19.This 29-clause Bill was passed by the House of Commons on 25 May. It was introduced in the House of Lords on 26 May and has its Second Reading on 29 June.
20.The purpose of the Bill, according to the Explanatory Notes, is “to introduce a new security framework for the UK telecommunications sector to ensure that public telecommunications providers operate secure and resilient networks and services and manage their supply chains appropriately”. The Bill amends the Communications Act 2003, which provides the current regulatory framework for telecommunications security.
21.The Bill contains eleven delegated powers. The Department for Digital, Culture, Media and Sport has provided a Delegated Powers Memorandum (“the Memorandum”).
22.We draw one power to the attention of the House.
23.Clause 3 gives the Secretary of State the power to issue, revise and withdraw codes of practice. The purpose of the codes is to give guidance on the measures to be taken by providers of public electronic communications networks and public electronic communications services (referred to below as “providers”) in the performance of their duties under the Bill to protect those networks and services against security compromises. The duties in question are—
24.Before issuing or revising a code of practice, the Secretary of State must—
25.A code of practice must be published and laid before Parliament but is subject to no Parliamentary scrutiny procedure.
26.The Department gives the following reasons for the absence of Parliamentary scrutiny—
The Department adds that the requirement for consultation on any code “will contribute to ensuring codes are drafted to a high standard and therefore are appropriate to have the statutory effects [that are provided for in the Bill]”.
27.In our view, the Department’s reasons are unconvincing—
28.Although a failure by a provider to act in accordance with a code of practice “does not of itself make the provider liable to legal proceedings before a court or tribunal”, the Bill provides for codes of practice to have two important effects.
29.First, OFCOM must take into account a provision of a code of practice if it is relevant to the determination of any question arising in connection with the carrying out of its functions under the Bill of (a) ensuring that providers comply with their duties under the Bill, (b) assessing whether providers have complied with those duties, and (c) enforcing those duties. Indeed, where OFCOM suspects a provider of failing to act in accordance with a code, it can require the provider to give a statement that either confirms or denies the failure, with a supporting explanation. The Memorandum explains that, “where Ofcom has concerns that a provider is not complying with its duties under [the Bill] … , Ofcom’s exercise of [this] power… might be used in determining whether to open an investigation”.
30.We consider that the codes are liable to be highly influential when OFCOM determines whether there has been a failure by a provider to comply with its duties and, where there has been such a failure, when it considers enforcement action (with the options available including the imposition of significant financial penalties and the suspension or restriction of the entitlement to provide an electronic communications network or service).
31.It is also a measure of the significance of the codes of practice that OFCOM must report annually to the Secretary of State about the extent to which providers have acted in accordance with them.
32.The second important effect of codes of practice is that a court or tribunal must take into account a provision of a code of practice if it is relevant to the determination of any question arising in legal proceedings before it. This includes legal proceedings brought under the Bill by a person who sustains loss or damage as a result of a breach by a provider of its duties under the Bill.
33.Where legislation requires that regard must be had to statutory guidance, in practice this means that those to whom the guidance applies will normally be expected to follow it unless there are cogent reasons for not doing so. We have often recommended that guidance of this kind which is designed to have a transformative effect on behaviour should be subject to a Parliamentary procedure.
34.The Bill provides for codes of practice to play a significant role – both in relation to the exercise of OFCOM’s regulatory functions and in legal proceedings – in supplementing the important duties to take security measures that the Bill imposes on providers. This is acknowledged in the Memorandum, which refers to the importance of codes of practice setting out “clear expectations” as to “the measures that providers should take” to comply with their duties under the Bill.
35.In our recent report on the Education (Guidance about Costs of School Uniforms) Bill, we were unconvinced by the Government’s reasons for statutory guidance to state-funded schools in England about the “costs aspects of school uniform policies” being subject to no Parliamentary procedure. The Government argued then that the guidance was “not equivalent to a Code of Practice” and was instead “a very limited document covering one aspect of school uniform which will sit alongside and complement the non-statutory guidance”. Yet the Government now argue in relation to this Bill that codes of practice that will be far from “limited”, that will supplement important duties in primary legislation and that will have the significant statutory effects described above also merit no Parliamentary scrutiny.
36.In our view, it is unacceptable for codes of practice that will have the significant statutory effects provided for in this Bill to be subject to no Parliamentary scrutiny procedure. We consider that the negative procedure would afford an appropriate level of scrutiny.
2 See para 1 of the Explanatory Notes to the Bill.
3 Department for Digital, Culture, Media and Sport, , 26 May 2021.
4 Annex A of the Explanatory Notes to the Bill explains what public electronic communications networks and services are. “Electronic communications network” is defined in section 32 of the Communications Act 2003. It means a “transmission system” and associated apparatus, software, data and other resources for the conveyance of signals (for example, a satellite or cable TV network or a mobile phone network). “Electronic communications service” is also defined in section 32. It means a service for conveying signals by means of an electronic communications network (for example, a mobile phone contract or an internet connection).
5 This duty is imposed by new section 105A of the Communications Act 2003, inserted by clause 1 of the Bill.
6 See new section 105B of the Communications Act 2003, inserted by clause 1 of the Bill.
7 This duty is imposed by new section 105C of the Communications Act 2003, inserted by clause 2 of the Bill.
8 See new section 105D of the Communications Act 2003, inserted by clause 2 of the Bill.
9 OFCOM is the independent regulator for communications services in the UK.
10 See new section 105F, inserted by clause 3 of the Bill.
11 See paras 35–40 of the Memorandum.
12 See para 39 of the Memorandum.
13 See new section 105H(1), inserted by clause 3 of the Bill.
14 See new section 105H(3) and (4), inserted by clause 3 of the Bill.
15 See new section 105I, inserted by clause 3 of the Bill. Failure to provide a statement may result in a significant financial penalty - see new section 105T(2) and (3), inserted by clause 7 of the Bill.
16 See para 34 of the Memorandum.
17 See new section 105Z(4)(b), inserted by clause 11 of the Bill.
18 See new section 105H(2), inserted by clause 3 of the Bill.
20 For example, the Committee’s , Session 2015–16, para 13; , Session 2015–16, paras 10-11; , Session 2015–16, para 27; , Session 2015–16, para 19; , Session 2016–17, para 38.
21 See para 38 of the Memorandum.
22 See the Committee’s , Session 2019–21, para 7.
23 See para 17 of the Delegated Powers Memorandum for that Bill.