would appear that, in accordance with the Court of Appeal’s view in BT v Ofcom and the High Court’s view in Hutchison 3G, as set out helpfully by the Tribunal in the recent Virgin Media judgment, we should continue, as before, to scrutinise the Decision for procedural unfairness, illegality and unreasonableness but, in addition, we should form our own assessment of whether the Decision was ‘wrong’ after considering the merits of the case.”
“Article 4(1)” refers to the now-repealed framework directive. It should now be read as referring to Article 31(1) of the European Electronic Communications Code—the EECC. The transposition deadline of the EECC was just before the end of the transition period and is therefore currently binding as part of retained EU law. The wording of the EECC is almost exactly the same as the framework directive in respect of appeals.
That is what will continue to apply across the remainder of the Communications Act for other appeals under Section 192 but is being changed by Clause 13 of the Bill, which amends Section 194A of the Communications Act in respect of security provisions. This is a very significant change to the appeals procedure in security cases. There is a single bald paragraph in the Explanatory Notes, no justification is given—as the Constitution Committee says—and neither is there any evidence of why it is necessary. What evidence does the Minister in fact have of the need to make this major change in respect of security decisions made by Ofcom? I beg to move.
My Lords, I saw this and thought that I really did not understand why the Government were doing it. I saw what the Constitution Committee had said and realised that it did not understand why it was needed. I cannot believe that you can have a proper appeal if you ignore the merits of the case. I probably have an overdeveloped sense of justice and I think that to have an appeal where you are not allowed to present half the case or whatever is not a proper appeal. In fact, what you find is that the system can use procedural things to run rings around people who have a very justifiable complaint about something. I did not like the look of it and I entirely agree with everything that the noble Lord, Lord Clement-Jones, said.
My Lords, I am not going to attempt to outlawyer my noble friend Lord Clement-Jones. I may not be a lawyer, but I am suspicious or, indeed, perhaps ultra-suspicious. What is the department seeking to avoid by removing what would seem to be natural justice from this process? What are the Government seeking to protect themselves from in advance? Who are they frightened of?
I do not think I know the answers to these questions, but I know that there is someone or something there that the department is seeking to avoid in advance. For those reasons, we should be extraordinarily suspicious, just as suspicious as I am. I ask the Minister: what is the justification? What are the Government scared of?
My Lords, I have been very interested to hear the arguments put forward by the noble Lords, Lord Clement-Jones and Lord Fox, and the noble Earl, Lord Erroll. As we heard from the noble Lord, Lord Clement-Jones, in his opening remarks, concern about oversight is driving this section of the debate. As we know, Clause 13 ensures that when deciding an appeal against certain security-related decisions made by Ofcom, the tribunal is to apply judicial review principles without taking any special account of the merits of the case.
I understand that this does not apply to appeals against Ofcom’s enforcement decisions and that the Government have said that this ensures that it is clear that the tribunal is able to adapt its approach as necessary to ensure compatibility with Article 6, the right to a fair trial. My questions to the Minister are about the legal advice that the Government have received on this clause. What legal advice has been received? Is this external legal advice as well as internal legal advice?
The clause states that
“the Tribunal is to apply those principles without taking any special account of the merits of the case.”
Can the Minister explain what “special account” is expected to mean?
I thank the noble Lords, Lord Clement-Jones and Lord Fox, for tabling this amendment to Clause 13. I am aware that the noble Lord, Lord Clement-Jones, has spoken extensively on the standards of appeal in this House. As the noble Lord remarked, this matter was also raised in the Constitution Committee’s recent report, where it asked for further clarification about the reasoning for the changes made by this clause. I will attempt to address this point today and answer the questions from the noble Lord, Lord Fox, about what we are worried about.
