Artificial Intelligence: Regulation
Lord Clement-Jones Excerpts(11 months, 3 weeks ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Viscount Camrose (Con)
I think I would regret a characterisation of AI regulation in this country as non-existent. All regulators and their sponsoring government departments are empowered to act on AI and are actively doing so. They are supported and co-ordinated in this activity by new and existing central AI functions: the central AI risk function, the CDEI, the AI standards hub and others. That is ongoing. It is an adaptive model which puts us not behind anyone in regulating AI that I am aware of. It is an adaptive model, and as evidence emerges we will adapt it further, which will allow us to maintain the balance of AI safety and innovation. With respect to the noble Lord’s second question, I will happily write to him.
Lord Clement-Jones (LD)
My Lords, the Government have just conducted a whole summit about the risks of AI, so why in the new data protection Bill are they weakening the already limited legal safeguards that currently exist to protect individuals from AI systems making automated decisions about them in ways that could lead to discrimination or disadvantage? Is this not perverse even by this Government’s standards?
Viscount Camrose (Con)
I do not think “perverse” is justified. GDPR Article 22 addresses automated individual decision-making, but, as I am sure the noble Lord knows, the DPDI Bill recasts Article 22 as the right to specific safeguards rather than a general prohibition on automated decision-making, so that subjects have to be informed about it and can seek a human review of decisions. It also defines meaningful human involvement.
Data Protection (Adequacy) (United States of America) Regulations 2023
Lord Clement-Jones Excerpts(1 year ago)
Lords ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Lord Clement-Jones
That this House regrets the Data Protection (Adequacy) (United States of America) Regulations 2023 and regrets in particular (1) the absence of an Impact Assessment at the time it was laid; (2) the lack of any public consultation; and (3) that the explanatory material laid in support does not provide sufficient information to gain a necessary understanding of the instrument’s policy objective and intended implementation.
Relevant document: 53rd Report from the Secondary Legislation Scrutiny Committee, Session 2022-23
Lord Clement-Jones (LD)
My Lords, this is clearly box-office this evening. As soon as I saw the Secondary Legislation Scrutiny Committee’s report and its comments, I thought these regulations were a prime candidate for a regret Motion. This does not mean that the Minister has to be quite as persuasive as he would be if they were subject to the affirmative process, but it does mean that he has to recognise they we are not just going to let this kind of important secondary legislation go through on the nod—especially where his department has not excelled itself in giving the necessary explanatory and impact assessment material.
On purely procedural grounds, the tale of how DSIT has dealt with this SI is not a happy one. These are regulations made under Section 17A of the Data Protection Act 2018 to establish a data bridge with United States of America through the UK extension to the EU-US data privacy framework. The impact assessment for the regulations was first submitted on 4 August for Regulatory Policy Committee scrutiny, and the RPC’s initial review of it, sent to DSIT on 15 September, found that it was not sufficiently robust and identified areas where improvements should be made. As the RPC states:
“We considered that the points raised would generate a red-rated opinion, if not addressed adequately”.
Following discussions, DSIT submitted a revised impact assessment on 20 September. The data protection adequacy regulations were laid before Parliament the day following, 21 September.
In its report of 17 October, the SLSC said:
“We regret the absence of the IA and of a public consultation and recommend that the EM be revised to include the missing contextual information”.
The regulations are drawn to the special attention of the House on the ground that the explanatory material laid in support provides insufficient information to gain a clear understanding of the instrument’s policy objective and intended implementation.
The SLSC also said:
“We regret that … important context to the UK Extension to the EU-US Data Privacy Framework was not included in the EM. While the purpose of the Regulations is made clear by the EM, without the additional information provided by the Department and the link to the Government’s analysis, it is not possible for a reader of the EM to understand fully the policy context and framework of the adequacy decision and how this policy was developed. We therefore ask the Department to revise the EM to include the contextual information and the links to relevant external material. We are disappointed that the Department was unable to provide a final, green-rated IA when the Regulations were laid before Parliament … We regret—
and this is a broad point which comes up time and again—
“that this is a further example of relevant impact information not being shared with Parliament at the right time … We take the view therefore that it would have been desirable to carry out a public consultation”.
The SLSC concludes:
“We regret the absence of the IA and of a public consultation and recommend that the EM be revised to include the missing contextual information”.
If it had not been for the noble Baroness, Lady Jones, bumping into me today, I would not have realised that the Explanatory Memorandum that I read to prepare my speech today had been switched from 20 September to 21 November. I have the two versions in front of me, thanks to the noble Baroness, and they do differ. It seems extraordinary that two months should elapse before we get the revised memorandum. When I actually looked at it, I realised that it is considerably different. I am not surprised that the SLSC had something to say about this.
All the basic data protection principles that the US is meant to observe are set out in paragraph 7.7 of the new Explanatory Memorandum. They appear nowhere in the original memorandum. There is a whole slew of things: international data transfers, the need to consult expert counsel, and the fact that the Information Commissioner has produced an opinion, which I shall go on to talk about. There is also a third element of considerable importance: the impact on monetary net present value, under paragraph 12.3.
