Ofcom consults on revision of (half of) UK’s general authorisation conditions

As anticipated, Ofcom yesterday started a consultation on its plans to update the UK’s Conditions of General Entitlement, i.e. the obligations placed on all telecoms operators in the UK that rely on the UK’s general authorisation.

Ofcom has decided to split its review into two parts, with this first part dealing with network functioning, public payphones, directory information and numbering conditions.

Interested parties have until 11 October to respond.

The second part, dealing with consumer protection issues, will follow later in the year.

On initial review, many of the changes seem welcome – in particular the proposals to simplify, clarify and address the long-standing bugbear of confusing drafting that defines terms such as ‘Communications Provider’ differently in different conditions.

It seems that the only new regulatory proposal is adding a power to withdraw allocations of number blocks where they are not in use, which seems unobjectionable.

UK’s Financial Conduct Authority issues guidance on cloud

On 7 July 2016, the UK’s Financial Conduct Authority (FCA) issued finalised guidance for authorised UK financial institutions’ use of cloud services. In a marked contrast to some other jurisdictions’ approach, this guidance is issued against a policy backdrop of the FCA’s ‘Project Innovate’, which is an initiative to foster innovation and competition. The FCA say:

‘Cloud’ is a broad term, and stakeholders have interpreted it differently. We see it as encompassing a range of IT services provided in various formats over the internet. This includes, for example, private, public or hybrid cloud, as well as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). Cloud services are constantly evolving. Our aim is to avoid imposing inappropriate barriers to firms’ ability to outsource to innovative and developing areas, while ensuring that risks are appropriately identified and managed.

Using the cloud can provide more flexibility to the service that firms receive, enabling innovation and bringing benefits to firms, their consumers, and the wider market. However it can also introduce risks that need to be identified, monitored and mitigated. These risks primarily affect the degree of control exercised by the firm and specific issues such as data security. Cloud customers may have less control of the supplier, for example the degree to which they can tailor the service provided, and of the data, such as where data are stored.

So we are setting out in more detail our approach to regulating firms which outsource to the cloud and other third-party IT services. We see no fundamental reason why cloud services (including public cloud services) cannot be implemented, with appropriate consideration, in a manner that complies with our rules.

In a post-Brexit world, forward-looking policy approaches like this will be needed to help the UK to retain its role as a leading global financial centre.


Cloud is just another type of outsourcing

The FCA’s guidance makes it clear that wherever a third party delivers services to a regulated firm, that comprises outsourcing, and so the relevant regulatory obligations apply – in particular appropriate management of risk.

Cloud is a type of outsourcing, so the rules applicable to outsourcing (e.g. see SYSC 8) will apply to cloud. In assessing the applicable rules, key issues to consider include whether the function being outsourced (i.e. supplied from the cloud):

(i) is critical or important;

(ii) constitutes a material outsourcing; and/or

(iii) relates to an important operational function.

Checklist of areas for regulated firms using the cloud to consider

Finally, the FCA guidance provides a helpful checklist (with notes) of areas for regulated firms to consider:

  • Legal and regulatory considerations
  • Risk management
  • International standards
  • Oversight of service provider
  • Data security
  • Data protection
  • Effective access to data
  • Access to business premises
  • Relationship between service providers
  • Change management
  • Continuity and business planning
  • Resolution
  • Exit plan

European Network and Information Security Directive adopted to address cyber-threats

On 6 July 2016, the European Union (which for now includes the UK) adopted the Network and Information Security (or NIS) Directive. This imposes obligations on three sets of stakeholders:

  1. Member States;
  2. Essential services operators; and
  3. Digital service providers.

Andrus Ansip, European Commission Vice-President for the Digital Single Market, commented:

“If we want people and businesses to make the most of digital services, they need to trust them. A Digital Single Market can only be created in a secure online environment. The Directive on Security of Network and Information Systems is the first comprehensive piece of EU legislation on cybersecurity and a fundamental building block for our work in this area. It requires companies in critical sectors – such as energy, transport, banking and health – to adopt risk management practices and report major incidents that can affect the Digital Single Market to their national authorities which will, in turn, be able to carry out better capacity-building with greater cross-border cooperation inside the EU. It also obliges online market places, cloud computing services and search engines to take similar security steps. The rules adopted today, complemented by the new partnership with the industry on cybersecurity presented yesterday, create the right conditions for people and businesses to use digital tools, networks and services in the EU with confidence.”

