Political Monitor 17/07/2020
17 July 2020
Cyber Security
Government announcement on High Risk Vendors
This week, DCMS Secretary Oliver Dowden MP made a statement in the House of Commons on the conclusions of the NCSC review into the recent US sanctions on Huawei and the National Security Council decision to limit the vendor further in the UK. The DCMS announcement can be found here.
The US sanctions announced in May were considered a “significant and material change” that has “potentially severe impacts on Huawei to deliver” in the UK. Updated guidance from NCSC, which can be found here, indicates that the new risk assessment applies only to new equipment affected by the sanctions.
For 5G the Digital Secretary has confirmed that:
- From the end of this year no 5G equipment can be procured from HRVs, and doing so will be illegal once the Telecoms Security Bill is passed.
- By 2027 all HRV equipment must be removed from the 5G network.
- He noted that this will delay the rollout of 5G, citing £2bn in costs and a 2-3 year delay.
- The Telecoms Security Bill will put this into legislation but will be delayed to the autumn due to these changes; the Government is keen to “pass as soon as possible”.
Dowden was clear in differentiating between 5G and fixed/full fibre networks, though he noted that all networks need to be resilient. A technical consultation will be held with operators on the exact timetable for a transition away from purchasing new Huawei equipment. This transition period is expected to ‘last no longer than two years’.
On the commitment to diversify the supply chain during this Parliament, Dowden noted that efforts would largely be focussed on OpenRAN development. Dowden will give evidence on this to the Science and Tech Committee next week.
Secure By Design proposals published for IoT security
The Government have published proposals for a new law to ensure all connected devices have adequate cyber security. This includes an ETSI standard based on the code of practice which outlines the three main requirements for suppliers:
- Device passwords must be unique and not resettable to any universal factory setting;
- Manufacturers must provide a public point of contact so anyone can report a vulnerability;
- Information stating the minimum length of time for which the device will receive security updates must be provided to customers.
Online Harms
Oral Question on Online Harms
During oral questions to the Home Office, Tanmanjeet Singh Dhesi MP (Lab) asked the Home Office Minister Victoria Atkins MP about the delay to the Online Harms Bill. He pushed the Minister on reports that the sanctions within the White Paper were being watered down and on conversations the Government is having with social media companies. Atkins was clear in marking out the Online Harms White Paper as both ambitious and world leading, and confirmed the Government will respond to the consultation in the Autumn.
Data protection
ECJ make ruling on EU-US Privacy Shield
The European Court of Justice has made a ruling on the adequacy of the protection provided by the EU-US Privacy Shield. The relevant press release can be found here and the full judgement here.
The Court invalidated the European Commission’s Decision on the Privacy Shield, arguing that the surveillance laws of the US do not allow for US protections of privacy to be deemed ‘equivalent’ to those offered by the EU’s GDPR.
Although the Court did not invalidate the European Commission’s Decision 2010/87 on the standard contractual clauses (SCCs), it argued that any data transfer involving SCCs must also individually evaluate the legal system of the third country. Given the previous point on US surveillance rules, this could effectively block EU-US transfers using SCCs as well. Of course, many cases of data transfers will remain valid, such as:
- Cases where users want their data to flow abroad (based on informed consent that can be withdrawn at any time);
- Data flows for what is necessary to fulfill a contract;
- Other ‘necessary’ data flows under Article 49 of the GDPR.
On the discretion of national Data Protection Authorities (DPAs) to act once they receive a complaint, the ECJ ruled that, unless there is a valid Commission adequacy decision, DPAs are required to suspend or prohibit a transfer of personal data to a third country if they believe the protection of the data cannot be ensured in the country of destination. DPAs previously argued that the decision whether to act on such complaints is up to them.
ICO update on regulatory approach during COVID-19
The Information Commissioner’s Office (ICO) has published a further update on how they would regulate during the Covid-19 pandemic. This updated document states the continuing importance of data protection, and the need for privacy and information rights to be considered as part of recovery plans.
Ofcom
Ofcom publish call for evidence on video sharing platform (VSP) regulation
Ofcom have published a call for evidence ahead of VSP regulation in the UK. Ofcom will be given new powers this autumn to regulate UK-established VSPs. This will include a duty to ensure that VSPs have in place appropriate measures to protect young people from potentially harmful content and all users from illegal content and incitement to hatred and violence. Services will also need to ensure standards around advertising are met. The call for evidence further sets out the core principles of their approach:
- Protection and assurance
- Freedom of expression
- Adaptability
- Transparency
- Enforcement
- Independence
- Proportionality
Working Groups
Over the course of the pandemic, ISPA has sought to engage members regularly on policy areas, and in a different way to our established subgroups. This has included the regular COVID-19 member calls, as well as the establishment of subject-specific working groups. Our existing subgroups (Broadband, Cyber and Liability) will continue to be used for updates and general policy developments.
We have tweaked this structure to allow for more focused discussions to drive policy development within ISPA and to adapt to trends that are often developing quickly due to the pandemic. These working groups are:
- TSRs: This working group is focused on the debate around High Risk Vendors, and the development of the Telecoms Security Requirements.
  - This group will meet on Monday 27th July at 2pm
- Consumer: This working group met last week to discuss the impact of coronavirus commitments around vulnerable customers and will focus on all consumer related policy.
- Infrastructure: This group will look at all broadband infrastructure related issues – including barriers to rollout, state aid programmes, Streetworks and skills.
  - This group will meet on Thursday 23rd at 3pm
In addition, ISPA is currently organising member calls on EECC, online harms and more. If you have any questions, please contact emmas@ispa.org.uk