The Telecommunications (Security) Act 2021 came into force on 17 November 2021, amending the Communications Act of 2003, and introducing a new regulatory framework for telecommunications security in the UK. The Act increases the security duties for communications providers (CPs) and requires them to identify and reduce the risks of security compromises.
The Act defines a security compromise as including “anything that compromises the availability, performance or functionality of the network or service”. Under the Act, a CP (i.e. the provider of a public electronic communications or a public electronic communications service network) must now take measures that are appropriate and proportionate for the purposes of:
a. identifying the risks of security compromises occurring; and
b. reducing the risks of security compromises occurring; and
c. preparing for the occurrence of security compromises.
These new security provisions are relevant in the context of SEPs. SEPs are patents relating to standards (such as 3G, 4G, 5G, Zigbee, and WiFi) that must necessarily be infringed when a product or service is used that is compliant with the standard. Therefore, if the patent is valid, infringed and essential, it will not be possible for CPs to design around the patent; as such, a CP will be required to infringe many SEPs in order to provide services and goods in accordance with the relevant technology standard.
There are tens of thousands of SEPs that have been declared to standard setting organisations (SSOs) as being essential to standards, such as 3G, 4G, 5G and WiFi. Whilst most of the patents when tested in court are likely to be invalid or not infringed, many will relate to the provision of the network by the network operator, as well as products, such as handsets, that communicate with the operator networks. UK courts have indicated a willingness to grant injunctions in the UK for SEPs, unless defendants agree the terms imposed by the courts (including the setting by a UK court of global SEP licensing rates).
The provisions in the Act therefore mean that CPs, such as network operators (and mobile virtual network operators) will now need to consider the risks of an injunction being granted for a SEP which might compromise the availability of their network or service. In addition, they will now need to actively take steps to reduce the risk of, and prepare for, such an injunction being granted.
Issues for CPs
A challenge for CPs is that there are so many patents declared essential to standards, such as 4G and 5G, that it will not be possible for operators to assess which of the patents are essential, valid and infringed. Complicating matters further is that many standards relevant to networking technology, such as 3G, 4G, 5G, Zigbee and WiFi, target aspects of data security and privacy in these networking systems, for example encryption, keys, base-stations and device recognition, etc., for which there are many claimed SEPs.
The risk of a security compromise is exacerbated because in a normal supply chain environment a buyer of goods or services would expect their suppliers to be able to obtain licences to patents that are infringed, so the suppliers can ‘pass through’ the IP rights, and buyers would expect the contracts with their suppliers to provide indemnities in their supply agreements.
However, in the telecoms industry there are currently some unusual and unique practices whereby not all suppliers can even obtain licences to SEPs at the moment. This is because a few companies are ‘holding out’ and refusing to license their SEPs to all companies in the supply chain that want a licence, preferring to seek licences from end customers, such as network operators. Vodafone in the UK is already a defendant in proceedings brought by IP Com for alleged infringement of a 4G/LTE SEP, although the asserted patent in that case expired in 2020, so there is no risk of an injunction in that case. However, if a claim is brought against an operator on an unexpired patent, then the injunction issue will be a very live one.
For 5G and Open RAN, the UK government has identified that there is a need to have a diversified supply chain given the duopoly of Nokia and Ericsson for networks and following the exclusion from the UK market of Huawei; see, for example, the UK Government’s 5G Supply Chain Diversification Strategy and the Telecoms Diversification Taskforce Report. Network operators are therefore looking to diversify their supply chains, but the risk of a security compromise is further exacerbated with 5G and Open RAN as suppliers may not be able to obtain licences at all from SEP holders. Even if they are able to obtain the grant of a licence in principle, the licence may not be granted on fair and reasonable and non-discriminatory (FRAND) terms.
How CPs can manage risks
CPs will need to consider how they can reduce the risks of security compromises occurring and how to manage that risk. This might be by contacting the relevant SSO (such as ETSI) and seeking their help in ensuring that companies that have declared patents as essential to ETSI standards grant licences to any company that wants a licence in the supply chain on FRAND terms in accordance with the relevant IPR policy.
Operators could also potentially seek indemnities from their existing suppliers, such as Nokia and Ericsson, but that will be a challenge given the positions presently adopted by Nokia and Ericsson themselves that SEP holders are not required to license SEPs to every company in the supply chain that wants one. Although Nokia and Ericsson have cross-licensed SEPs to each other for hardware and software, they now adopt the same position as part of a group that refuses to license certain companies in the supply chain. If Nokia and Ericsson cannot get SEP licences, then they won’t be able to stop the security compromise occurring. They could find themselves on the reverse end of the same positions they have both adopted.
Those in the network supply chain will also need to consider the position of Huawei, and others that may be excluded from the market in the future, who hold SEPs and who may well seek to monetise those SEPs in markets where they have been excluded.
Complying with duties under the Act
The new Telecommunication (Security) Act provides that the Secretary of State may issue a Code of Practice. If an injunction is granted, the CP has a duty to inform Ofcom as soon as is reasonably practicable of any security compromises that may have an effect. Ofcom has a further duty to inform the Secretary of State if there is a risk of a security compromise occurring. Given that many SEPs will necessarily be infringed when a network operator provides goods or services, there is already a risk of such a security compromise occurring, and the network being unavailable. Ofcom may already be considering the position but, under the Act, Ofcom must seek to ensure that providers comply with the duties imposed upon them, and there is civil liability for failure of service providers to comply with the Act.
The Act unfortunately means more work and risk assessment for CPs. Operators may want to consider making submissions to the UK IPO who have recently issued a Call for Views on SEP issues. The final date for submission of views is 1 March 2022.
This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please note that the law may have changed since the date of this article.