United Kingdom | Publication | September 2023
There is significant interest among investment funds in investing in the roll-out and take up of fibre-to-the-home (FTTH) networks in the UK which, along with incentives from the UK government, has resulted in a boom of regional and national fibre network providers and internet service providers (ISPs), with now over 150 broadband providers in the market, according to USwitch.
Growth in the sector is in large part due to a demand for higher broadband speeds arising from a shift towards remote working and customers’ media usage, as well as a conscious push from the UK government (which has included grant funding in the form of the Building Digital UK voucher scheme).
While investment has slowed recently due to lower than anticipated uptake in customer connections, higher costs of capital and concerns regarding over-build, we are nonetheless seeing a number of new equity and debt financings, as well as a likely uptick in consolidations in the market.
Here we set out the key regulatory and data protection considerations that investors in this sector should bear in mind when investing in the UK fibre space and that should be borne in mind in the context of consolidations in the space, in the following parts:
The UK’s national security regime under the National Security and Investment Act 2021 (NSI) entered into force in January 2022. The NSI introduced a statutory regime for UK government scrutiny of, and intervention in, investments for the purposes of protecting national security.
The practical implication of the NSI is that the UK government will be more likely to intervene in transactions under this new regime than under the previous Enterprise Act 2002 (which fell away when the NSI came into effect). This is particularly the case given the significant expansion of the types of transactions covered by national security reviews.
A mandatory notification to the Investment Security Unit (ISU) within the Department for Business, Energy and Industrial Strategy (BEIS) is required if:
Depending on the exact scope of business of the relevant altnet or ISP, the key sectors relevant to the FTTH sector are likely to be “Communications” and/or “Data Infrastructure”. A full analysis would need to be undertaken in respect of any investment into, or acquisition of, an altnet or ISP to determine whether such sectors are relevant, but we note that the “Communications” sector would require the target group to have a revenue of at least £50m or provide facilities to providers of electronic communications networks or services that have a revenue of at least £50m.
The “Data Infrastructure” sector would typically be relevant if the altnet provides data infrastructure or transmission services to certain named public authorities or provides infrastructure on a wholesale basis only.
The mandatory notifications should not be considered without appropriate professional advice because:
Parties to transactions that do not meet the criteria for mandatory notification may submit a voluntary notification to the Secretary of State if they consider that their acquisition may constitute a trigger event that could raise national security concerns. The following considerations apply:
For further details on the National Security and Investment Act 2021, see our publication, The UK’s new NSI regime: What do you need to know? and One year on: What should you know about the first year of the UK NSI regime?
The Telecommunications (Security) Act 2021 (TSA) received royal assent on 17 November 2021 and amends the Communications Act 2003. Its primary purpose is to strengthen the security framework applicable to technology used in 5G and full-fibre broadband to protect UK telecommunication networks against hostile cyber activity.
Ofcom has the duty to monitor and enforce compliance with the TSA requirements and has been given the power to impose fines up to a maximum of 10% of the provider’s relevant turnover, or £100,000 per day in the case of a continuing failure to comply.
Additional responsibilities relating to protecting data, monitoring of networks and considering supply chain risks are imposed on communication providers under the Electronic Communications (Security Measures) Regulations 2021, which came into force on 1 October 2022. Different levels of oversight will apply to telecommunication providers depending on their size and relative importance. The Telecommunications Security Code of Practice accompanying the regulations came into force in December 2022.
The TSA enables the UK government to issue Designated Vendor Directions in relation to high-risk vendors considered to be a threat to national security. In 2021, the UK government consulted on a Designated Vendor Direction in relation to Huawei. A legal notice was subsequently issued requiring the removal of Huawei equipment from 5G networks by the end of 2027 and the removal of Huawei equipment from the network core by 31 December 2023.
Such notices are rare but their implications are costly, and technical and commercial diligence into altnets should be used to understand the amount of Huawei equipment used in the network and the costs of replacement.
The TSA’s requirements to safeguard data and respond to security compromises arising from data incidents should be considered alongside the requirements of the data protection laws as detailed below.
The NIS Regulations (implementing the European Union’s NIS Directive) came into force in the UK on 10 May 2018 with the purpose of raising levels of cyber security and resilience of key systems. They:
The NIS Regulations apply to OES, which are organisations that meet certain threshold conditions in the energy, transport, healthcare, utilities and digital infrastructure sectors, or which are otherwise designated as being an OES by the applicable appointed “Competent Authority” (which, in the case of digital infrastructure OES, is the Office of Communications), even where the threshold conditions are not met.
Digital infrastructure services that are automatically designated as OES include LD (top-level domain) name registries, DNS (domain name systems) service providers and IXP (Internet exchange point) operators.
OES are required to take appropriate and proportionate technical and organisational measures to manage risks posed to the security of the network and information systems on which their essential services rely, taking into account the state of the art and ensuring a level of security appropriate to the risk posed. Measures include:
Providers of essential services must notify their designated Competent Authority within 72 hours of any incident that has a significant impact on the continuity of the essential services that they provide. Such “incidents” may include:
In determining whether an incident has a significant impact, an operator should take into account criteria such as the number of users affected by the disruption, the duration of the incident and the area affected by the incident.
The NIS Regulations impose similar security, monitoring and reporting obligations on RDSPs that provide online marketplaces, search engines or cloud computing services in the UK.
Any entity that is classified as an RDSP must register with, and will be regulated by, the Information Commissioner’s Office (ICO).
In the event of any “incident” (which is defined as “any event having an actual adverse effect on the security of the network and information systems”), a notification must be made to the ICO within 72 hours.
While this requirement will be less relevant to passive network providers and traditional ISPs, it should be considered where an ISP is also providing business-to-business (B2B), cloud and other network-as-a-service (NaaS), platform-as-a-service (PaaS) or software-as-a-service (SaaS) services, depending on the type of services provided.
The Regulation of Investigatory Powers Act 2000 (RIPA):
The Investigatory Powers Act 2016 (IPA) (often referred to as the “Snoopers Charter”):
The following considerations apply in relation to the definition of “telecommunications operators”:
The IPA 2016 reformed the regime under which UK law enforcement bodies and intelligence agencies can be authorised by warrant to conduct interception, equipment interference or bulk communications data acquisition, providing that a warrant will only be issued where it is necessary, proportionate and justified in the interests of national security, the economic wellbeing of the UK, or in support of the prevention or detection of serious crime.
TOs can be compelled under IPA to hack, decrypt or retain internet connection records of their users and/or electronic communications, such as telephone records and emails, to enable access by police, security agencies and other related public bodies.
Certain of the obligations under RIPA and IPA are very invasive and can conflict with requirements under applicable data protection law (discussed in more detail below) including in some cases, the data protection regimes of different jurisdictions. RIPA and IPA can also be costly and disruptive to comply with.
Prior to considering investing in a TO, investors should check whether the TO has any outstanding obligations under RIPA, as well as how many requests it has previously received, to the extent that the relevant warrant does not prohibit such disclosure.
Publication
Miranda Cole, Julien Haverals and Emma Clarke of our Brussels/ London offices are the authors of a chapter on procedural issues in merger control that has been published in the third edition of the Global Competition Review’s The Guide to Life Sciences. This covers a number of significant procedural developments that have affected merger review of life sciences transactions.
Subscribe and stay up to date with the latest legal news, information and events . . .
© Norton Rose Fulbright LLP 2023
