Product Security and Telecommunications Infrastructure Bill
(Limited Text - Ministerial Extracts only)
Read Full debateTuesday 21st June 2022
(1 year, 10 months ago)
Lords ChamberProduct Security and Telecommunications Infrastructure Act 2022 View all Product Security and Telecommunications Infrastructure Act 2022 Debates Read Hansard Text Amendment Paper: HL Bill 16-I(a) Amendment for Committee (Supplementary to the Marshalled List) - (20 Jun 2022)
The Earl of Erroll (CB)
My Lords, I want to say just a couple of words because, having read this and listened, I think the amendment has a very good point. I like the concept of a duty of care, because if we do not have that, who are we worrying about? In fact, Clause 7, on “Relevant persons”, is all about the manufacturers, importers, distributors, et cetera, with nothing about the customer, the poor person who is going to get hit by it. It is a very good idea to put that in at the beginning, setting down some principles and duties, because the other trouble is that by the time that we have done all these bits and pieces, made the regulations and the provisions, we are always acting after the event. What we need is a bit of proactivity, and we get that in this suggested new clause, because manufacturers, importers and distributors would have to make sure that products met certain minimum requirements. They would need to understand what “emerging security threats” there were; in other words, thinking ahead to the next stage and not just saying, “Oh, well, it complied with those things last year”, by which time the horse has bolted and we are far too late. So, I like it.
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Parkinson of Whitley Bay) (Con)
I am grateful to the noble Lord, Lord Fox, and, in his absence, the noble Lord, Lord Clement-Jones, for their Amendment 1 and for the wholly positive intention with which it has been tabled. I was grateful to have had the opportunity to talk to them about it before Second Reading as well. As the noble Lord set out today, he has argued that customers deserve some high-level principles setting out the security protections they should expect when purchasing consumer-connectable technology. In fact, Amendment 1 goes further, as noble Lords have noted, and would require manufacturers to owe their customers a “duty of care” to protect them. We are not as keen as the noble Earl, Lord Erroll, on that.
The first problem we have with a duty of care is that it could give consumers a false sense of security. If consumers buy well-designed technology products which meet the best standards, it considerably lowers risk, but with cybersecurity there is no such thing as zero risk: the most aggressive and well-resourced hacker will find a way. Somebody may have a quality product, but have they secured their wi-fi router? Do they have some legacy technology on their network? Manufacturers of a single device do not control the whole range of apparatus which constitutes the attack surface so cannot always provide an absolute security warranty, and they cannot always predict the next attack vector.
The second problem we have is that we have learned that the security of devices is best served by standards rather than principles. If one sets standards, one can send a device to a laboratory and assure oneself that those standards have been met. If one sets principles, that does not apply. That is why the Bill is designed to give force to standards. Those standards, developed here in the UK and now adopted by Governments and jurisdictions across the globe as well as by international standards bodies, are widely recognised significantly to lower risk for consumers.
Of course, we believe that the responsibility for the security of connectable products most effectively lies with the manufacturer. We expect manufacturers to take security seriously, to implement measures to develop and maintain an awareness of the security of their products, and to be up front with customers about the security support they can expect. We have tried voluntary compliance, with our code of practice which was published in 2018. We now need mandatory requirements, and that needs specific security requirements that can be independently assessed. The legislation must enable the Government to keep pace with market dynamics and the changing technological landscape—as the noble Baroness, Lady Merron, said, it is important that we move with the times. The flexibility to be able to set different security requirements for manufacturers, for importers and for distributors is key to this.
Amendment 1 in the form drafted would place an equal weight on the duties of each of these three groups to secure products. Compelling the Secretary of State to have regard to this general duty could constrain the Government’s ability to set specific security requirements in the future. Crucially, these principles could restrict the use of powers in this part of the Bill, working against the Government’s ability to bring this regime into force and impeding our ability to keep that regime future-proof. I should also say to noble Lords that industry and consumer groups have not raised the need for general principles such as this. Our efforts to engage and communicate our intentions have been clear, and the requirements we have set out for the relevant persons have been widely understood and are in line with international standards.
