In 2015, the European Commission published a study (written by IDC) which provides an overview of Europe’s IoT digital ecosystem, its current status and anticipates a suggested vision of the same ecosystem in 2020. That study found:

“The IoT (Internet of Things) is a pervasive innovative technology building on the universal connectivity of things and people, now moving in Europe from the pioneer phase to widespread adoption. In combination with cloud computing and Big Data the IoT is opening the new age of the hyper-connected society and acting as a powerful driver of business innovation, but also facing equally strong barriers in terms of security risks, concerns about privacy protection, and resistance to organizational change.”

According to the model developed by IDC for the EU study in 2015, the number of IoT connections within the EU28 will increase from approximately 1.8 billion in 2013 (the base year) to almost 6 billion in 2020, and IoT revenues in the EU28 will increase from more than €307 billion in 2013 to more than €1,181 billion in 2020, including hardware, software and services. Since 2015, the European Commission has undertaken a range of activities to both regulate and stimulate the IoT sector in Europe. Of course, IoT is a global phenomenon, and with so many IT, big data and cloud service providers located in the US, no discussion of IoT can ignore the US position.

If you want to find out more about how IoT issues are being addressed in both Europe and the US, please join us on Tuesday, April 18, 2017 from 5-6pm, London / 6-7pm Brussels time for a webinar that will address:

  • Overview of EU security rules
  • Securing the IoT
  • Product liability and other potential claims in the US
  • Health care reimbursement and fraud issues in the US
  • Cyber liability insurance

Click here to register.


On 30 March 2017, Ofcom, the UK’s communications regulator, published its annual plan for financial year 2017/18. It also published its budget and work programme for the year. The changes identified by Ofcom in relation to its responsibilities, markets and technology and the legislative framework under which it operates provide a great snapshot of current industry trends and issues.

Taking these in turn:

Changes to Ofcom’s responsibilities: regulating the BBC

As discussed in an earlier post, under the new BBC Charter, from 3 April 2017 Ofcom will assume responsibility for investigating the full range of content standards complaints against the BBC (including accuracy and impartiality complaints), assessing the BBC’s performance against its mission and public purposes, and regulating the impact of the BBC’s activities on fair and effective competition. Ofcom’s annual plan sets out how it will undertake these tasks.

Changes to markets and technologies

To inform its activities, Ofcom undertakes material market research as well as collecting information directly from regulated companies. This gives Ofcom a unique perspective on the UK’s communications market. The changes highlighted by Ofcom in its annual plan are (the following bullet points are cut and pasted directly from section 2 of Ofcom’s plan):