Clause 13 contains provisions regarding the standard of review applied by the Competition Appeal Tribunal on appeals against certain Ofcom security-related decisions. Subject to a few exceptions, Ofcom’s regulatory decisions relating to telecommunications under Chapter 1 of Part 2 of the Communications Act are subject to a right of appeal to the tribunal. This will also be the case for most of Ofcom’s decisions relating to the exercise of its regulatory powers conferred by the Bill. The tribunal determines those appeals by applying judicial review principles, as required by Section 194A of the Communications Act. However, this standard of review has been modified in so far as required to meet the requirement in EU law that the “merits of the case” be duly taken into account.
Clause 13 makes provision to ensure that the tribunal is not required to modify its approach in appeals against relevant security decisions, and should instead apply ordinary judicial review principles. The noble Earl, Lord Erroll, asked about the criteria. Under such principles, those decisions can be successfully challenged only when they are unlawful, irrational or procedurally unfair. Judicial review principles are also the normal standard by which most decisions of government and public bodies are reviewed.
To be clear, the clause does not prevent public telecoms providers from appealing Ofcom’s decisions, or the Competition Appeal Tribunal from reviewing those decisions. It merely changes the standard to which they will be reviewed. Having these cases reviewed on ordinary judicial review principles, rather than taking account of the merits of the case, aims to ensure a smooth regulatory process that focuses on fair decision-making. To go back to the question asked by the noble Lord, Lord Fox, this should reduce any incentives for providers to litigate solely for the purpose of delaying the regulatory process.
It is particularly important, given that these decisions relate to the security of a provider’s network, that decisions can be addressed swiftly, and providers can get back to the important work of ensuring that their networks are secure. The Competition Appeals Tribunal already applies judicial review principles in appeals against certain security decisions under the network and information systems regulations.
As the noble Baroness, Lady Merron, mentioned, the scope of Clause 13 is limited; it does not change the standard of review for enforcement decisions under Sections 105S and 105T. Clause 13 applies to appeals only against relevant security decisions—that is, decisions under Sections 105I, 105L to 105O, and 105U to 105W. The Government consider this approach to be appropriate to ensure that Ofcom’s regulatory decisions can only be successfully challenged when they are, broadly speaking, unlawful, irrational or procedurally unfair. By reducing providers’ incentives to litigate to delay regulatory action, the provisions in the clause contribute to Ofcom’s effectiveness as a regulator.
The noble Baroness, Lady Merron, asked me to comment on what legal advice we had received. She will understand that I cannot comment on the specific advice, but I can confirm that we took external advice in this case.
For the reasons I have set out, I hope that the noble Lord will withdraw his objection, so that Clause 13 can stand part of the Bill.
My Lords, I have heard some ministerial pushbacks but, I must say, that circularity more or less takes the biscuit: “The Government believe that we need to change the standard and therefore we have changed it.” There is very little that one can get one’s teeth into in terms of the argument. It is simply that the Government believe that JR in its unlawfully rational or unfair incarnation should apply in this set of circumstances—and that is it, whereas, for the rest of the 2003 Act, the merits version of JR continues unabated.
The Minister made a few points. I thought “merely” was rather extraordinary; it is a very important change to the way the tribunal will operate in those circumstances. Providers will not appeal against these decisions unless they are of major importance. The process of going to the Competition Appeal Tribunal is not lightly undertaken. She used the words “a smooth regulatory process”. Of course Governments always love smooth regulatory processes, but how big is the steamroller employed in these circumstances? There was also the use of “appropriate”—a splendid weasel word.
This is the end of a very entertaining afternoon so I cannot really comment heavily on the Minister’s reply. However, she really could have done better. The noble Earl, Lord Erroll, and I asked for evidence of why in these circumstances—we have all just asked why—but nothing was forthcoming: no evidence, precedent or, “We did it that way and it didn’t work”. We have just decided within the bowels of Whitehall to do this—splendid, but the Government need to do better than that, even with their current majority. However, this is the end of a splendid set of debates this afternoon and I hope for better on another occasion.
Clause 13 agreed.
My Lords, that concludes the work of the Committee this afternoon. I remind Members to sanitise their desks and chairs before leaving the Room.
Committee adjourned at 6.52 pm.