The Directive requires implementing national legislation to come into force by 10 May 2018. This is before the earliest date on which the UK can leave the EU, and so the NIS Directive will need to be implemented in the UK.

Member states

The NIS Directive obliges member states to:

  • adopt a national NIS strategy to define their strategic objectives and appropriate policy and regulatory measures in relation to cybersecurity;
  • designate a national competent authority for the implementation and enforcement of the Directive; and
  • designate a Computer Security Incident Response Team (CSIRT) responsible for handling incidents and risks (which can be the same body as the national competent authority).

In addition, at European level the Directive:

  • forms a ‘Cooperation Group’ between Member States, in order to support and facilitate strategic cooperation and the exchange of information among Member States and to develop trust and confidence amongst them; and
  • creates a network of Computer Security Incident Response Teams, known as the CSIRTs Network, in order to promote swift and effective operational cooperation on specific cybersecurity incidents and sharing information about risks.

The Commission will provide the secretariat for the Cooperation Group, whilst the EU Agency for Network and Information Security (ENISA) will provide the secretariat for the CSIRTs Network.

Essential Services Operators

Identification

Each Member State will undertake a process to identify its operators of essential services. An Essential Services Operator is a public or private entity in one of the following sectors:

  • Energy: electricity, oil and gas
  • Transport: air, rail, water and road
  • Banking: credit institutions
  • Financial market infrastructures: trading venues, central counterparties
  • Health: healthcare settings
  • Water: drinking water supply and distribution
  • Digital infrastructure: internet exchange points, domain name system service providers, top level domain name registries

which meets the following criteria:

  • it provides a service which is essential for the maintenance of critical societal and/or economic activities;
  • the provision of that service depends on network and information systems; and
  • an incident would have significant disruptive effects on the provision of that service.

Obligations

Identified operators of essential services will have to take appropriate security measures and to notify serious incidents to the relevant national authority. The security measures include:

  • Preventing risks: Technical and organisational measures that are appropriate and proportionate to the risk.
  • Ensuring security of network and information systems: The measures should ensure a level of security of network and information systems appropriate to the risks.
  • Handling incidents: The measures should prevent and minimize the impact of incidents on the IT systems used to provide the services.

Notification

The Directive does not define what is a significant incident requiring notification to the relevant national authority, but identifies three factors to be taken into consideration:

  • Number of users affected
  • Duration of incident
  • Geographic spread

We expect to see further guidelines around notification thresholds and process in due course. Helpfully, Article 14 (3) of the NIS Directive makes it clear that:

“… Notification shall not make the notifying party subject to increased liability.”

Digital Service Providers

Digital Service Providers (DSPs) are defined as:

  • online marketplaces;
  • online search engines; and
  • cloud computing services.

DSPs will be required to take appropriate security measures and to notify substantial incidents to the competent authority. To seek to avoid disparate national approaches and/or impractical obligations being imposed, the Commission will adopt implementing acts with regard to the security requirements and notification obligations of DSPs within one year from the adoption of the Directive. Member States will not be able to impose additional, more stringent security and notification requirements on DSPs. In addition, the competent authorities will be able to exercise supervisory activities only when provided with evidence that a DSP is not complying with its obligations under the Directive.

Security measures

DSPs will have to implement security measures covering:

  • Preventing risks: Technical and organisational measures that are appropriate and proportionate to the risk.
  • Ensuring security of network and information systems: The measures should ensure a level of security of network and information systems appropriate to the risks.
  • Handling incidents: The measures should prevent and minimize the impact of incidents on the IT systems used to provide the services.

The security measures taken by DSPs should also address specific factors, to be further specified by the Commission:

  • security of systems and facilities
  • incident handling
  • business continuity management
  • monitoring, auditing and testing
  • compliance with international standards

Notification

The Directive does not define thresholds of what is a substantial incident requiring notification to the relevant national authority. However, it defines five factors which should be taken into consideration:

  • Number of users affected
  • Duration of incident
  • Geographic spread
  • The extent of the disruption of the service
  • The impact on economic and societal activities

Again, we expect further guidelines in due course, and again Article 16 (3) of the NIS Directive helpfully makes it clear that:

“… Notification shall not make the notifying party subject to increased liability.”