The noble Lord, Lord Fox, asked why the Government have chosen these three specific security requirements rather than others. During the consultation in 2019, we explored a number of options including mandating that all consumer-connectable products meet all 13 guide- lines in the code of practice. They are all important, but the majority of respondents supported the option that the top three security requirements represented the most appropriate baseline, by balancing the important requirements that are testable, being applicable across a range of devices and creating the right incentives to improve security in these products. That is why the Government are initially mandating the implementation of security requirements that will make the most fundamental impact on the risks posed by insecure consumer-connectable products for consumers, businesses and the wider economy.
The noble Lord also asked about where products end and apps begin. The powers in Part 1 allow Ministers to set out requirements that include products and software. The proposals in the consultation he mentioned relate to those who operate app stores. So, while I acknowledge the good intentions behind it, I hope I have been able to set out why the Government feel that this amendment—
Lord Fox (LD)
I thank the Minister for giving way. That does not answer the question of where an app starts. If I am downloading Nest for my heating system, I am getting it from an app store, so where is the regulation coming? Is it the app that is coming from the app store, or is it the connectable device law that is coming through here? In which case, I think some explicit connectivity between the apps that run the connected devices needs to be written into the Bill.
Lord Parkinson of Whitley Bay (Con)
Perhaps, if the noble Lord is happy, we can explore this. The example he gives, as he knows, includes software and technology. Perhaps we can have a detailed discussion where we can work through some of those examples. I would be very happy to talk to him about them because on the question he poses the line is drawn in a different place depending on the product and its nature.
The Earl of Erroll (CB)
The Minister talked about standards a moment ago. If we are going to rely on standards, who is writing them? I presume that he is talking about British standards; to write a standard will take a year or two. I hope that the Government are going to fund it. We got no help from them in trying to fund stuff around age verification, even though that was core to the Digital Economy Act. If we are going to elevate it to an international standard, that will take another year or two, so we will not see any action for a long time if we are going to rely on externally written standards. I have chaired two BSI standards so far, and it does not happen just like that.
Lord Parkinson of Whitley Bay (Con)
Some of the standards in this area have been set in the UK and have already been adopted by other jurisdictions, so I hope that we can give the noble Earl some reassurances. While I acknowledge his point about the time it takes for these to be adopted internationally, in some areas the UK is setting the way, and these are being picked up across the globe.
As I said, while I note the good intentions behind Amendment 1, these are the reasons why the Government are unable to support it. However, I am very happy to pick up the questions about apps and products with the noble Lord and others who wish to join that conversation. I hope that, for now, the noble Lord will be content to withdraw his amendment.
Lord Fox (LD)
My Lords, while that was a relatively disappointing response, I am pleased that we can have the discussion about apps. I thank noble Baroness, Lady Merron, and the noble Earl, Lord Erroll. I think he put his finger on it. If we are to keep pace with the speed of change only through a standards regime without making the companies delivering these products in some way responsible—whether through a code of practice or a duty of care, I am not quibbling—there is no way that a standards regime can keep pace with the innovative speed that international crime is running at on cybercrime.
The idea that we can chase this down the road is wholly wrong. I ask the Minister to sit down with the department and perhaps we can come up with a different way of doing it. I am totally agnostic about how we go about it, but some sense that we are not just chasing this needs to be in this Bill, otherwise it is going to be after the fact. That said, I am happy to beg leave to withdraw Amendment 1.
Lord Fox (LD)
My Lords, I will speak to Amendments 3 and 5 and in support of the other two amendments in this group. All these amendments refer to Clause 1 and seek to add some specificity to its general nature. The first amendment in my name and that of my noble friend Lord Clement-Jones is Amendment 3. This inserts a new paragraph (c) into Clause 1(1), adding the text
“children where they are not primary users of products but are subjects of product use”.