These are considerable changes, and it has taken two months and this regret Motion to elicit that kind of response from the department. That is not a happy start to these regulations: are these teething troubles at the new department, or something more serious? What is the Minister’s response to all these criticisms, in particular the lack of public engagement and the whole process by which these Explanatory Memorandums are produced?
This new arrangement is designed to be compatible with the EU-US data privacy framework and is what we must now call the UK-US data bridge. It came into force on 12 October 2023: from then on UK businesses may transfer personal data to US organisations certified under the UK extension to the EU-US data privacy framework without the need for alternative safeguards such as standard contractual clauses. Those US organisations that have committed to complying—and this is important—with the enforceable principles and requirements under the UK extension to the EU-US data privacy framework can be identified on the data privacy framework list. Organisations not subject to the jurisdiction of the US FTC or the US DoT are not eligible to participate, and that includes major institutions such as banks and insurance and telecommunication companies.
This is what a prominent firm of lawyers has said about the new regulations and the bridge:
“Organisations should take care to review the nature and scope of transfers permitted in practice and to consider the steps that should be taken to effectively make those transfers in accordance with the new arrangements. For example, certain journalistic personal data may not be transferred in reliance on the UK-US data bridge. It will also be necessary to actively indicate to the US recipient organisation that it must treat genetic data, biometric data for the purpose of uniquely identifying a natural person and data concerning sexual orientation as sensitive information. Whilst these types of data are special categories of data under Article 9(1) UK GDPR, they are not designated as sensitive information under the UK Extension to the EU-US Data Privacy Framework. Specific identification to the data recipient is therefore required. There are also specific requirements regarding the transfer of certain criminal offence data.”
The deeper you dig, it still remains potentially very complicated, and I wonder what guidance the department is giving in detail on this. For example, how exactly do the UK and the EU data bridge agreements translate to a US state basis? Do they require state ratification of some kind, or verification of the principles they adopt? If we are comfortable with the data adequacy aspects of the UK-US data bridge, there are clear advantages in terms of participating organisations being exempted from the need to conduct a transfer impact assessment, rather than having standard contractual clauses where TIAs needs to be made.
However, what is the response of the Minister and his department to the Information Commissioner’s Office’s opinion on these regulations: that there are areas that could pose risks to UK data subjects if the protections identified are not properly applied? He identifies several potential issues with the UK-US data bridge: it does not contain substantially similar rights to the UK GDPR’s right to be forgotten, right to withdraw consent, and right to obtain a review by a human of an automated decision. He says:
“As a result, UK data subjects might not have the same level of control over their data as they do under UK GDPR.”
Secondly:
“The definition of sensitive information,”
much like the legal opinion,
“under the UK-US Data Bridge does not specify all the ‘special categories of personal data’ of the UK GDPR. Instead, the framework has a broad ‘umbrella’ concept providing that sensitive information can be any data regarded as sensitive by the transferring entity. UK businesses will have to clearly label certain types of data as ‘sensitive’ when transferring to a US organisation certified under the UK Extension to ensure adequate protection.”
Thirdly:
“For data on criminal offences, the ICO highlights potential vulnerabilities, even when tagged as sensitive. Since the UK places restrictions on the use of ‘spent’ convictions, there are concerns about a lack of comparable protections in the US for transferred data”.
The opinion of the ICO does not even deal with the potential impact of the Data Protection and Digital Information Bill going through Parliament, which will water down data subject rights, especially in the legitimate interest balancing test and Article 22, and in the provisions around DPOs and data protection impact assessments. Our data protection adequacy is not even secure, and the ICO specifically draws attention to this:
“If the Secretary of State becomes aware of a significant change in the level of data protection that applies to personal data transferred from the UK as a result of either the review or ongoing monitoring obligations, the Secretary of State must amend or revoke the regulations to the extent necessary”.
In addition:
“The Secretary of State is also required to monitor, on an ongoing basis, developments in a country, territory or international organisation which is the subject of UK adequacy regulations”.
Where did any of that appear in the Explanatory Memorandum? This is important stuff; it is our personal data.
How do we therefore know that our personal data is safe under these arrangements? How will the data bridge stand up, especially with the new Bill going through Parliament? Perhaps the Minister can also explain how the transfer of legally privileged data will be dealt with.
Even if this were satisfactory, one might ask how long the EU-US DPF will last before Mr Schrems gets to work. What will be the impact on our UK-US data bridge then, given that it is dependent on the EU-US bridge? Given the opinion of the ICO, should we expect litigation along the line of Schrems?
Under the DSIT analysis of last December, it is clear that the department has to take a view on, for instance, the sharing of sensitive data:
“DSIT considers that these exemptions are comparable to exemptions provided for under Article 9(2) of the UK GDPR and do not pose a material risk to UK data subjects”.