  • “Connectivity is increasingly central to UK consumers and businesses. The internet is playing an increasingly central role in the lives of people in the UK. In August 2016, 86% of UK adults had access to the internet at home, the average UK internet user reported spending 25 hours online each week, and 75% considered the internet “important” to their daily lives. People use the internet for a variety of activities, including person-to-person communication, social networking, news consumption and watching TV. The internet has also transformed the way in which audiences access news, and is gradually changing TV consumption. For example, in 2016 around six in ten UK adults used video on demand services such as BBC iPlayer, All4, Netflix or Amazon, with 6 million households subscribed to Netflix. Between 2015 and 2016, UK mobile data use grew by over 40%, while average monthly household/small businesses’ fixed data use grew by 36%. Connectivity is also increasingly important for UK businesses. For example, teleworking, online access to customer and public services, e-commerce and cloud-based office software are increasingly common. Further, machine to machine (M2M) communications – with applications ranging from ‘smart’ utility meters to connected cars – are increasingly common, with nearly 7 million connections in the UK.
  • Operators are investing in networks to improve speed and meet user needs. Responding to these demands, fixed network operators are investing to increase the speeds of existing networks, including through the use of fibre to the premises (FTTP), to provide higher speeds directly to homes and businesses. For example, BT has announced plans to deliver FTTP to two million premises by 2020, and G.FAST to a further 10 million. Virgin Media’s ‘Project Lightning’ will extend cable coverage to 60% of premises, planning to build 800k homes this year. As a result of investment, ‘superfast’ broadband speeds of at least 30Mbit/s are now available to 89% of UK premises. In its Autumn Statement, the Government has announced a £400m broadband investment fund to support further deployment of fibre networks. Mobile network operators are also upgrading their networks, rolling out 4G and using WiFi and small cells to improve mobile data coverage. Research into and preparation for future 5G networks continues, with the potential to provide speeds up to 40 times faster than current 4G networks. Mobile improvements, including 5G, are being designed to provide greater capacity and improved reliability, enabling innovative new services across different industry sectors. The deployments of the first international ‘5G’ standard are expected to begin by 2020, but with further evolution (for example to more small cells) after that.
  • However, concerns remain about availability and connection quality. Despite increased network investment, an estimated 1.4 million, or 5% of, UK households are unable to receive a decent broadband speed of 10Mbit/s to allow effective access to the internet. This risks creating a ‘digital divide’ between those who can fully engage with new communications services and those who cannot. In addition, quality of service in telecoms has failed to meet people and businesses’ expectations. Fault rates and repair times cause considerable concern and dissatisfaction.
  • Online media is changing the competitive landscape for established players. As consumers increasingly use internet-delivered, “over-the-top” (OTT) services for media, OTT providers have begun to invest in content production, including original UK content, thereby challenging established media providers. For example, Amazon has launched a competitor to the BBC’s Top Gear in December, while Netflix has invested in original drama The Crown, released in November. In March, YouTube announced its plans to launch a new 40 channel TV subscription service which will compete directly with US cable networks. Established broadcasters and pay-TV operators have also entered the video on demand (VOD) market, resulting in an increasingly complex and shifting competitive landscape. As the BBC has exploited new online opportunities for delivering its public purposes, the competitive impact of these activities has become a focus of concern for some stakeholders.
  • M&A activity continues to reconfigure the communications industry. In recent years, there has been a wave of mergers and acquisitions among European communications firms, driven by convergence of services and the continuing importance of scale. Examples include ‘quad-play’ mergers combining fixed and mobile operators (e.g. BT’s acquisition of EE); horizontal international mergers (e.g. the acquisition of Virgin Media by Liberty Global, and BSkyB’s merger with Sky Deutschland and Sky Italia) and vertical acquisitions by pay-TV operators investing in content firms (e.g. Liberty Global investing in All3Media, and indirectly in Eurosport). On 3 March 2017 21st Century Fox made a formal notification to the European Commission of its intention to acquire the shares in Sky it does not already own. On 16 March 2017, the Secretary of State issued a European intervention notice on the proposed acquisition. This requires Ofcom to consider two public interest grounds, media plurality and commitment to broadcasting standards, and to provide advice and a recommendation on any public interest issues raised by the merger relating to these grounds.”

Changes to legislation and policy

The legislative framework for the UK communications market is currently undergoing significant change. Ofcom highlight:

  • Digital Economy Bill. The Bill contains a range of provisions designed to help Ofcom carry out its functions and deliver better communications services for citizens and consumers. These include confirming Ofcom’s powers to make rules related to switching and automatic compensation; to collect and publish information from communications providers; and to regulate the BBC. The Bill also includes changes to Ofcom’s powers to regulate electromagnetic spectrum.
  • Brexit. Ofcom comment: “The impact of Brexit on the UK’s communications market remains to be determined, and will depend on arrangements yet to be negotiated between the UK and the EU”, so it would appear that Ofcom are not yet fully engaged with the Brexit process and the potential implications for communications regulation.
  • EU Digital Single Market. The impact of changes to audio-visual and telecoms regulation at the European level will in large part turn on the approach taken to Brexit. Pending clarity on Brexit, Ofcom note that they will continue to contribute to the on-going review of the EU Electronic Communications Framework and the Audiovisual and Media Services (AVMS) Directive.

On 30 March 2017, the UK’s Department for exiting the European Union published a white paper outlining its proposals for a Great Repeal Bill (GRB). Whilst superficially, this appears to bring clarity to the legal position after Brexit, on closer examination the GRB proposal over-simplifies the position and glosses over the very significant legislative (and consequential business) problems that will arise from the UK’s departure from the EU in the absence of a comprehensive and detailed free trade agreement between the UK and EU to enable many of the existing business arrangements to continue. Whilst much of the press commentary has focused on the impact of Brexit on the financial services sector, the same issue, disruption of existing business models as a result of leaving the single market, arises in almost every other sector of the economy, and certainly in the telecoms, media and technology sectors.