Why is this necessary? Here I am indebted to a report on cybersecurity, the UK Code of Practice for Consumer IoT Security produced by the PETRAS National Centre of Excellence for IoT Systems Cybersecurity. Noble Lords may be aware of this group; it has a very strong record in this area. It is a consortium of leading UK universities dedicated to understanding the critical issues of the privacy, ethics, trust, reliability, acceptability and security of IoT. I commend this organisation to the small number of noble Lords in this Chamber interested in this area.
This report highlighted, among other things, the importance of children’s connected toys receiving the necessary scrutiny, due to the implications of embedded cameras and microphones, with the aim of ensuring the child’s and the parents’ protection and right to privacy. Such devices include a wide range of everyday artefacts with internet connectivity intended for use by children or in caring for them, such as interactive toys, learning development devices and baby or child monitors.
These connected toys and tools have the potential for misuse and unauthorised contact with vulnerable minors. The British Toy & Hobby Association has responded by offering a range of guidance notes and by interpreting the code of practice, but with SMEs manufacturing most of these devices, there is much more to be done to ensure that those organisations are sufficiently informed and equipped to produce and market toys that are secure.
Security is not straightforward, as the Minister has already pointed out. While these devices offer a range of advantages through their connectivity, they also potentially expose children and their families to risks that have not yet been fully articulated to many of the consumers who are buying these toys.
A real-life example is that the toy giant Mattel launched Hello Barbie. The Minister may be familiar with it—I do not know. This was as far back as 2015. It was a very innovative toy which it launched with a start-up business called ToyTalk. The principle of this toy was that it could converse using internet connectivity with speech recognition, so as well as talking it could listen. Hello Barbie also allowed parents to log in later and eavesdrop on their children’s conversations with their toys. I will leave your Lordships to decide the ethics of that.
But this connectivity raised some concerns, primarily around who could listen in and record these devices and store conversations and behavioural and location data, and for what purpose this data could be used. Toys like these are now prevalent and they raise significant questions about the appropriate support and guidance for the toy manufacturers, which understand an awful lot about conventional safety—they know how to make physically safe toys—but do not have a track record on developing informationally and data-safe toys because they have never been asked to do that before. This is a new venture for them, and it requires a totally new set of skills and standards, as the Minister might say.
As technology evolves hacking is increasing in sophistication, so it is necessary to keep moving forward. The challenge for cybersecurity in remaining ahead of the risks is inevitably a technological one, and the Minister may remember that the Hello Barbie toy, having been launched and lauded for its security, was ultimately found at some point to have serious security issues. Even that toy, from a very large manufacturer, fell foul of the progress of information crime.
Nevertheless, it is clear that today some toy manufacturers are releasing connected toys without adequate safety and security features. This is a competitive and dynamic marketplace—a lot of it is to do with price—and first movers are rewarded. In addition, the skillset and knowledge base, as I have just said, for conventional toy safety is mismatched with these new toys and we need to find a way of addressing that divergence. This is going to require investment and new learning and will not happen unless the toy manufacturers are required to do it.
Secure software development and cybersecurity are novel demands on this sector. However, the fact remains that these toy manufacturers are potentially placing consumer safety and privacy at risk. It does not matter whether this occurs due to the immaturity of the sector, market pressures or the lack of sectoral attention to the problem.
In the view of the Petras report,
“there are no indications that this will be addressed through market forces. Instead, the certainty of legislation to maintain standards would level the playing field and make clear for SMEs where they need to invest to make their toys market ready.”
Thus, more than the technological challenge of staying ahead of hackers, what is salient here are the challenges to the implementation of basic security features in manufacturing such as basic authentication and encryption, without which children’s safety and security is at risk.
This amendment explicitly places child security front and centre in this Bill. In other legislation involving the internet and digital issues, such as the Online Safety Bill, the Government have imposed more onerous duties on those delivering services to children than to adults. This amendment would be entirely consistent with that approach—very much in the spirit of understanding that our children and young people are more vulnerable and therefore need more protection from harms.
