ECTEL proposes net neutrality language in draft regulations to complement revised Electronic Communications bill

The Eastern Caribbean Telecommunications Authority (ECTEL) is the regional, multi-state telecoms regulator for the Eastern Caribbean.  Recently, ECTEL put forward a slew of recommendations on various regulatory instruments to be enacted in the Eastern Caribbean. The regulations would go hand-in-hand with the proposed revisions to the Electronic Communications bill.

The proposed regulations cover: infrastructure sharing; submarine cables; market assessment; retail pricing regulation; and consumer protection

From an end-user perspective, the Consumer Protection regulations are clearly the most notable. Within those regulations are provisions which, interestingly, tackle net neutrality, protection of consumer data as well as privacy. 

In my estimation, the inclusion of net neutrality is the most impressive aspect of this proposed regulation. In a global context, only Brazil, Chile, the Netherlands and the United States have already expressly put in place substantive net neutrality legislation.

If passed, the Eastern Caribbean would, therefore, join an exclusive club of forward looking nations who have already explicitly enshrined net neutrality in legislative enactments. Pretty heady stuff.

On review, the Electronic Communications bill itself merely defines net neutrality and includes it as an object of the act. Curiously, the bill itself does not enshrine the right per se. Rather, the heavy lifting is left for the proposed consumer protection regulation. This is concerning for two reasons: 

  1. by placing it in the consumer protection regulation, it presumes that net neutrality is primarily about protecting end-users. Indeed, the language used, confirms that this seems to be the aim. This is problematic since it only covers half of the parties who are potentially negatively impacted by interferences with the delivery of content over the internet’s infrastructure. The reality is, it is also digital service providers who’s ability to deliver content over the internet who lose when an ISP decides to intervene.
  2. if it is a substantive right then surely the appropriate place to secure it is in substantive legislation which, at the very least, would require the rigour of two houses of parliament to interfere with in future. With mere subsidiary statutory instruments, it is much easier to amend without rigorous scrutiny. Therefore, it stands to reason that it could easily be amended in future. 

To be sure, I have, in the past, argued that the most effective manner for a country’s legislature to handle changes in technology is to have subsidiary legislation bear the brunt of the particular legislative innovation. Therefore my view here may appear contradictory. However, net neutrality isn’t a fad concept or technology that requires a state to grapple with its shelf life as a consideration in determining the legislative rigour necessary to usher it into society. In 37 years netizens will still argue back and forth about protection of net neutrality as a fundamental internet-related right. It is an enduring principle and its rightful protection mechanism, therefore, is in substantive legislation.

The consultation period for the proposed legislation initially expired on March 11, 2016 but has since been extended to May 12, 2016, so there is time to review and make any comments.

Link: Full Proposed Regulations. (pdf)

Link: Proposed revised Electronic Communications Bill for the Eastern Caribbean (pdf)

Link: Announcement on the ECTEL website.

Cyber security Report on Latin America and the Caribbean

Last Month, the Inter-American Development Bank, in association with the Organisation of American States, launched a publication titled: 

Cybersecurity: Are We Ready in Latin America and the Caribbean

image

According to the blurb on the website: 

The 2016 Cybersecurity Report is the result of the collaboration between the Inter-American Development Bank (IDB), the Organization of American States (OAS), and the Global Cyber Security Capacity Centre (GCSCC) at the University of Oxford. The report presents a complete picture and update on the status of cybersecurity (risks, challenges, and opportunities) of Latin America and the Caribbean countries.

Importantly, the report was the result of self-assessments by key stakeholders within each jurisdiction under review.

In respect of the key findings, a good summary comes from the preface by the current IADB President, Luis Alberto Moreno, who notes that:

The analysis of its 49 indicators shows that several countries in the region are vulnerable to potentially
devastating cyberattacks. Four out of five countries do not have cybersecurity strategies or critical infrastructure
protection plans. Two out of three do not count on command centers and cybersecurity control. The vast
majority of prosecutors lack the legal capacity to pursue cybercrime actions.

 

Among the more interesting aspects of the report is the model developed to assess the state of cybersecurity in LAC. The report applies what they describe as a “Cybersecurity Capability Maturity Model” (CMM). The CMM is based on a model developed by the

Global Cyber
Security Capacity Centre
at Oxford University and has five designations: startup; formative; established; strategic; and dyamic.  After analysing each country’s situation, that country is graded using the CMM designations in respect of 49 specific indicators. In turn, the 59 indicators were grouped into five broad categories:  

  1. National Cybersecurity Policy
    and Strategy (Policy and Strategy); 
  2. Cyber Culture and Society
    (Culture and Society); 
  3. Cybersecurity Education, Training and
    Skills (Education); 
  4. Legal and Regulatory Frameworks (Legal
    Frameworks); and 
  5. Standards, Organizations and Technologies
    (Technologies).
image

From a Caribbean perspective, the report is very comprehensive. All 12 Commonwealth Caribbean Countries and 14 CARICOM-party states overall (Haiti and Suriname are also included) are covered in the report. For context, 32 Latin America and Caribbean countries were surveyed in total.

To my mind, the biggest value of this report for Caribbean states is the quick diagnosis it provides of the weak area(s) in various states. This understanding should significantly assist in determining which areas should be prioritised by governments in the region and, by extension, where scarce state resources should be directed. Similarly, it should also be useful to civil society actors and organisations in determining which cybersecurity and ICT issues need flagging and actioning the most in their respective territories.

Implicit in the foregoing, is another important purpose that this report serves: it underscored the nuanced challenges we face from jurisdiction to jurisdiction in respect of not just cybersecurity but ICT issues generally. By extension, the findings confirm that the one-size-fits-all-in-the-region approach to analysing and addressing challenges is woefully outdated.

You can directly download the report as a pdf (English | Español

Also, I should mention that the IADB has shared the dataset that was mined to create the report. If you are interested in sifting through the data yourself

(and have the time), you can grab it here.