It says similarly about HR, and on personal data:
“Therefore, DSIT does not think that the extra protections afforded to criminal offence data … are likely to be undermined”,
and so on. What is DSIT actually advising businesses to do, given its opinion? Would it not be prudent to take some external advice, rather than rely on internal DSIT views about this? Would it not be safer for a business to agree or keep using standard contractual clauses?
Given the limited scope of the UK-US data bridge, a limited number of businesses can take the benefit of it. The impact assessment says: “The assumption that 23.4%”—that seems very granular—
“of those organisations who currently send personal data to the US will be risk averse due to legal uncertainty and continue to use standard data protection clauses is based on evidence from EU transfers. However, the assumption may be too conservative as many businesses reverted to using standard data protection clauses for EU transfers due to the previous risk of no-deal Brexit”.
That sounds like it is both on the one hand and on the other; it is not a very good basis for making assumptions and the figure may be even higher, given the uncertainty and difficulties surrounding some issues, such as the transfer of sensitive data.
I conclude in saying that I strongly agree with this sentence in the impact assessment:
“There is a clear rationale for creating a UK extension to the EU-US Data Privacy Framework”.
I very much believe that, if this works, it can pave the way for many other forms of co-operation with the EU. I just hope that the data protection Bill does not make that impossible.
The Parliamentary Under-Secretary of State, Department for Science, Innovation and Technology (Viscount Camrose) (Con)
I thank the three noble Lords who spoke for their valuable and robust contributions to this debate. Let me start with some general remarks about the SI.
In 2022, the UK exported more than £99 billion in data-enabled services, such as finance and IT, to the US. That amounts to about 30% of the UK’s total data-enabled services exports globally. UK data bridges such as the one established with these regulations ensure that high data standards are upheld when UK individuals’ personal data is transferred internationally while reducing the compliance burdens for businesses, realising responsible innovation and growth. The UK-US data bridge restores a robust and reliable mechanism for transatlantic personal data flows and is expected to benefit around 16,000 UK businesses, 92% of which are small or micro businesses, and provide a combined benefit of an estimated £115 million per year.
The UK-US data bridge has been established following several years of collaboration between both countries and follows a robust assessment by the Secretary of State of the high standards and protections available to UK personal data when it is shared with organisations in the US under the bridge. DSIT published a series of supporting documents alongside the regulations for the US data bridge, including a policy explainer, a fact sheet for UK organisations, a series of letters detailing the operational delivery and enforcement of the frame- work, an analysis of the assessment which underpinned the Secretary of State’s decision and the Information Commissioner’s opinion.
I acknowledge absolutely the disappointment of the Secondary Legislation Scrutiny Committee that an impact assessment was not made available when the regulations were laid. As was remarked on, an initial impact assessment was submitted to the Regulatory Policy Committee in 2022 which was returned to my department with a green rating, meaning it was considered fit for purpose. Deeply regrettably, the updated version containing much of the same content was not reviewed and approved in a timely manner to coincide with the laying of the regulations. My officials worked at pace to address the additional comments from the Regulatory Policy Committee. I am pleased to say that the impact assessment for these regulations, which has been rated as fit for purpose, was published in mid-October. Furthermore, I can assure noble Lords that DSIT takes the concerns raised by the committee seriously.
In relation to the additional material included within the Explanatory Memorandum published alongside these regulations, as the noble Lord, Lord Clement-Jones, mentioned, an updated version of the Explanatory Memorandum addressing the areas raised by the committee in the report was laid, I am afraid as late as Monday 20 November, and is now available online. I am confident that these changes address the issues raised by the committee in its report.
On the concerns raised by the committee about the absence of a public consultation, I agree that these regulations may be an issue of public interest. These regulations have not been developed in isolation. As part of this assessment, the department worked closely with the UK’s independent data protection regulator, the Information Commissioner’s Office, throughout the assessment and the Information Commissioner was consulted by the Secretary of State prior to taking the decision to establish these regulations in accordance with the Data Protection Act 2018. Additionally, on five occasions since 2021, the department has publicly issued statements in relation to the progress made towards establishing these regulations. These include the UK-US comprehensive dialogue on technology and data launched in October 2022 and the Atlantic declaration announced by the Prime Minister and President Biden in June 2023.
Furthermore, the UK’s approach to facilitating international data transfers was the subject of a public consultation under mission five of the UK’s National Data Strategy, published in December 2020. This was focused on plans
“to remove unnecessary barriers to international data flows”,
drive high standards and build trust in the international use of data. These plans and the department’s approach in this area have been strongly and consistently welcomed by businesses of all sizes looking to operate and trade internationally between the US and UK.
I turn to questions specifically raised in this debate. The noble Lord, Lord Clement-Jones, asked what is being done by the department to address these issues in the future. The delays to the impact assessment and issues raised with the Explanatory Memorandum are unfortunate. It was always the department’s intention to publish the impact assessment once reviewed by the Regulatory Policy Committee and update the Explanatory Memorandum following the Secondary Legislation Scrutiny Committee’s report. As I have said, the department takes the concerns of the Secondary Legislation Scrutiny Committee seriously. There are steps being taken to ensure the delivery of high-quality, comprehensive documentation alongside future secondary legislation. This includes setting up a departmental better regulation team in the new year to support policy teams in the development of impact assessments, and providing a comprehensive library of best practice resources to officials and policy teams. I know that these steps do not help with the issues that arose in this statutory instrument, but I hope that it provides some reassurance towards the steps we are taking to prevent any repeat of these issues in future.