I turn next to Amendment 5. The eagle-eyed among your Lordships will spot that it is very similar to Amendment 4, proposed by the noble Baroness, Lady Merron, and set out very elegantly by the noble Lord, Lord Bassam. In fact, I would suggest that, largely, its construction is better than ours because they managed to do the same thing in fewer words. I will speak to Amendment 5 but my comments apply to Amendment 4 as well.
Amendment 5 seeks to ensure that:
“Regulations under this section must include provision that all security requirements specified in accordance with this Act are included as essential requirements in statutory conformity assessments and marking procedures under the Radio Equipment Regulations 2017 … and in any other such assessments and procedures applicable to relevant connectable products.”
I am speaking to the spirit of both these amendments. Amendment 5—similar to that of the noble Lord, Lord Bassam—follows on from the advice and help of Which? I thank that organisation, which has really been at the forefront of the consumer issues involved. In essence, the amendment picks up on three of the issues that the Minister tells us will be dealt with in SIs as soon as the Bill becomes an Act, but it takes the rather stronger approach of placing them in the Bill.
Paragraph (a) of proposed new subsection (2A) goes further than the general principle in specifying that passwords are not to be weak. As Which? explains, many smart products push the user to create a password themselves, rather than use a default password. However, they then allow weak and easily guessable passwords to be created, meaning that the risk of compromise stays high.
One of the outcomes of this amendment would be the introduction of a requirement for responsible password policy guidance to be adopted by the industry to ensure that security liability is not simply passed from the device manufacturer to the consumer. The Bill and associated guidance should be amended to clarify that every individual device must have a unique or user-set password that meets effective complexity requirements.
Paragraph (b) of proposed new subsection (2A) seeks to avoid the risk of disclosures going into a black hole or taking many years to fix. The Bill and associated guidance should be amended to make clear what is required of manufacturers, importers and distributors on provision of disclosure policy information, particularly around vulnerabilities. The appointed regulator should also clearly define and distribute a risk assessment framework for vulnerabilities that removes any sense of subjectivity and ensures that the response is effectively mandated.
Paragraphs (c) and (d) of our proposed new subsection concern the length of time a product is supported. The Government should introduce mandatory minimum support periods for smart products and consider whether these periods should reflect how long consumers, on average, continue to use such products. There is a precedent here. New ecodesign and energy labelling requirements came into force in England, Scotland and Wales in 2021. They include a requirement for electronic display items, including televisions, to be provided with firmware and security update support for a minimum of eight years after the last unit of a model has been placed on the market. A consistent approach to support periods for a range of products therefore needs to be considered, and it has already been considered in this other legislation.
Customers need absolute clarity on the support period manufacturers will offer, so that they are able to make more informed purchasing decisions. There must be a clear definition of what the “point of sale” means and how this relates to the definitions of “supply” in Clause 55. Without clearer specifications on what form the transparency requirements will take, there is a risk that this information could be hidden, obfuscated or even mislead. This amendment is designed to probe the Government’s thinking on these very important issues.
Finally, and very briefly, as a signatory to Amendment 2, I give it my full support.
Lord Parkinson of Whitley Bay (Con)
I am very grateful to noble Lords for setting out the cases for Amendments 2, 4 and 5. Since January 2020 the Government have been clear on introducing security requirements based on the three guidelines to which I referred in the previous group.
The commitment to set requirements has been made in response to consultations, published strategies and indeed to the Explanatory Notes to this Bill. Our notification to the World Trade Organization also contained reference to some of these documents. We have put manufacturers, trade bodies and industry representatives on notice. Supply chains are long and surprises unwelcome, so the Government have been very clear on whither we are heading.
Amendment 2 would remove any discretion the Secretary of State has to make regulations. I appreciate that the intention behind tabling it is to explore this issue, and I hope I can assure noble Lords that it is not needed. The regulations will be made, and swiftly. Indeed, we have already consulted on them, in 2020, which I hope gives noble Lords some reassurance that we intend to move swiftly in this area.