In particular, the GRB white paper ignores the fundamental problem that cross-border issues cannot be dealt with by UK-only legislation, but will require agreement with the EU.

Prime Minister May says in her foreword to the GRB that in her view: ‘The same rules and laws will apply on the day after exit as on the day before.’

The white paper then envisages a large, but quite mechanical, task of conversion of EU law into UK law, with delegated powers to deal with ‘correcting’ the operation of laws that will no longer function. However, in many cases it is simply not possible for the UK to ‘convert’ or ‘correct’ EU legislation to work post-Brexit without the explicit agreement of the EU and consequential changes to EU legislation.

Some simple examples relating to the telecoms, media and technology sectors clearly illustrate the problem: international mobile roaming, ‘country of origin’ rules for broadcasters, and cross-border data transfers. In each case, regardless of what the UK does to ‘convert’ or ‘correct’ its legislation, the EU legislation applicable in other Member States will treat the UK as being outside the EU post-Brexit unless amended by the EU prior to Brexit, with adverse consequences for businesses established in the UK.

  • So far as international roaming is concerned, unless the EU updates the Roaming Regulation to include the UK (there is no obligation to so do), mobile operators in the EU will then be free to charge UK mobile networks the same (generally higher) wholesale roaming charges they apply to roaming from networks outside the EU. As commercial businesses, the UK mobile networks will then have little choice but to pass on the higher wholesale roaming charges to their customers.
  • So far as ‘country of origin’ broadcast rules are concerned, once the UK leaves the EU, without modification of the Audio-visual Media Services Directive, UK-based broadcasters will lose their ability to rely on the provisions of the AVMS Directive which allow EU-wide broadcasting provided that the broadcaster complies with country of origin rules. Whilst there is a fall-back to the non-EU based European Convention on Transfrontier Television, this is more restrictive and the change may cause some international broadcasters to reconsider the best location for their European business.
  • So far as cross-border data transfers are concerned, unless the Commission finds that the UK has an adequate level of protection (and it is under no obligation to do this in any particular timeframe) EU companies will need to put in place appropriate alternative safeguards (e.g. by means of contractual obligations or binding corporate rules) for cross-border data transfers to the UK post-Brexit.

In each case, there is simply nothing that the UK can do by means of unilateral UK legislation to fix these issues.

We will follow the progress of the GRB and the Brexit negotiations to see how these (and similar) issues are addressed.

During the 1920s, the BBC’s first General Manager, John Reith, set the BBC’s mission as being to:

“inform, educate and entertain”.

That mission has continued into article 5 of the BBC’s current Royal Charter, effective from 3 April 2017. It has been more recently supplemented by the BBC’s public purposes:

  1. To provide impartial news and information to help people understand and engage with the world around them
  2. To support learning for people of all ages
  3. To show the most creative, highest quality and distinctive output and services
  4. To reflect, represent and serve the diverse communities of all of the United Kingdom’s nations and regions and, in doing so, support the creative economy across the United Kingdom
  5. To reflect the United Kingdom, its culture and values to the world

However, whilst the BBC’s mission has remained constant, the governance and regulation of the BBC has changed significantly since the 1920s, and April 2017 sees a significant shift in both the governance and regulation of the BBC. From 1927 to 2007, the BBC was both governed and regulated by a non-executive Board of Governors, accountable to parliament. In 2007, the Governors were replaced by the BBC Trust, which both regulated and oversaw the activities of an executive board. Following significant criticism of the BBC Trust, the decision was taken to split the (inherently conflicted) roles of governance and regulation, with a new unitary BBC Board responsible for governance, and regulatory responsibilities being transferred to Ofcom.

Ofcom’s regulatory remit for the BBC has three main elements:

  1. holding the BBC to account for the delivery of its mission and public purposes
  2. ensuring that the BBC’s editorial standards comply with the broadcasting code including due impartiality, due accuracy and preventing undue harm and offence
  3. ensuring that the impact of the BBC’s activities on fair and effective competition is appropriate in relation to the direct benefits to consumers and citizens.