The noble Lord also raised how the data bridge agreements translate on to the US and whether they need to be approved on a state-by-state basis. The answer is that they do not need to be approved by individual states; they are arrangements which operate across the US in relation to any organisations which have signed up to the framework.
Regarding what guidance the department has provided to businesses, it has published a fact sheet on GOV.UK which provides additional clarity and information for businesses regarding using the data bridge, including explaining the need to specify certain types of data as sensitive. Additionally, the ICO has published a complaints tool to help businesses and individuals navigate the new redress mechanism which strengthens and protects UK data subjects’ rights when their personal data is transferred to the US.
Regarding the DPDI Bill, the changes to that Bill will not affect the validity of existing data bridges such as this one. They will continue to have effect under the new regime. The Secretary of State will continue to monitor the data bridge on an ongoing basis for any developments in the US which could affect the decision taken to make these regulations and will take such action to amend or revoke them if necessary.
The noble Lords, Lord Clement-Jones and Lord Fox, both raised what the longevity is of the data bridge, given the Max Schrems case, and the robustness of this legislation. We are aware of the stated intentions made by certain individuals such as Max Schrems to challenge the EU’s adequacy decision for the EU-US data privacy framework, as they have done twice previously. Our data bridge for the UK extension to that privacy framework is a separate decision from the EU’s adequacy decision, following the UK’s independent assessment of relevant laws and practices. We are continuing to work with the US now that the data bridge is online to ensure that it functions as intended and will continue to engage should any challenge to the EU’s adequacy decision be successful. Should the EU’s decision be invalidated, that would not directly impact the UK’s data bridge for the US.
In response to the noble Baroness, Lady Jones, I can confirm as above that the published impact assessment has a green rating. With regard to her question on how the data bridge differs from the EU framework, the UK is relying on our own extension to the EU-US data privacy framework, which mirrors the EU framework.
The noble Baroness asked whether individuals can opt out from the data bridge and about its robustness, including the important point about Palantir. UK individuals’ data is protected to the high standards expected within the UK under the UK GDPR and Data Protection Act 2018. We have conducted a robust and detailed assessment of the new US framework, which is published online on GOV.UK, and which the Secretary of State has decided meets the high standards necessary to establish a data bridge. This includes strict requirements and rules surrounding how US organisations should use, process and disclose personal data that they hold. When deciding whether to share personal data with a US organisation under the data bridge, the transferring organisation in the UK still needs to comply with all the requirements of the UK GDPR, including the need to have a lawful basis for sharing the personal data.
In response to the noble Lord, Lord Fox, who asked who the department engaged with in the US and which regulatory bodies are responsible for the US framework, this is a federal rather than a state government-level framework. The US Department of Commerce administers the framework and is our main counterpart, and the US Federal Trade Commission and US Department of Transportation enforce the framework. We also engaged with the US Department of Justice where there were questions in relation to US national security laws and practices. We have received reassurances from each of these bodies with regard to their commitments to upholding the principles and protecting the rights and protections of UK personal data shared with the US. These have been published online along with our full analysis detailing our assessment of the US data bridge and explaining the role of the different US bodies mentioned, which is on GOV.UK for anyone to view.
On the collection of data by UK political parties and the possibility of transfer to a server outside the UK, the policy governing this aspect falls outside the scope of data bridge policy, and so my department will follow up on that question.
Finally, on the question from the noble Lord, Lord Fox, about the self-certifying annual process for US companies and how the department can be sure that the process is being monitored, the US Department of Commerce has committed in the aforementioned reassurances to conduct verification checks on organisations certified to the framework, as well as to participate in periodic discussions with the UK Government about the operation of the framework, to ensure that the expectations and new practices of the data privacy framework are being met. This includes, where necessary, input from US enforcement bodies, the Federal Trade Commission and the US Department of Transportation, as well as from the UK’s independent data protection regulator, the Information Commissioner’s Office. Additionally, the Secretary of State is obliged to monitor on an ongoing basis any developments in the US or with the US framework that could affect the decision taken to make these regulations and to take such action to amend or revoke them as necessary.
I thank the noble Lord, Lord Clement-Jones, for bringing forward the debate today. The importance of proper scrutiny by parliamentarians for new legislation is paramount, and the department will continue to move forward with renewed determination to ensure that all necessary documentation is provided, not just to a high standard but at the point when regulations are laid. I believe and hope that I have answered all the questions. If not, I am of course more than happy to write with further detail. For now, I am once again grateful to the noble Lord.