Amendments 4 and 5 would insert specific security requirements into the Bill. As several noble Lords mentioned at Second Reading, it is important that technology regulation enables the Government to respond to changes in threat and technology, and to the regulatory landscape. That is precisely why the Bill does not contain details of the requirements that the Government have assured industry they will set out.
Lord Fox (LD)
Perhaps the Minister should consult whoever drew up the legislation that managed to mandate that televisions should be updated for firmware and software for up to eight years after they have stopped being manufactured. Clearly, those people managed to find consensus among the industry—or decided to ignore consensus—and deliver something. If it can be done for electrical display devices, such as televisions, I do not see why it cannot be done here if there is a will to do it. However, I think the Minister is telling us that there is no will to do it.
Lord Parkinson of Whitley Bay (Con)
The noble Lord referred to mandatory minimum support periods for electronic display items and the Ecodesign for Energy-Related Products and Energy Information Regulations 2021. It is not quite correct to say that those requirements are applicable. They ensure that the last available security update continues to be available for at least eight years after the last unit of a product has been placed on the market but the requirement does not ensure that manufacturers continue to provide new security updates over that period to ensure that the product remains secure in response to changing threats.
Lord Fox (LD)
I did not say that those requirements are applicable; I implied that they are analogous. Frankly, the fact that there is some mandating of security support after the product has stopped being manufactured is a heck of a lot better than the situation for all the connectable devices we are currently talking about, where there is no requirement at the moment.
Lord Parkinson of Whitley Bay (Con)
I do not think that they are quite analogous. As I say, it is about the requirement to keep the last available updates available to consumers for eight years rather than evolving them. We do not yet consider that there is sufficient evidence to justify minimum security update periods for connectable products, including display equipment—certainly not before the impact of the initial security requirements is known.
It is important to stress that, as consumers learn more, they will expect more. This will drive industry to respond to market pressure. If the market does not respond to this effectively, the Government have been clear that they will consider the case for further action at that point, but we think that consumer expectation will drive the action we want to see in this area.
Amendment 3, tabled by the noble Lords, Lord Clement-Jones and Lord Fox, refers to children. All noble Lords will agree, I am sure, that protecting children from the risks associated with connectable products is vital. I assure noble Lords that the security requirements we will introduce are designed with consideration for the security of all users, including children, alongside businesses and infrastructure. The Bill already gives the Government the flexibility to introduce further measures to protect children, whether they are the users of the products or subject to other people’s use of a product. We therefore do not think that this amendment is necessary as this issue is already covered in the Bill.
The Bill, and forthcoming secondary legislation, will cover products specifically designed to be used by or around children, such as baby monitors and connectable toys; they include Hello Barbie, which I was not familiar with but on which I will certainly brief myself further. However, we recognise that the cyber risks to children are not limited to the connectable products in the scope of this Bill; indeed, a lot of the issues referred to by the noble Lord, Lord Fox, were about the data captured by some of the technology, rather than the security of the products themselves. That is precisely why the Government have implemented a broader strategy to offer more comprehensive protection to children—including through the Online Safety Bill, to which the noble Lord, Lord Bassam, referred.
I hope noble Lords will agree that Amendment 3 is not needed to make a difference to the Bill’s ability to protect children from the risks associated with insecure connectable products—this is already provided for—and will be willing either to withdraw their amendments or not move them.
Lord Bassam of Brighton (Lab)
My Lords, this has been a useful and interesting exchange.
In my lordly world, “may” and “must” are sort of interchangeable; they were a useful peg on which to hang our discussion about the statutory instrument nature of this piece of legislation. I am somewhat reassured by what the Minister had to say about that, and acknowledge that some of the regulations were brought forward and consulted on at an earlier stage. However, we on this side of the House—I am sure that I speak for the noble Lord, Lord Fox, as well—want to see increased transparency throughout this process. So much of what is in front of us will be in secondary legislation; it is essential that we, the industry and the sector are properly consulted so that we understand exactly what we are dealing with. I make that plea at the outset.