On 29 March 2017, Ofcom started consultation on its plan for holding the BBC to account for the delivery of its mission and public purposes. The consultation closes on 17 July 2017, with implementation by the end of September 2017.

Regular readers will be aware that current data protection (privacy) laws will be replaced in Europe by the new General Data Protection Regulation (or GDPR) from May 2018. This change is driving a lot of preparatory regulatory activity – see this article for a recent summary. Whilst the impact of Brexit on data protection law in the UK is not yet finally settled, the UK regulator ICO is proceeding on the basis that the GDPR (or something very like it) will take effect in the UK and as a result is starting to consult on implementation.

On 2 March, ICO published their first piece of detailed topic-specific GDPR guidance for public consultation. Their consultation deals with ‘consent’ once GDPR takes effect. The consultation finishes on 31 March and ICO aims to publish final guidance in May 2017.

The basic concept of consent, and its main role as one lawful basis (or condition) for processing, is not new. However the GDPR does set a high standard for consent. It builds on the Data Protection Act (DPA) standard of consent in a number of areas, and it contains significantly more detail on both the standard and processes for consent.

The ICO’s draft guidance on consent explains their recommended approach to compliance and what counts as valid consent and explains the key differences between consent under the GDPR and current data protection law.

The draft explains that the ICO sees that the main practical differences stemming from the GDPR requirements for consent to be specific, granular, clear, prominent, opt-in, documented and easily withdrawn are that consent should be:

  • Unbundled: consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service
  • Active opt-in: pre-ticked opt-in boxes are invalid – use unticked opt-in boxes or similar active opt-in methods (eg a binary choice given equal prominence)
  • Granular: give granular options to consent separately to different types of processing wherever appropriate
  • Named: name your organisation and any third parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR
  • Documented: keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented
  • Easy to withdraw: tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place
  • No imbalance in the relationship: consent will not be freely given if there is imbalance in the relationship between the individual and the controller – this will make consent particularly difficult for public authorities and for employers, who should look for an alternative lawful basis.

Ofcom’s own guidelines for setting fines say that it will be transparent about how it weighs various factors to set the level of fines. However, recent decisions do not follow this practice. Should Ofcom change its practice and be more transparent?

Ofcom’s own penalty guidelines provide that:

“Ofcom will have regard to the need for transparency in applying these guidelines [for setting fines], particularly as regards the weighting of the factors considered.”

However, our review (below) of Ofcom’s recent decisions to fine various communications providers shows that Ofcom is not currently providing transparency to the industry at large. In particular, Ofcom is not publishing its rationale for setting the level of fines by reference to the weighting of the various factors it considers. Without this transparency, it seems that Ofcom is failing to meet its own policy aim, which it explains (again in the penalty guidelines) as:

“The central objective of imposing a penalty is deterrence. The amount of any penalty must be sufficient to ensure that it will act as an effective incentive to compliance, having regard to the seriousness of the infringement.”

For any fine to act as an effective deterrent against future non-compliance, regulated companies should be clear about the circumstances that may give rise to fines, the approach the regulator will take and the opportunities for mitigation.

Ofcom’s Penalty Guidelines

Ofcom’s penalty guidelines say:

“Ofcom will consider all the circumstances of the case in the round in order to determine the appropriate and proportionate amount of any penalty. The central objective of imposing a penalty is deterrence. The amount of any penalty must be sufficient to ensure that it will act as an effective incentive to compliance, having regard to the seriousness of the infringement. Ofcom will have regard to the size and turnover of the regulated body when considering the deterrent effect of any penalty.

The factors taken into account in each case will vary, depending on what is relevant. Some examples of potentially relevant factors are:

  • The seriousness and duration of the contravention;
  • The degree of harm, whether actual or potential, caused by the contravention, including any increased cost incurred by consumers or other market participants;
  • Any gain (financial or otherwise) made by the regulated body in breach (or any connected body) as a result of the contravention;
  • Whether in all the circumstances appropriate steps had been taken by the regulated body to prevent the contravention;
  • The extent to which the contravention occurred deliberately or recklessly, including the extent to which senior management knew, or ought to have known, that a contravention was occurring or would occur;
  • Whether the contravention in question continued, or timely and effective steps were taken to end it, once the regulated body became aware of it;
  • Any steps taken for remedying the consequences of the contravention;
  • Whether the regulated body in breach has a history of contraventions (repeated contraventions may lead to significantly increased penalties); and
  • The extent to which the regulated body in breach has cooperated with our investigation.