Lord Clement-Jones (LD)
My Lords, I thank the Minister for that response. I congratulate him on managing to pick up nearly all the questions and provide them with answers. He probably never thought that quite so many questions could be asked about a single SI, and there are a couple of areas where I think there is further inquiry to be made. This is a salutary lesson in how the SLSC really needs to get the information that it needs to scrutinise regulations, otherwise we all jump up and down and spend our evenings on regret Motions.
This has been a very useful debate. The record, and how the Minister unpacked and answered some of the questions, might be helpful for those who want to take advantage of the UK-US data bridge. It is a great illustration also as to why affirmative SIs, rather than negative ones, are actually rather useful. Why rely on me producing a regret Motion? Would not it have been better to have a proper affirmative procedure in this case, as this is a very important instrument? The Minister talked about its value, and, if it works, we will all agree.
I also very much appreciate the fact that there is a level of humility about this, in that the department is looking at its procedures and setting its house in order with a new regulatory policy process. We look forward, I am sure, to seeing how effective that will be in the future. When the Minister talks about fact sheets and the sensitive data aspects, the fact that the ICO is gearing itself on the complaints and redress side is appreciated as well.
Design Right, Artist’s Resale Right and Copyright (Amendment) Regulations 2023
Lord Clement-Jones Excerpts(1 year ago)
Grand CommitteeRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Clement-Jones (LD)
My Lords, it is a pleasure to follow the noble Earl, Lord Clancarty; I wholeheartedly agree with everything that he said. I should say from the outset that we on these Benches support both sets of regulations, which will, I hope, gladden the Minister’s heart as we start debating them.
There are, however, a number of points to be made in relation to them. I very much support what the noble Earl had to say about DACS, the not-for-profit visual artists’ rights management organisation. It recently helpfully published a report that highlights the pivotal role that artists’ resale rights play in supporting artists and the wider art market. As the noble Earl said, they have been somewhat controversial in the past, but, now that they have been included in trade agreements, I feel confident that they are now bolted fully into our intellectual and moral property rights. They are an absolutely vital source of income for many artists. The noble Earl talked about more than £120 million in ARR royalties, directly benefiting more than 6,000 artists and their heirs. Artists selling at the lower end of the art market benefit in particular from ARR: two-thirds of ARR payments in 2021 were less than £500 and 10% of artists received ARR royalties for the first time that year.
I will not repeat most of the rest of what the noble Earl had to say, just that I very much agree with a great deal of what he said. More than 90 countries worldwide have implemented some form of ARR legislation so we are in good company as regards what I see as this moral right. We have heard about the trade agreements; it would be useful to get from the Minister an idea of which agreements we have included this in. Christian Zimmermann, the CEO of DACS is definitely worth quoting. He said:
“The Artist’s Resale Right is more than a legislative mandate—it is a commitment to fairness, a recognition of the value of artists’ contributions, and an indispensable support for artists and their estates.”
The Minister may notice that I have used pounds sterling in my figures throughout so, naturally, I support that aspect of these regulations and, of course, the other aspects that are provided for in the regulations.
The Intellectual Property (Exhaustion of Rights) (Amendment) Regulations 2023 are, in many senses, a much weightier aspect of the regulations we are considering today. I am grateful to the Alliance for Intellectual Property and the British Brands Group for providing briefings and, indeed, their strong views on these issues. I know that the Minister will have heard many of their arguments in person but I want to put on record those views, with which, I should say, I and the All-Party Parliamentary Group for Intellectual Property strongly agree.
Members of both groups strongly consider that the status quo will deliver the strongest overall outcomes for shoppers, business and the UK economy. Following the UK’s departure from the EU, the UK Government now have control over the exhaustion regime. As the Alliance for Intellectual Property says, the importance of the decision on which exhaustion regime the Government choose cannot be underestimated. Although it seems a technical area of policy, it will have a real-life impact on businesses, consumers and regulatory authorities across the UK. Exhaustion regimes have the greatest impact on export-driven UK sectors as they underpin their ability to determine when, how and what goods to sell in international markets and at what price.
The noble Earl quoted the publishing sector. Industries of that kind are particularly successful at exporting; for example, the UK book sector derives 60% of its income from exports. We have heard that the Government have consulted on which regime the UK should select. In January 2022, the Government made an interim decision to select a UK+ regime that would maintain existing protections. As we have heard, this statutory instrument is being introduced by the Government relating to that interim decision. As the Minister said, though, the Government have not made a final decision on which regime to choose but are likely to announce their decision in the next few months. I hope that the Minister will give us some idea of the time in which he expects that decision to be made.
The British Brands Group believes that advice from officials is to make the interim decision permanent—at least, that is its impression—which would be widely welcomed. I want to take this opportunity to voice support for the interim decision and express concerns regarding any shift to an international regime that might arise in future. I am not going to explain what the alternatives are; I do not think I need to. National exhaustion is one alternative and international exhaustion is another; neither is practical nor attractive.