I was pleased to hear what the Minister said about children as the primary users of particular products. I am glad that we have got beyond the “Peppa Pig” world that the Prime Minister occasionally occupies and are giving this issue proper, serious consideration. It certainly needs to be that way.
I am not entirely convinced by what the Minister said on Amendment 4. I look at our amendment; it is pretty basic, actually. It is hard to argue against setting out a particular prohibition in legislation. The ones that we have picked out for prohibition and restriction are quite important and essential. Of course, the Minister is right that those subjects will change and technology will overtake the words we use. We understand that point but we are trying to secure some basic minimum standards and protections here. Clearly, we will retreat with our amendment and give it some further thought before Report, but we may need some further persuasion on this. That said, I am quite happy to withdraw Amendment 2 and not move Amendment 4.
Lord Parkinson of Whitley Bay (Con)
The feast of amendments in this group aim to implement the recommendations of your Lordships’ Delegated Powers and Regulatory Reform Committee. We welcome the committee’s report and are considering its recommendations, as we always do. It will infuriate the noble Lords who have asked detailed questions when I say that, ahead of setting out our response to the committee, I will not be able to cover all the issues they have pressed the Government on today. I am happy to say that we will set out our response in writing ahead of Report. Perhaps once we have done that, and noble Lords have seen the Government’s full thinking in their response to the committee, it might be helpful for us to speak in detail.
The legislation has been designed to protect people, networks and infrastructure from the harms of insecure consumer connectable products, while minimising the unnecessary regulatory burden on businesses. It does so in the context of rapid technological and regulatory change, evolving cybercriminal activities and a growing impact on people in businesses, all of which require us to ensure that the legislation can evolve quickly and effectively. The UK, as I have noted, is leading the world with its approach to regulating connectable products. As other jurisdictions increasingly turn their attention to this important issue, we will use this flexibility to achieve alignment with equivalent regulatory regimes, avoiding unnecessary duplication. These powers, and the others conferred by the Bill to make delegated legislation, are crucial for it to remain effective. We have carefully considered the number, scope and necessity of these powers, and believe we have struck the right balance between the need for that flexibility and the importance of Parliamentary scrutiny, which noble Lords rightly stressed again today.
We welcome the report of your Lordships’ committee and are considering its recommendations. I am afraid I cannot, at this stage, pre-empt our response, which has to be made while considering the recommendations’ impact on the broader framework. We will return to these matters on Report, and I am very happy to have a detailed conversation with the noble Lords about our response after we have responded to the DPRRC.
The noble Lord, Lord Fox, focused on Clauses 9 and 11. I am happy to confirm that nothing about how the powers are drawn in Clause 9 is inadvertent; this was our intent. Clause 9 contains four delegated powers; they will be used predominantly to provide administrative detail deemed too technical for primary legislation. For example, they will explain what must be included as a minimum in a statement of compliance, what steps must be taken to determine compliance, where appropriate, and for how long a manufacturer should keep a statement of compliance. They will also provide flexibility to respond swiftly to changes in the market. In addition, the delegated powers in this clause may be used in the future to provide that the statement of compliance is equivalent to certain product markings, or external conformity assessments, such that a manufacturer may be deemed to have provided a statement of compliance where such markings or assessments have been made or completed. This is dependent on regulatory changes to product markings and on the development of the assurance sector for product security.
At this stage, and awaiting our response to your Lordships’ committee, I hope noble Lords will agree that it goes without saying that the Government feel these clauses should stand part of the Bill.
Lord Fox (LD)
I sort of thank the Minister for his response, which is really no response at all. He did say that it would infuriate me and he is fairly accurate about that.
As correctly noted, I am merely a cipher for the DPRRC, a very serious committee that does not produce these reports lightly. The point it is making, particularly on Clause 27, is front and centre to this Bill. Who is going to enforce it? Who decides who will enforce the Bill, and how will Parliament know if the Secretary of State decides not to tell it, under the current regulations? These are very serious matters and not ones that your Lordships’ House should step back from. I am sure that the Minister will, on reflection, understand that the DPRRC has a very important point to make. The others are important points, particularly around Clause 3, but the Clause 27 piece is absolutely central to the future of this Bill. That said, I beg leave to withdraw Amendment 6.