When considering the degree of harm caused by the contravention and/or any gain made by the regulated body as a result of the contravention Ofcom may seek to quantify those amounts in appropriate cases but will not necessarily do so in all cases.

Ofcom will have regard to any relevant precedents set by previous cases, but may depart from them depending on the facts and the context of each case. We will not, however, regard the amounts of previously imposed penalties as placing upper thresholds on the amount of any penalty.

Ofcom will have regard to any representations made to us by the regulated body in breach.

Ofcom will ensure that the overall amount of the penalty is appropriate and proportionate to the contravention in respect of which it is imposed, taking into account the size and turnover of the regulated body.

Ofcom will ensure that the overall amount does not exceed the maximum penalty for the particular type of contravention.

Ofcom will have regard to the need for transparency in applying these guidelines, particularly as regards the weighting of the factors considered.”

Recent fines

On 27 March 2017, Ofcom announced that it would fine BT:

  • £42 million for non-compliance with a regulatory obligation to provide wholesale ethernet services in a timely manner; and
  • £300,000 for failing to comply with its obligation to provide complete and accurate information to Ofcom.

The fines follow Ofcom’s 8 January 2016 resolution of a dispute submitted to Ofcom by Vodafone concerning the same facts. That dispute was resolved by Ofcom finding that BT had breached relevant regulatory obligations, and that relevant operators would therefore be entitled to compensation from BT. In BT’s 27 March 2017 press statement, BT say: “The precise amount of these compensation payments will result from discussions with the affected Communications Providers outside of BT, but is currently estimated at approximately £300 million.”

Commenting on the BT fines, Gaucho Rasmussen, Ofcom’s Investigations Director, said:

“We found BT broke our rules by failing to pay other telecoms companies proper compensation when these services were not provided on time. The size of our fine reflects how important these rules are to protect competition and, ultimately, consumers and businesses. Our message is clear – we will not tolerate this sort of behaviour.”

The legal basis for the £42m fine is s96 of the Communications Act (Act), which deals with notified breaches of conditions. The amount of the fine is determined in accordance with s97 of the Act, which provides that:

“s97: The amount of a penalty imposed under section 96 is to be such amount not exceeding ten per cent. of the turnover of the notified provider’s relevant business for the relevant period as OFCOM determine to be—

(a) appropriate; and

(b) proportionate to the contravention in respect of which it is imposed.”

Ofcom’s press release notes that the fine was reduced from a potential £60m to £42m (30%), due to BT’s agreement to settle Ofcom’s investigation by admitting full liability, and to set up a scheme to compensate the telecoms providers that have been affected. Ofcom does not explain what factors it considered in both originally setting the fine and then reducing it.

So far as the failure to provide complete and accurate information is concerned, the penalty provision in s139 of the Act provides for a maximum fine of £2m. Again there is no explanation by Ofcom of how it set the fine at £300k, or the way it assessed the various factors.

Other recent enforcement action by Ofcom has included:

  • 22 March 2017: £880,000 fine for Plusnet (a BT subsidiary) for billing ex-customers an estimated amount exceeding £500,000 (which Plusnet repaid by way of compensation and/or made equivalent charitable donations where customers could not be located). This fine was reduced: “The penalty incorporates a 20% reduction to reflect Plusnet’s willingness to enter into a formal settlement, which will save public money and resources. As part of this settlement, Plusnet admits and takes full responsibility for the breach of Ofcom’s billing rule.” There was no explanation of how the various factors were considered by Ofcom.
  • 26 October 2016: £4.6 million fine for Vodafone for breach of consumer protection rules. This fine was reduced: “The penalties incorporate a 7.5% reduction to reflect Vodafone’s agreement to enter into a formal settlement, which will save public money and resources. As part of this agreement, Vodafone admits the breaches. It has also reimbursed all customers who faced financial loss, but for 30 it could not identify, and made a donation of £100,000 to charity.” There was no explanation of how the various factors were considered by Ofcom.
  • 3 July 2015: £1 million fine for EE for failing to comply with Ofcom’s rules on handling customer complaints. Amount of compensation not quantified, no mitigation of fine. There was no explanation of how the various factors were considered by Ofcom.
  • 29 July 2015: £200,000 fine for Unicom for mis-selling. Amount of compensation not quantified, no mitigation of fine. There was no explanation of how the various factors were considered by Ofcom.