The current regime is regional exhaustion, an approach that has been working well for 50 years. Rights are exhausted once goods are placed on the UK or EU market, although they can be used to prevent the distribution of goods placed on markets outside those countries. This status quo operates well, as we know; it strikes us on these Benches and those organisations as proportionate, hence our strong support. The SI rightly provides for an IP exhaustion regime meaning that the holders of trademarks would not be able to object to the further distribution of their goods once they are placed on the market in the UK and the EU. They would, however, be able to object to imports from other countries.
The Government’s decision on the UK’s future exhaustion regime will be among the most important taken in relation to intellectual property policy during this Parliament. Its impact will affect businesses, consumers and regulatory authorities across the UK; as I have said, it will particularly affect export-driven UK sectors as it underpins their ability to determine how and what goods to sell in international markets and at what price.
Any shift to an international regime would also affect many of the UK’s leading design and branded goods companies. This would make it significantly more difficult to launch new products in countries around the world as those firms would not be able to vary pricing at launch for fear of those products re-entering the UK. A move to an international regime would also lead to consumer confusion since product and regulatory standards differ across countries internationally. Any “free for all” in parallel imports to the UK would undermine the UK’s product standards regulatory framework and would create uncertainty and confusion for the public.
Opponents of maintaining the status quo and supporters of an international regime suggest that there would be a reduction in pricing for consumers from an increase in parallel imports. Where parallel imports occur currently, in contravention of our regime, prices are not lower. As an example, you occasionally see bottles of Coca-Cola with foreign language labelling in some small shops but at the same pricing as compliant products.
We believe that the retail supply chain, including wholesalers and parallel importers, would therefore be the major beneficiary, rather than the UK public. The cost-benefit equation is likely to be between established creative industry sectors that find their home in the UK market but could choose to move elsewhere against a parallel import sector that does not currently exist and would not even need to be located on UK shores, nor to create UK jobs.
In summary, an international exhaustion regime would represent a significant policy shift away from innovation and growth. It would weaken competition, harm consumers and not help lower consumer prices, in our view. The SI as drafted sustains the current exhaustion regime until the Government confirm their long-term policy approach. The most recent government consultation identified no evidence at all to support a change in regime, so this debate is important.
I hope that the Minister, IPO and others in government resist calls for any change that could reduce IP rights holders’ ability to influence the distribution of their products in markets outside the EU and weaken their IP rights. A change in the UK’s trademark exhaustion regime would be a significant policy shift negatively affecting consumers, brand owners, UK exporters and public enforcement agencies, while not reducing inflation. I hope the Minister has got my message that this would not be a welcome change away from the current exhaustion regime.
Lord Stevenson of Balmacara (Lab)
I apologise for my slightly late arrival at the Committee. I hope that it was not noted too carefully, but we are doing two SIs as one group and I was here for the whole second part. I hope that that qualifies me to speak.
Also, it would be a terrible shame not to recapture the spirit of a few years ago, when a little group of three of four colleagues, including the noble Baroness, Lady Neville-Rolfe, debated a number of issues to do with intellectual property that came up at that time. It was interesting that a group from within the confines of Parliament then was able to get together and become quite expert at some of these issues. We had some very enjoyable debates and some of these issues have played out again today. Those who benefited from going on that journey gained a lot of knowledge and expertise, so I am not able to stun the Committee with some new insights; they have largely been covered by those who have built up their expertise from the same route that I have been on, so what I would say would be otiose.
I will congratulate both the noble Earl, Lord Clancarty, and the noble Lord, Lord Clement-Jones, for covering the points I would otherwise have made and piggyback on them to save the time of the Committee, which is a good thing.
However, it is interesting that we are still talking about issues that were live three or four years ago. I am sure the noble Baroness, Lady Neville-Rolfe, remembers them with some interest. We are still not clear what distinguishes our particular configuration of design rights. I still worry about those and hope that the department is working on a way forward with some of them. We had some clarity when we were thinking, within the EU context, of a way of trying to balance the difference between those which operated within the UK only and those that were being developed in Europe but were not able to go back to that. I do not think we quite got over the variations that can occur between the triad of patent, trademark and intellectual property in other forms, because they bump into each other. Although they have been dealt with rather well within these statutory instruments, there are occasions when they point in different directions and it is very hard to get a sense of the Government’s policy on them. There is still a need to do more work on that.
In turning to the SIs before us today, I want to raise a very narrow point on design right, ARR and copyright, from the Explanatory Memorandum. Although the noble Viscount touched on this in his introduction, he did not spend a lot of time on it. It is a question of broadly taking forward the arrangements that existed before we left the EU and making them slightly up to date as we go forward. I have no problem with the Design Right (Semiconductor Topographies) Regulations 1989, which were notably not mentioned by my two colleagues nor dealt with in any detail. That is a sensible move forward. We covered ARR and the copyright tribunal rules in some detail. That is a good change and an important way forward.
Viscount Camrose (Con)
Perhaps I had better write to all noble Lords present to say exactly what form that will take.