Lord Fox (LD)
My Lords, I rise to speak to Amendment 8 in my name and that of my noble friend Lord Clement-Jones. These are two ways of doing the same thing so I support the spirit of Amendment 7, about which we have just heard from the noble Lord, Lord Bassam.
This amendment adds the following wording to Clause 7:
“Any person who is a provider of an internet service that allows or facilitates the making by consumers of distance contracts with traders or other consumers for the sale or supply of a relevant connectable product is to be regarded as a distributor for the purposes of this Act, if not a manufacturer or an importer of the product.”
This amends the language that defines a distributor in the scope of the Bill. Online marketplaces are a mainstream form of today’s retail. Which? research in 2019 found that more than 90% of the UK population had shopped through an online marketplace within the month it was polling. That has increased during the pandemic. However, its research also consistently highlighted how online marketplaces are flooded with insecure products. It has previously demonstrated issues with the lack of legal responsibility of online marketplaces for the security and safety of products sold through their platforms.
The Government have recognised the problem, in their response to the call for evidence on product safety, that current safety rules were designed to fit supply chains as they operated before the world of internet shopping. In the realm of product safety, the Government have acknowledged that this can result in the peculiar situation where no actor is responsible for ensuring product safety. This has resulted in organisations such as Electrical Safety First repeatedly finding unsafe and non-compliant products listed on online marketplaces. Therefore, the traditional conception of actors in the supply chain is now outdated.
The Bill defines “distributor” as
“any person who … makes the product available in the United Kingdom, and … is not a manufacturer or an importer of the product.”
At present, it seems unlikely that certain online marketplaces, including eBay, Amazon Marketplace and Wish.com, will be included within the scope of that definition of distributors in the Bill. This will leave, without overstating it, a sizeable gap in the regulatory scope of this market.
Given the amount of insecure tech readily available on online marketplaces, it is paramount that these platforms are given obligations in the Bill to ensure the safety and security of the products sold on their sites, regardless of whether the seller is a third party. However, the Clause 7(5) definition of “distributor” in terms of making products available on the market is in line with existing product safety law, so we know that certain marketplaces are not classed as distributors and hence not obligated to take action. Amazon Marketplace, Wish.com and eBay are marketplaces where other people are selling; this is the issue.
This amendment seeks to expand the definition of distributors in Clause 7 to include appropriate online retailers, such as listings platforms and auction sites, including eBay, Amazon Marketplace and AliExpress. I feel sure that the Minister did not intend for the legislation to miss these marketplaces out; rather than risk this loophole going any further, we will work with the Minister and Her Majesty’s loyal Opposition to come up with some wording that absolutely iron-clads the Bill to ensure that these sorts of marketplaces are also included.
Lord Parkinson of Whitley Bay (Con)
I am grateful to noble Lords for speaking to their amendments in this group, both of which seek to make online marketplaces a “distributor”. It is vital that all products offered to consumers are secure, including those listed through online marketplaces, and we want to ensure that this is achieved in the most efficient way.
The explanatory statement for Amendment 7 suggests that products listed on online marketplaces might not be protected by the security requirements set out in the Bill. I reassure noble Lords, particularly those who tabled Amendment 7, that the security requirements will need to be met for all new connectable products offered to consumers in the UK, including those offered through online marketplaces. These marketplaces often act as a manufacturer, importer or distributor and, in those cases, they are subject to the same duties and security requirements as those three types of economic actor. If, however, the online marketplace does not fall into one of these three categories, the manufacturers, importers and distributors of those products are all still fully responsible for complying with security requirements.
Lord Fox (LD)
This has piqued my interest; how does this exercise relate to the Bill? This process of dealing with the online acquisition of unsafe products would seem to be what the Bill is doing front and centre, so what is that process? How do the two connect?
