Transparency data

Telecommunications (Security) Act 2021: draft designation notice consultation

Updated 13 October 2022

Overview of consultation

Aim

In accordance with the provisions of the Communications Act 2003 (as amended by the Telecommunications (Security) Act 2021), this consultation seeks the views of Huawei Technologies (UK) Co., Ltd. (“Huawei UK”) on the draft designation notice, designating Huawei UK and its affiliated companies for the purposes of a designated vendor direction. Responses received through this consultation will be taken into account in any future decision by the Secretary of State to issue a designation notice regarding Huawei.

Section 105Z9 of the Communications Act 2003 requires the Secretary of State to consult on a proposed designation notice with the vendor to whom the designation notice would be issued, so far as it is reasonably practicable to do so. This consultation fulfils that legislative requirement.

Views sought

Section 105Z8 of the Communications Act 2003 specifies that a designation notice can only be issued where it is necessary in the interests of national security. The draft designation notice, which will be sent directly to Huawei and published on GOV.UK, sets out the proposal to designate Huawei for the purposes of a designated vendor direction and sets out the reasons why the government considers this is in the UK’s national security interests.

We are seeking your views on the contents of the draft designation notice.

Background

The Telecommunications (Security) Act 2021 amends the Communications Act 2003 to provide the Secretary of State with new national security powers to:

  • issue directions, in the interests of national security, to public communications providers placing controls on their use of goods, services or facilities supplied, provided or made available by a designated vendor specified in the direction (designated vendor directions).
  • issue notices, in the interests of national security, designating a person for the purpose of issuing a designated vendor direction (designation notices).

Over the course of 2020, the government made a series of announcements in relation to the use of Huawei goods and services, which have informed the proposed application of these powers. Previous Secretaries of State made oral statements regarding public telecoms providers’ use of high risk vendors in January 2020, July 2020 and November 2020.

Previous publications

The Telecommunications (Security) Act 2021 was developed in close collaboration with the National Cyber Security Centre (NCSC) following the publication of the UK Telecoms Supply Chain Review Report in 2019. The Report set out the Review’s conclusions and recommendations, and was followed by an announcement in January 2020 relating to high risk vendors. The NCSC has published a wide range of material in relation to telecoms security, and the use of high risk vendors specifically, including the following documents:

Designation notices

The Telecommunications (Security) Act 2021 amended the Communications Act 2003 to insert, amongst others, new sections 105Z8 and 105Z9.

Section 105Z8 provides that the Secretary of State may issue a designation notice, designating a person for the purposes of a designated vendor direction. The Act specifies that the Secretary of State may issue a designation notice only if the Secretary of State considers that the notice is necessary in the interests of national security, and that a designation notice must specify the reasons for the designation.

Section 105Z9 requires that, before issuing a designation notice, the Secretary of State must consult the person or persons proposed to be designated in the notice, so far as it is reasonably practicable to do so. This consultation fulfils that legislative requirement.

Responding to this consultation

Consultees

This consultation is directed at Huawei UK. While the draft designation notice designates a number of international Huawei affiliates (listed in the Annex to the draft notice), we have only approached Huawei Technologies (UK) Co., Ltd. for the purposes of this consultation, on the understanding that they will provide a response on behalf of the wider Huawei corporate group. It remains open to any Huawei affiliate to respond separately if it considers it is necessary and appropriate to do so. While we are not inviting responses from other parties, we have published consultation documents, alongside the draft designation notice and designated vendor direction, on GOV.UK, in the interests of transparency.

Consultation duration

This consultation is open for four weeks from Friday 18 February 2022. The deadline for responses is 23:45 on Monday 21 March 2022. Once the consultation has closed, we will aim to publish a response within 12 weeks, in line with the Cabinet Office’s Consultation Principles.

How to respond

We are inviting Huawei UK to provide comments on the draft designation notice by responding to the question set out below. As well as this consultation document, we have sent Huawei UK a copy of the draft designation notice.

Huawei Technologies (UK) Co., Ltd. can respond to this consultation by replying to the commissioning email.

Consultation principles

This consultation is being conducted in line with the Cabinet Office Consultation Principles, published in March 2018.

Consultation question

The draft designation notice sets out the reasons for which the Secretary of State proposes it is necessary, in the interests of national security, to designate Huawei. In particular, these reasons relate to:

a) The past conduct of the Chinese State and associated actors in carrying out cyber attacks against the UK.

b) The possibility that Huawei could be compelled by the Chinese State to act in a manner that is contrary to the UK’s national security interests.

c) The low engineering and security quality of Huawei’s goods and services.

d) The manner in which US sanctions may affect the reliability of goods and services manufactured or provided by Huawei.

e) The risk of national dependency on Huawei, if action were not taken to limit its share of the market.

Please provide any representations you may wish to make as to whether the proposed designation notice is necessary in the interests of national security. In particular, please provide any comments you may have regarding the reasons given in the draft designation notice.

Glossary

The Act: The Telecommunications (Security) Act 2021.

Designation notice: A designation notice designates a person (or people) for the purposes of a designated vendor direction (section 105Z8 of the Communications Act 2003).

Designated vendor: A designated vendor is a person designated by a designation notice (section 151(1) of the Communications Act 2003).

Designated vendor directions: A designated vendor direction may impose requirements on a public communications provider with respect to the use, in connection with a purpose mentioned below, of goods, services or facilities supplied, provided or made available by a designated vendor specified in the direction (section 105Z1 of the Communications Act 2003).