On 24 March 2017, Ofcom started a consultation on proposed template contract terms as well as a code of practice and template notices to be used with the revised UK Electronic Communications Code (Code). The Code provides a statutory backdrop for the relationship between infrastructure based telecoms operators and landowners, with a revised Code to be introduced as part of the UK’s Digital Economy Bill. The drafts being consulted on represent the output of extended engagement by Ofcom with stakeholders from both the landlord and operator communities. Once adopted, the template terms, notices and code will form the starting point for standard market practice, so any interested parties who have additional issues or comments should use this consultation as a means of having their views considered. As discussed in more detail below, the level of indemnity and liability caps in the standard wayleave template are likely to be of material interest to both operators and landlords.

Ofcom’s consultation closes on 2 June 2017.

Current position

The current version of the Code dates back to the mid 1980s when the UK telecoms market was first liberalised. At that time, the Government wanted to stimulate investment and network build and so they put in place statutory entitlements for specified telecoms companies to install, maintain, adjust, repair or alter electronic communications apparatus on public and private land.

Reasons for change

As technology and market practice have moved on, shortcomings with the current version of the Code have become increasingly apparent, and in 2013 the Law Commission undertook a thorough review of the Code. In May 2016, the Government proposed reform of the Code, which is currently being progressed through the Digital Economy Bill. The then responsible minister Ed Vaizey summarised the key changes as:

“The new Code will vastly improve on the existing Code.

It will make major reforms to the rights that communications providers have to access land – moving to a “no scheme” basis of valuation regime. This will ensure property owners will be fairly compensated for use of their land, but also explicitly acknowledge the economic value for all of society created from investment in digital infrastructure.

In this respect, it will put digital communications infrastructure on a similar regime to utilities like electricity and water. This will help deliver the coverage that is needed, even in hard to reach areas. The other reforms this Government is putting forward will also make it easier for communications providers to deploy and maintain their infrastructure. New rights to upgrade and share will allow future generations of technology to be quickly rolled out as they become commercially viable. There will also be administrative changes to court processes to allow for improved dispute resolution, ensuring that disagreements between communications providers and landowners do not hold up investment and create uncertainty.”

Ofcom’s consultation – indemnity and liability caps?

The drafts tabled for consultation by Ofcom follow prior engagement with stakeholders including representatives from the fixed and mobile operator community, communications infrastructure providers and representatives from the National Farmers Union (NFU), the Country Land & Business Association (CLA), the British Property Federation (BPF) and the Central Association of Agricultural Valuers (CAAV).

The draft standard Code Agreement (aka wayleave) is proposed in Annex 6 to the document. Whilst many parts of this document are sensible and represent a middle ground, it is notable that the stakeholders were unable to reach consensus in relation to the two clauses that tend to be the last to be finalised in any wayleave negotiation:

  1. the indemnity from the operator to the landlord; and
  2. the mutual limitation of liability.

So far as the indemnity is concerned, the open points are:

  • whether this is to be subject to a cap;
  • to the extent there is a cap, whether it is £1m, £3m or £5m; and
  • whether the cap applies on a per annum basis (or not) or to the aggregate of claims arising (or not).

The limitation of liability cap is again left open, although in contrast to the indemnity cap there is no ‘anchoring’ suggestion of £1m, £3m or £5m: the number is left entirely open in the suggested draft.

No doubt stakeholders will lobby hard on these points, and it will be interesting to see whether Ofcom provides more guidance or (as in the consultation) will leave these points open and therefore to be dealt with by commercial negotiation.

On 5 July 2016, the UK Government published its first draft of the Digital Economy Bill.