Lord Parkinson of Whitley Bay (Con)
They are complementary; the new product security framework sits alongside existing legislation on product safety, which is why we want to conduct a review of the safety framework and publish the consultation. I am certainly happy to write and endeavour to explain.
The noble Lord asked whether products sold through online marketplaces fall into a gap in the Bill. The Bill requires in-scope products offered for sale through online marketplaces to customers in the UK to be as secure as in-scope products sold, for example, in physical stores. We are mindful of the variety of services offered by different online marketplaces. Some act only as advertising platforms, while others facilitate transactions and store and ship products on behalf of the seller. As noble Lords have noted, this changes all the time. This must be carefully considered to ensure that businesses can comply with their legal obligations and that any regulation is necessary, appropriate and proportionate to provide the best protection to consumers.
Lord Fox (LD)
I am sorry to keep popping up; being a practical person, I will try to give the Minister a scenario and, if he cannot answer straightaway, he can write. I have bought a product through an online auction that turns out to be unsafe; I go back to the auction site, which tells me, “Not my problem. You have to return to the international manufacturer which made this product”, which turns out to be a brick wall and nothing comes back. First, is that online auction site correct in handing me over to the international manufacturer, which turns out to be a dead end? Secondly, if that site is correct, to whom do I go? Do I go to my local council trading officer or to the person who, under Clause 27, has been mysteriously made the enforcer for the Bill? I may or may not know who they are. How do I seek redress, and from whom?
Lord Parkinson of Whitley Bay (Con)
I will try answer the noble Lord’s question, and I am happy to write with further detail. Products sold on online marketplaces are covered by the Bill. All products sold to customers in the UK will have to comply with the security requirements set out under this framework. Where a product is sold on a third-party online marketplace, the seller will be responsible for ensuring that it is compliant. Third-party sellers who sell new products directly to customers on those platforms will also be covered under the “distributor” definition. I will happily write to the noble Lord with further detail ahead of Report but I hope that, for now, that goes some way towards addressing his question.
Lord Lucas (Con)
My Lords, I would be grateful if my noble friend included me in his replies and letters. Is he aware of the lamentable performance of Her Majesty’s Revenue and Customs when it comes to trying to enforce VAT in similar circumstances, and the enormous difficulty it has had with third-party sellers operating out of the Far East in particular? It is extremely difficult, and the volume of VAT lost runs into the billions. This is a large-scale enterprise and it will easily channel a large volume of unsatisfactory products into the UK if we do not take effective action.
I hope that the Government, in their new consultation, which I look forward to learning about, will be taking a robust attitude towards the platforms. For instance, it is entirely unsatisfactory that there should be a way in which unsafe toys can get into the hands of children at Christmas, and for which there is no effective means of prevention or redress. In other jurisdictions, these online marketplaces have proved amenable to a forceful approach by government. I very much hope that we will be joining in with that.
Lord Parkinson of Whitley Bay (Con)
I am happy to include my noble friend in the replies and the letter I send. This touches on work which falls under the Department for Business, Energy and Industrial Strategy, and the points he raised, of course, fall to Her Majesty’s Revenue and Customs. We will make sure that, having consulted officials there, we provide some details of the work those departments are doing as well.
Lord Bassam of Brighton (Lab)
My Lords, I am looking forward to the correspondence on this; I fancy that the noble Lord’s civil servants will have a tricky job on their hands. I do not think I quite got a response to what the nature of “being kept under review” really meant, but I await word in the future.
I have been reading the Explanatory Notes, as the Minister will probably be unhappy to hear, and I can see the difficulties. In trying to ensure that the legislation is focused, rightly, on the producers, manufacturers, importers and distributors, it is hard to work round that and not capture people who are simply installers of a product. On the other hand, there are circumstances where installers are primarily responsible for the effectiveness and working of the product, and if it was not for the way they install it, it would not be effective. The terms of the contract are such that it makes that difficult.
I can see the difficulty here, but for now I am happy to withdraw our amendment. In doing so, we are equally supportive of the amendment in the name of the noble Lord, Lord Fox, because the two are contiguous in their formulation.