Lord Clement-Jones (LD)
I am sorry to interrupt the Minister as well. In addition to the timing, it would be useful to know what the instrument is going to be. Will it be another consultation? We have had a consultation, which finished last year, and now we have the SI. Is there going to be another consultation with another SI? The whole process needs unpacking a bit.
Viscount Camrose (Con)
That is fair enough. What I am hearing is that noble Lords want to know not just when it will be but what it will look like when it happens. That is an entirely reasonable request, to which I am happy to accede.
I note the views of the noble Lord, Lord Clement-Jones, on how the UK-plus regime supports the publishing industry in particular. I recognise the importance of this issue to a variety of businesses, which have provided extensive contributions to the public consultation on this matter. On behalf of the Government, I thank those businesses for their constructive engagement during the consultation and since. The noble Lord also—no, I am getting ahead of myself. I will move on, except to note that this issue has the potential to impact so many business sectors and therefore it is important for the Government to take the time to get it right.
The noble Lord also mentioned his concerns about a potential move to an international exhaustion regime. As I mentioned, no decision has been made. However, I should advise noble Lords that we intend a future regime to strike the right balance between consumer choice, fair market pricing, protecting creators and promoting competition.
I turn to the matters raised by the noble Lord, Lord Stevenson. I am grateful for his and his colleagues’ expertise on this important area of policy. He raised the review of design rights. The IPO began a review of that legislation last year, with a call for views published in January 2022. We want to make sure that the UK design system best meets the needs of designers and businesses. The IPO is now working on policy proposals on which to consult, which will likely happen in the first half of 2024. The review is fairly wide ranging, as the law around designs is complex and has not been reformed in any meaningful way for some time. It is important to do this work properly to make sure that any changes work for users and all stakeholders.
The noble Lord raised concerns about transparency reports issued by collective management organisations not being audited. The purpose here is to align the treatment of CMOs with that of other organisations in Companies House of similar size; to not treat them differently simply because of the nature of the work they do as CMOs, and therefore not to require organisations that qualify as small to conduct a formal audit in that way, along with other organisations of their size, scope and scale.
Small CMOs will still be required to produce annual transparency reports and to abide by the regulations that govern their conduct and operations. Removing the statutory audit requirement strikes a fairer, more proportionate balance between risk and cost for these small entities. The changes to the audit requirements were in recommendations evidenced by the additional burden imposed on them during a 2021 post-implementation review of the regulations. To provide some reassurance, I hope: this change affects just seven of the smallest CMOs.
The noble Lord, Lord Stevenson, also mentioned the expansion of the European Economic Area and how it would affect our exhaustion regime. Currently, the geographical scope of our exhaustion regime covers the UK and the European Economic Area. If the European Economic Area expanded the Government would consider how that would affect our exhaustion regime, but we would not wish to prejudice such a decision.
I hope all noble Lords will recognise that these proposed changes support a balanced, consistent and stable IP framework that is crucial for businesses, consumers and investors. I absolutely recognise the strength of feeling and argument in favour of maintaining this regime, but meanwhile I commend these regulations to the Committee.
King’s Speech
Lord Clement-Jones Excerpts(1 year ago)
Lords ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Lord Clement-Jones (LD)
My Lords, I declare an interest as chair of the council of Queen Mary University of London, with its major research interests. It is a pleasure to follow the noble Baroness, Lady Jones of Whitchurch, in her new role.
I want to start on a positive note by celebrating the recent Royal Assent of the Online Safety Act and the publication of the first draft code for consultation. I also very much welcome that we now have a dedicated science and technology department in the form of DSIT, although I very much regret the loss of Minister George Freeman yesterday.
Sadly, there are many other less positive aspects to mention. Given the Question on AI regulation today, all I will say is that despite all the hype surrounding the summit, including the PM’s rather bizarre interview with Mr Musk, in reality the Government are giving minimal attention to AI, despite the Secretary of State saying that the world is standing at the inflection point of a technological revolution. Where are we on adjusting ourselves to the kinds of risk that AI represents? Is it not clear that the Science, Innovation and Technology Committee is correct in recommending in its interim report that the Government
“accelerate, not … pause, the establishment of a governance regime for AI, including whatever statutory measures as may be needed”?
That is an excellent recommendation.
I also very much welcome that we are rejoining Horizon, but there was no mention in the Minister’s speech of how we will meet the challenge of getting international research co-operation back to where it was. I am disappointed that the Minister did not give us a progress update on the department’s 10 objectives in its framework for science and technology, and on action on the recommendations of its many reviews, such as the Nurse review. Where are the measurable targets and key outcomes in priority areas that have been called for?
Nor, as we have heard, has there been any mention of progress on Project Gigabit, and no mention either of progress on the new programmes to be undertaken by ARIA. There was no mention of urgent action to mitigate increases to visa fees planned from next year, which the Royal Society has described as “disproportionate” and a “punitive tax on talent”, with top researchers coming to the UK facing costs up to 10 times higher than in other leading science nations. There was no mention of the need for diversity in science and technology. What are we to make of the Secretary of State demanding that UKRI “immediately” close its advisory group on EDI? What progress, too, on life sciences policy? The voluntary and statutory pricing schemes for new medicines currently under consultation are becoming a major impediment to future life sciences investment in the UK.