UK Government publishes Digital Economy Bill draft

The UK Government today published its first draft of the Digital Economy Bill.

As expected, it contains provisions addressing (text taken from the Government explanatory fact sheet):

“Fast Broadband and support for consumers

  • new Broadband Universal Service Obligation (USO) for the United Kingdom – giving all citizens the legal right to request a 10Mbps broadband connection [See my prior sceptical commentary here]
  • new powers for Ofcom to help consumers access better information and enable consumers to act on that information through easier switching
  • new provisions to ensure that consumers are automatically compensated if things go wrong with their broadband service

Enabling digital infrastructure

  • new Electronic Communications Code to cut the cost and simplify the building of mobile and superfast broadband infrastructure [See my prior comments here]
  • new and simpler planning rules for building broadband infrastructure
  • new measures to manage radio spectrum to increase the capacity of mobile broadband

Protecting intellectual property

  • further supporting digital industries, equalising penalties for online copyright infringement with laws on physical copyright infringement
  • new online design registration system – known as webmarking, to protect valuable rights

Government digital services

  • enabling government to deliver better public services and produce world leading research and statistics
  • enabling technology to manage information by allowing public authorities to connect where the objective has a public benefit
  • new powers for public authorities to share information to combat the public sector fraud which costs the country billions
  • help citizens manage their debt more effectively and reduce the billions of overdue debt owed to government
  • tough safeguards of personal data, reinforcing the Data Protection Act with new offences for unlawful disclosure

Protecting citizens in the digital economy

  • a new statutory code of practice for direct marketing, ensuring the Information Commissioner can better enforce sanctions against nuisance callers and spammers, ensuring that consent is obtained from consumers
  • protecting children from online pornography by requiring age verification for access to all sites and applications containing pornographic material”

I haven’t yet had time to digest the detailed proposals, and will comment on the various aspects in future posts.


Europe consults on implementation of net neutrality

From 30 April 2016, Europe has been subject to net neutrality rules set out in the Connected Continent Regulation. However, those rules, set out in Articles 3 and 4 of the Regulation and reproduced below for easy reference, are framed at such a high level of abstraction as to be almost useless in assessing whether any particular practice is compliant or not.

In an attempt to clarify what the rules actually mean, on 6 June 2016 BEREC (the association of European Member State telecom regulators) published draft guidelines for consultation. The consultation runs until 18 July, and details of how to submit comments can be found on the BEREC site. BEREC’s intention is to finalise and adopt the guidelines by 31 August, although this may be ambitious given the level of interest from stakeholders and (always a factor with European institutions) the July and August summer break.

It is clear from press reports that, as with the debate in the US, the network and internet operators are concerned that the rules are over-intrusive and prescriptive, whilst providers of services, applications and content have exactly the opposite concern.

When finalised and adopted, the Guidelines will constitute recommendations to the national regulators, who are then required to take ‘utmost account’ of the guidelines.

“Connected Continent Regulation extract:

Article 3 – Safeguarding of open internet access

1. End-users shall have the right to access and distribute information and content, use and provide applications and services, and use terminal equipment of their choice, irrespective of the end-user’s or provider’s location or the location, origin or destination of the information, content, application or service, via their internet access service.

This paragraph is without prejudice to Union law, or national law that complies with Union law, related to the lawfulness of the content, applications or services.

2. Agreements between providers of internet access services and end-users on commercial and technical conditions and the characteristics of internet access services such as price, data volumes or speed, and any commercial practices conducted by providers of internet access services, shall not limit the exercise of the rights of end-users laid down in paragraph 1.

3. Providers of internet access services shall treat all traffic equally, when providing internet access services, without discrimination, restriction or interference, and irrespective of the sender and receiver, the content accessed or distributed, the applications or services used or provided, or the terminal equipment used.

