Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) (Amendment) Regulations 2024
(Limited Text - Ministerial Extracts only)
Read Full debate
Lord Clement-Jones (LD)
My Lords, I thank the noble Lord, Lord Leong, for his introduction, but I am slightly baffled by this SI. I looked up whether the Commons had had its debate on it and found that it took place on 21 May 2024. Then I looked at the impact assessment, which seems to be dated 2023. I do not quite know why we are dealing with a historic SI almost a year later. What has happened in the intervening period? The Minister did not mention anything to do with that. Is this some oversight by the department? Has something happened? Was somebody ill and could not deal with this in the House of Lords? It is a rather peculiar situation.
The second rather strange aspect of this is that, when the Automated Vehicles Bill was going through, my noble friend the late Baroness Randerson, who was mentioned by my noble friend Lady Smith—it is rather coincidental that this was one of her big issues: automated vehicles and the data relating to them—raised questions about protection of personal privacy and the national security implications of the data being retained by manufacturers of automated vehicles. She also raised the possibility of a cyberattack that could paralyse traffic over a considerable area. Those concerns were also raised by my honourable friend Wera Hobhouse in the Commons at the same time. I think the noble Lord, Lord Sharpe, might be interested in this: we were assured at that time by Ministers in the previous Government that GDPR was good enough protection in respect of automated vehicles, despite the concerns expressed by my late noble friend Baroness Randerson. Now it turns out, as set out in the Explanatory Memorandum, that special provisions are needed.
Again, this is rather baffling. We seem to be hearing either that we have an administrative problem or that there was a misunderstanding about the intended policy. In some respects, I should be pleased that the Explanatory Memorandum sets out more safeguards, because if we are going to exempt these three areas—in particular, automated vehicles—we need to know that those safeguards will be in place through other mechanisms. I will go through what those might be and put questions to the Minister about them.
How will the collection, storage and use of personal data by automated vehicles be regulated to ensure compliance with data protection laws? What specific criteria must be met for a person or body to be authorised as a self-driving entity, particularly concerning data protection? Do they need to obtain a certificate of compliance with data protection legislation from the ICO, for instance? How can the public be reassured that their personal data will be protected? How will the regulations ensure that personal data is protected, not only during vehicle operation but after the ownership of a vehicle has ended? What are these robust personal data practices that need to be in place for companies to be authorised as self-driving entities?
What information about the data for the authorisation of automated vehicles must be provided and to whom? Will the Secretary of State consult the Information Commissioner’s Office before making regulations relating to the provision of personal data in automated vehicles, and will the ICO be including elements to do with personal data and automated vehicles in its annual report to Parliament? How will the Government protect against potential cyberattacks on automated vehicle systems?
Specifically, how do the regulations for consumer connectable products under the Product Security and Telecommunications Infrastructure Act interact with those that apply to automated vehicles and their components? Does this exempt the whole of the automated vehicle or, rather, particular connectable items in automated vehicles that would in fact be covered by the PSTI Act? How will the regulations prevent anti-competitive practices by vehicle manufacturers who might use data to restrict competition between them and independent operators?
The Explanatory Memorandum talks about the CAVPASS programme, which provides some information that is relevant. Currently, however, it does not deal directly with these specific questions regarding data handling in automated vehicles. We are promised, I think, that something is coming down the track in 2025. There is mention of a staged approach to regulations, which suggests that future measures will be introduced. When can we expect more information of the kind that I have raised? Is it not long overdue, given the speed of development of these vehicles? They are already in pilot form and we need to know that our data is secure. We are still left with questions, despite all that. I doubt whether CAVPASS is necessarily going to cover how data is collected in relation to cybersecurity and how they will be protected in that respect.
There are quite a lot of questions here, and it is rather peculiar that we were not in a position to ask these questions at the same time as the House of Commons last May. I am therefore looking forward to what the Minister has to say in reply.
Lord Sharpe of Epsom (Con)
My Lords, I thank the Minister for his explanation. I would say to the noble Lord, Lord Clement-Jones, that something did happen, and that was the general election, which we, unfortunately, lost. That no doubt explains something of the delay.
The noble Lord, Lord Clement-Jones, has asked some pertinent questions. I will keep mine a little more general, because this SI amends the original regulations and broadens the exceptions under Schedule 3. The most notable change concerns the automotive sector, as has been noted, where vehicles were previously exempt from certain cybersecurity provisions.
The new regulations align the UK’s approach with international standards. They recognise the unique nature of vehicle systems and the need for specialised cybersecurity measures. UN Regulation No. 155 on cyber security and cybersecurity management systems, which governs the security of vehicles, is now set to be the primary framework for automotive security. As far as it goes, that would obviously seem eminently sensible, but the noble Lord, Lord Clement-Jones, has highlighted that there are a number of broader, perhaps more philosophical, questions about the direction of travel—that is not a pun—with regard to EVs, self-driving vehicles and vehicle autonomy, which we will have to grapple with at some point in the future. I imagine that this is a subject to which we will return.
My questions are a little more general. The regulations are undoubtedly important for protecting consumers and securing digital infrastructure, but we must consider the broader implications. The automotive sector is rapidly evolving, as has been noted, and the development of automated vehicles holds significant economic and societal potential. However, with innovation comes the risk of regulatory frameworks that struggle to keep pace; that is self-evident. How do we ensure that these cybersecurity measures do not inadvertently stifle technological advancement in areas and sectors such as the automotive sector? How do we end up striking the right balance between securing the technologies and enabling them to flourish?
There is also a question here around consumer awareness; again, this was highlighted by the noble Lord, Lord Clement-Jones. How long would an individual’s data be attached to a particular vehicle, for example, even after it is sold? These regulations require manufacturers to disclose the duration of product security support, but how well are consumers equipped to understand and act on this information? Are we confident that the public are sufficiently informed about the critical nature of cybersecurity? Will the Government commit to taking the necessary steps to help customers and consumers protect their devices and data? It seems to us that this is an area where the education of the public must go beyond the bare minimum. We need to ensure that consumers are not left in the dark about the sorts of security risks that they may face.
We must also consider enforcement. With the proliferation of smart products entering the market at such an unprecedented rate, how will we ensure consistent and effective compliance across such a diverse range of industries, from household appliances to vehicles? As new technologies emerge and evolve, the enforcement mechanisms that are in place today may not be enough. Are we allocating the necessary resources to monitor and enforce these standards effectively? Are the Government allocating additional resources to help those things along? Does the current enforcement mechanism system adequately address the rising complexity and scale of the challenges ahead?
As I said, these are broader, more philosophical questions—I do not expect the Minister to be in a position to answer them and there is no need to write—but these are the sorts of things that we all need to consider as a society. Obviously, that will have political, economic and societal ramifications that we all need to consider, but the Opposition have no objection to these regulations; they make perfect sense for now. I suspect, however, that this is a subject to which we will return.
Lord Leong (Lab)
My Lords, I thank the noble Lords, Lord Clement-Jones and Lord Sharpe, for their contributions.
I will first address the question asked by the noble Lord, Lord Clement-Jones: why the delay? As the noble Lord, Lord Sharpe, mentioned, it was a result of the general election. At the same time, we were waiting for the Department for Transport to progress UN regulation No. 155, until such time as we knew that we must take this exception out of the current regulations. That is the reason for the delay, basically; it was also about finding parliamentary time to table these regulations. That is that on the delay.