As expected, it contains provisions addressing (text taken from Government explanatory fact sheet):

“Fast Broadband and support for consumers

  • new Broadband Universal Service Obligation (USO) for the United Kingdom – giving all citizens the legal right to request a 10Mbps broadband connection
  • new powers for Ofcom to help consumers access better information and enable consumers to act on that information through easier switching
  • new provisions to ensure that consumers are automatically compensated if things go wrong with their broadband service

Enabling digital infrastructure

  • new Electronic Communications Code to cut the cost and simplify the building of mobile and superfast broadband infrastructure
  • new and simpler planning rules for building broadband infrastructure
  • new measures to manage radio spectrum to increase the capacity of mobile broadband

Protecting intellectual property

  • further supporting digital industries equalising penalties for online copyright infringement with laws on physical copyright infringement
  • new online design registration system – known as webmarking, to protect valuable rights

Government digital services

  • enabling government to deliver better public services and produce world leading research and statistics
  • enabling technology to manage information by allowing public authorities to connect where the objective has a public benefit
  • new powers for public authorities to share information to combat the public sector fraud which costs the country billions
  • help citizens manage their debt more effectively and reduce the billions of overdue debt owed to government
  • tough safeguards of personal data, reinforcing the Data Protection Act with new offences for unlawful disclosure

Protecting citizens in the digital economy

  • a new statutory code of practice for direct marketing, ensuring the Information Commissioner can better enforce sanctions against nuisance callers and spammers, ensuring that consent is obtained from consumers
  • protecting children from online pornography by requiring age verification for access to all sites and applications containing pornographic material”

On 6 July 2016, the European Union adopted the Directive on Security of Network and Information Systems (the NIS Directive, also referred to as the Cybersecurity Directive). It imposes obligations on three sets of stakeholders:

  1. Member States;
  2. Essential services operators; and
  3. Digital service providers.

Andrus Ansip, European Commission Vice-President for the Digital Single Market, commented:

“If we want people and businesses to make the most of digital services, they need to trust them. A Digital Single Market can only be created in a secure online environment.

The Directive on Security of Network and Information Systems is the first comprehensive piece of EU legislation on cybersecurity and a fundamental building block for our work in this area.

It requires companies in critical sectors – such as energy, transport, banking and health – to adopt risk management practices and report major incidents that can affect the Digital Single Market to their national authorities which will, in turn, be able to carry out better capacity-building with greater cross-border cooperation inside the EU. It also obliges online market places, cloud computing services and search engines to take similar security steps. The rules adopted today, complemented by the new partnership with the industry on cybersecurity presented yesterday, create the right conditions for people and businesses to use digital tools, networks and services in the EU with confidence.”

The Directive requires implementing national legislation to be in force by 10 May 2018. This is before the earliest date on which the UK can leave the EU, and so the NIS Directive will need to be implemented in the UK.

Member states

The NIS Directive obliges member states to:

  • adopt a national NIS strategy to define their strategic objectives and appropriate policy and regulatory measures in relation to cybersecurity;
  • designate a national competent authority for the implementation and enforcement of the Directive; and
  • designate one or more Computer Security Incident Response Teams (CSIRTs) responsible for handling incidents and risks (a CSIRT may be the same body as the national competent authority).

In addition, at European level the Directive:

  • forms a ‘Cooperation Group’ between Member States, in order to support and facilitate strategic cooperation and the exchange of information among Member States and to develop trust and confidence amongst them; and
  • creates a network of Computer Security Incident Response Teams, known as the CSIRTs Network, in order to promote swift and effective operational cooperation on specific cybersecurity incidents and sharing information about risks.

The Commission will provide the secretariat for the Cooperation Group, whilst the EU Agency for Network and Information Security (ENISA) will provide the secretariat for the CSIRTs Network.

Essential Services Operators

Identification

Each Member State will undertake a process to identify its operators of essential services. An Essential Services Operator is a public or private entity in one of the following sectors:

  • Energy: electricity, oil and gas
  • Transport: air, rail, water and road
  • Banking: credit institutions
  • Financial market infrastructures: trading venues, central counterparties
  • Health: healthcare settings
  • Water: drinking water supply and distribution
  • Digital infrastructure: internet exchange points, domain name system service providers, top level domain name registries

which meets all of the following criteria:

  • it provides a service which is essential for the maintenance of critical societal and/or economic activities;
  • the provision of that service depends on network and information systems; and
  • an incident would have significant disruptive effects on the provision of that service.