The purposes referred to above are:

a) in the case of a provider of a public electronic communications network, the provision of that network;

b) in the case of a provider of a public electronic communications service, the provision of that service;

c) in the case of a person who makes available facilities that are associated facilities by reference to a public electronic communications network or public electronic communications service, the making available of those facilities; or

d) in the case of a provider of a public electronic communications network or public electronic communications service, enabling persons to make use of that network or service.

Electronic communications network: A transmission system for the conveyance, by the use of electrical, magnetic or electro-magnetic energy, of signals of any description, and associated apparatus, software and stored data (section 32(1) of the Communications Act 2003).

Electronic communications service: A service of any of the following types provided by means of an electronic communications network, except so far as it is a content service:

  • an internet access service;
  • a number-based interpersonal communications service;
  • or any other service consisting in, or having as its principal feature, the conveyance of signals, such as a transmission service used for machine-to-machine services or for broadcasting (section 32(1) of the Communications Act 2003).

NCSC: The National Cyber Security Centre, part of the Government Communications Headquarters.

Public communications provider (PCP): A provider of a public electronic communications network; a provider of a public electronic communications service; or a person who makes available facilities that are associated facilities by reference to a public electronic communications network or a public electronic communications service (section 151(1) of the Communications Act 2003).

Public Electronic Communications Network: An electronic communications network provided wholly or mainly for the purpose of making electronic communications services available to members of the public (section 151(1) of the Communications Act 2003).

Public Electronic Communications Service: Any electronic communications service that is provided so as to be available for use by members of the public (section 151(1) of the Communications Act 2003).

Annex A: Privacy notice

Purpose of this Privacy Notice

The following is to explain your rights and give you the information you are entitled to under the Data Protection Act 2018 and the UK General Data Protection Regulation (“the Data Protection Legislation”).

Our personal information charter explains how we deal with your information. It also explains how you can ask to view, change or remove your information from our records.

This notice only refers to your personal data (e.g. your name, email address, and anything that could be used to identify you personally), not the content of your response to the consultation.

Why are we collecting your personal data?

Your personal data is being collected as an essential part of the consultation process, so that we can determine who has responded to the consultation and contact you regarding your response.

What personal data do we collect?

We collect the following information:

  • Personal identifiers
  • Contacts and characteristics (for example, name, contact details and name of organisation if relevant).

With whom will we be sharing your personal data?

Copies of responses may be published after the consultation closes. If we do so, unless you indicate otherwise, we will ensure that the individual completing the consultation response is not identifiable.

As regards the content of the response, the Consultation Privacy Statement sets out how respondents to the consultation can mark information in their response as commercially confidential, and how we will handle such information.

For how long will we keep your personal data, or what criteria are used to determine the retention period?

Your personal data will be held for two years after the consultation is closed. This is so that the department is able to contact you regarding the result of the consultation following analysis of the responses.

The Data Protection Legislation states that, as government departments, the departments may process personal data as necessary for the effective performance of a task carried out in the public interest (i.e. a consultation).

We will not:

  • Sell or rent your data to third parties
  • Share your data with third parties for marketing purposes
  • Use your data in analytics.

We will share your data if we are required to do so by law – for example, by court order, or to prevent fraud or other crime.

Consultation privacy statement

Please be aware that, under the Freedom of Information Act 2000 (‘FOIA’), there is a statutory Code of Practice with which public authorities must comply and which deals, amongst other things, with obligations of confidence. We anticipate that some information that is provided to the government by organisations in response to this consultation is likely to be commercially confidential. Section 43(2) of FOIA exempts information the disclosure of which would, or would be likely to, prejudice the commercial interests of any person – including those of the public authority holding the information. In view of this, please tell us in writing what information is confidential and explain to us why you regard the information you have provided as confidential. We ask respondents to clearly distinguish in writing between:

  • information that is already published or in the public domain
  • information that is unpublished but could be published by the government in any summary of responses to this consultation
  • information that is commercially confidential.

If we receive a request for disclosure of the information, we will take account where reasonable of your explanation, but we cannot give an assurance that confidentiality can be maintained in all circumstances. An automatic confidentiality disclaimer generated by your IT system will not, of itself, be regarded as binding on the Department.

Your rights, e.g. access, rectification, erasure

The data we are collecting is your personal data, and you have considerable say over what happens to it. You have the right:

  • To see what data we have about you.
  • To ask us to stop using your data, but keep it on record.
  • To have all or some of your data deleted or corrected.
  • To lodge a complaint with the independent Information Commissioner (ICO) if you think we are not handling your data fairly or in accordance with the law.

Your personal data will not be used for any automated decision making.

Your personal data will be stored in a secure government IT system.

We are committed to doing all that we can to keep your data secure. We have set up systems and processes to prevent unauthorised access or disclosure of your data – for example, we protect your data using varying levels of encryption.

We also make sure that any third parties that we deal with keep all personal data they process on our behalf secure.

Changes to this policy

We may change this privacy policy. In that case, the ‘last updated’ date shown below will also change. Any changes to this privacy policy will apply to you and your data immediately.

If these changes affect how your personal data is processed, the controllers will take reasonable steps to let you know.

Last updated: 17/02/2022

How to contact us

The identities of the independent data controller and contact details of our Data Protection Officer

The contact details for the data controller’s Data Protection Officer (DPO) are:

Data Protection Officer
The Department for Digital, Culture, Media & Sport
100 Parliament Street,
London
SW1A 2BQ

Email: DCMSdataprotection@dcms.gov.uk

For more information, see Personal information charter

How to contact the appropriate authorities

If you believe that your personal data has been misused or mishandled, you can make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:

ICO
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113
Contact ICO online