The first subparagraph shall not prevent providers of internet access services from implementing reasonable traffic management measures. In order to be deemed to be reasonable, such measures shall be transparent, non-discriminatory and proportionate, and shall not be based on commercial considerations but on objectively different technical quality of service requirements of specific categories of traffic. Such measures shall not monitor the specific content and shall not be maintained for longer than necessary.

Providers of internet access services shall not engage in traffic management measures going beyond those set out in the second subparagraph, and in particular shall not block, slow down, alter, restrict, interfere with, degrade or discriminate between specific content, applications or services, or specific categories thereof, except as necessary, and only for as long as necessary, in order to:

(a) comply with Union legislative acts, or national legislation that complies with Union law, to which the provider of internet access services is subject, or with measures that comply with Union law giving effect to such Union legislative acts or national legislation, including with orders by courts or public authorities vested with relevant powers;

(b) preserve the integrity and security of the network, of services provided via that network, and of the terminal equipment of end-users;

(c) prevent impending network congestion and mitigate the effects of exceptional or temporary network congestion, provided that equivalent categories of traffic are treated equally.

4. Any traffic management measure may entail processing of personal data only if such processing is necessary and proportionate to achieve the objectives set out in paragraph 3. Such processing shall be carried out in accordance with Directive 95/46/EC of the European Parliament and of the Council (1). Traffic management measures shall also comply with Directive 2002/58/EC of the European Parliament and of the Council (2).

5. Providers of electronic communications to the public, including providers of internet access services, and providers of content, applications and services shall be free to offer services other than internet access services which are optimised for specific content, applications or services, or a combination thereof, where the optimisation is necessary in order to meet requirements of the content, applications or services for a specific level of quality.

Providers of electronic communications to the public, including providers of internet access services, may offer or facilitate such services only if the network capacity is sufficient to provide them in addition to any internet access services provided. Such services shall not be usable or offered as a replacement for internet access services, and shall not be to the detriment of the availability or general quality of internet access services for end-users.

Article 4 – Transparency measures for ensuring open internet access

1. Providers of internet access services shall ensure that any contract which includes internet access services specifies at least the following:

(a) information on how traffic management measures applied by that provider could impact on the quality of the internet access services, on the privacy of end-users and on the protection of their personal data;

(b) a clear and comprehensible explanation as to how any volume limitation, speed and other quality of service parameters may in practice have an impact on internet access services, and in particular on the use of content, applications and services;

(c) a clear and comprehensible explanation of how any services referred to in Article 3(5) to which the end-user subscribes might in practice have an impact on the internet access services provided to that end-user;

(d) a clear and comprehensible explanation of the minimum, normally available, maximum and advertised download and upload speed of the internet access services in the case of fixed networks, or of the estimated maximum and advertised download and upload speed of the internet access services in the case of mobile networks, and how significant deviations from the respective advertised download and upload speeds could impact the exercise of the end-users’ rights laid down in Article 3(1);

(e) a clear and comprehensible explanation of the remedies available to the consumer in accordance with national law in the event of any continuous or regularly recurring discrepancy between the actual performance of the internet access service regarding speed or other quality of service parameters and the performance indicated in accordance with points (a) to (d).

Providers of internet access services shall publish the information referred to in the first subparagraph.

2. Providers of internet access services shall put in place transparent, simple and efficient procedures to address complaints of end-users relating to the rights and obligations laid down in Article 3 and paragraph 1 of this Article.

3. The requirements laid down in paragraphs 1 and 2 are in addition to those provided for in Directive 2002/22/EC and shall not prevent Member States from maintaining or introducing additional monitoring, information and transparency requirements, including those concerning the content, form and manner of the information to be published. Those requirements shall comply with this Regulation and the relevant provisions of Directives 2002/21/EC and 2002/22/EC.

4. Any significant discrepancy, continuous or regularly recurring, between the actual performance of the internet access service regarding speed or other quality of service parameters and the performance indicated by the provider of internet access services in accordance with points (a) to (d) of paragraph 1 shall, where the relevant facts are established by a monitoring mechanism certified by the national regulatory authority, be deemed to constitute non-conformity of performance for the purposes of triggering the remedies available to the consumer in accordance with national law.

This paragraph shall apply only to contracts concluded or renewed from 29 November 2015.”