Obligations

Identified operators of essential services will have to take appropriate security measures and notify incidents having a significant impact on the continuity of their services to the relevant national authority. The security measures include:

  • Preventing risks: Technical and organisational measures that are appropriate and proportionate to the risk.
  • Ensuring security of network and information systems: The measures should ensure a level of security of network and information systems appropriate to the risks.
  • Handling incidents: The measures should prevent and minimize the impact of incidents on the IT systems used to provide the services.

Notification

The Directive does not define what is a significant incident requiring notification to the relevant national authority, but identifies three factors to be taken into consideration:

  • Number of users affected
  • Duration of incident
  • Geographic spread

We expect to see further guidelines around notification thresholds and process in due course. Helpfully, Article 14(3) of the NIS Directive makes it clear that:

“… Notification shall not make the notifying party subject to increased liability.”

Digital Service Providers

Digital Service Providers (DSPs) are defined as:

  • online marketplaces;
  • online search engines; and
  • cloud computing services.

DSPs will be required to take appropriate security measures and to notify substantial incidents to the competent authority. To avoid disparate national approaches and/or impractical obligations being imposed, the Commission will adopt implementing acts on the security requirements and notification obligations of DSPs within one year of the adoption of the Directive. Member States will not be able to impose additional, more stringent security and notification requirements on DSPs. In addition, the competent authorities will be able to exercise supervisory activities over DSPs only when provided with evidence that a DSP is not complying with its obligations under the Directive.

Security measures

DSPs will have to implement security measures covering:

  • Preventing risks: Technical and organisational measures that are appropriate and proportionate to the risk.
  • Ensuring security of network and information systems: The measures should ensure a level of security of network and information systems appropriate to the risks.
  • Handling incidents: The measures should prevent and minimize the impact of incidents on the IT systems used to provide the services.

The security measures taken by DSPs should also address specific factors, to be further specified by the Commission:

  • security of systems and facilities
  • incident handling
  • business continuity management
  • monitoring, auditing and testing
  • compliance with international standards

Notification

The Directive does not define thresholds of what is a substantial incident requiring notification to the relevant national authority. However, it defines five factors which should be taken into consideration:

  • Number of users affected
  • Duration of incident
  • Geographic spread
  • The extent of the disruption of the service
  • The impact on economic and societal activities

Again, we expect further guidelines in due course, and again Article 16(3) of the NIS Directive helpfully makes it clear that:

“… Notification shall not make the notifying party subject to increased liability.”

On 7 July 2016, the UK’s Financial Conduct Authority (FCA) issued finalised guidance on authorised UK financial institutions’ use of cloud services. In marked contrast to some other jurisdictions’ approach, this guidance is issued against the policy backdrop of the FCA’s ‘Project Innovate’, an initiative to foster innovation and competition. The FCA say:

“We see no fundamental reason why cloud services (including public cloud services) cannot be implemented, with appropriate consideration, in a manner that complies with our rules.”

Cloud: just another type of outsourcing

The FCA’s guidance makes it clear that wherever a third party delivers services to a regulated firm, that arrangement is an outsourcing and the relevant regulatory obligations apply, in particular appropriate management of risk.

Cloud is a type of outsourcing, so the rules applicable to outsourcing (e.g. see SYSC 8) will apply to cloud. In assessing which rules apply, key issues to consider include whether the function being outsourced (i.e. supplied from the cloud):

(i) is critical or important;

(ii) constitutes a material outsourcing; and/or

(iii) relates to an important operational function.

Checklist of areas for regulated firms using the cloud to consider

Finally, the FCA guidance provides a helpful checklist (with notes) of areas for regulated firms to consider:

  • Legal and regulatory considerations
  • Risk management
  • International standards
  • Oversight of service provider
  • Data security
  • Data protection
  • Effective access to data
  • Access to business premises
  • Relationship between service providers
  • Change management
  • Continuity and business planning
  • Resolution
  • Exit plan