Additionally, health devices suffer from a lack of development and commercialisation incentives. The UK has a number of existing funding and reimbursement systems, but none is tailored for digital health, which results in national reimbursement. What can DSIT do to encourage investment and innovation in this very important field?
On cybersecurity, the G7 recognises that red teaming, or what is called threat-led penetration testing, is now crucial in identifying vulnerabilities in AI systems. Sir Patrick Vallance’s Pro-innovation Regulation of Technologies Review of March this year recommended amending the Computer Misuse Act 1990 to include a statutory public interest defence that would provide stronger legal protections for cybersecurity researchers and professionals carrying out threat intelligence research. Yet there is still no concrete proposal. This is glacial progress.
However, we on these Benches welcome the Digital Markets, Competition and Consumers Bill. New flexible, pro-competition powers, and the ability to act ex ante and on an interim basis, are crucial. We have already seen the impact on our sovereign cloud capacity through concentration in just two or three US hands. Is this the future of AI, given that these large language models now developed by the likes of OpenAI, Microsoft, Anthropic AI, Google and Meta require massive datasets, vast computing power, advanced semiconductors, and scarce digital and data skills?
As the Lords Communications and Digital Committee has said, which I very much welcome, the Bill must not, however, be watered down in a way that allows big tech to endlessly challenge the regulators in court and incentivise big tech firms to take an adversarial approach to the regulators. In fact, it needs strengthening in a number of respects. In particular, big tech must not be able to use countervailing benefits as a major loophole to avoid regulatory action. Content needs to be properly compensated by the tech platforms. The Bill needs to make clear that platforms profit from content and need to pay properly and fairly on benchmarked terms and with reference to value for end users. Can the Minister, in winding up, confirm at the very least that the Government will not water down the Bill?
We welcome the CMA’s market investigation into cloud services, but it must look broadly at the anti-competitive practices of the service providers, such as vendor lock-in tactics and non-competitive procurement. Competition is important in the provision of broadband services too. Investors in alternative providers to the incumbents need reassurance that their investment is going on to a level playing field and not one tilted in favour of the incumbents. Can the Minister reaffirm the Government’s commitment to infrastructure competition in the UK telecommunications industry?
The Data Protection and Digital Information Bill is another matter. I believe the Government are clouded by the desire to diverge from the EU to get some kind of Brexit dividend. The Bill seems largely designed, contrary to what the Minister said, to dilute the rights of data subjects where it should be strengthening them. For example, there is concern from the National AIDS Trust that permitting intragroup transmission of personal health data
“where that is necessary for internal administrative purposes”
could mean that HIV/AIDS status will be inadequately protected in workplace settings. Even on the Government’s own estimates it will have a minimal positive impact on compliance costs, and in our view it will simply lead to companies doing business in Europe having to comply with two sets of regulation. All this could lead to a lack of EU data adequacy.
The Bill is a dangerous distraction. Far from weakening data rights, as we move into the age of the internet of things and artificial intelligence, the Government should be working to increase public trust in data use and sharing by strengthening those rights. There should be a right to an explanation of automated systems, where AI is only one part of the final decision in certain circumstances—for instance, where policing, justice, health, or personal welfare or finance is concerned. We need new models of personal data controls, which were advocated by the Hall-Pesenti review as long ago as 2017, especially through new data communities and institutions. We need an enhanced ability to exercise our right to data portability. We need a new offence of identity theft and more, not less, regulatory oversight over use of biometrics and biometric technologies.
One of the key concerns we all have as the economy becomes more and more digital is data and digital exclusion. Does DSIT have a strategy in this respect? In particular, as Citizens Advice said,
“consumers faced unprecedented hikes in their monthly mobile and broadband contract prices”
as a result of mid-contract price rises. When will the Government, Ofcom or the CMA ban these?
There are considerable concerns about digital exclusion, for example regarding the switchover of voice services from copper to fibre. It is being carried out before most consumers have been switched on to full fibre infra- structure and puts vulnerable customers at risk.
There are clearly great opportunities to use AI within the creative industries, but there are also challenges, big questions over authorship and intellectual property. Many artists feel threatened, and this was the root cause of the recent Hollywood writers’ and actors’ strike. What are the IPO and government doing, beyond their consultation on licensing in this area, to secure the necessary copyright and performing right reform to protect artists from synthetic versions?
I very much echo what the noble Baroness, Lady Jones, said about misinformation during elections. We have already seen two deepfakes related to senior Front-Bench Members—shadow spokespeople—in the Commons. It is concerning that those senior politicians appear powerless to stop this.
My noble friends will deal with the Media Bill. The Minister did not talk of the pressing need for skilling and upskilling in this context. A massive skills and upskilling agenda is needed, as well as much greater diversity and inclusion in the AI workforce. We should also be celebrating Maths Week England, which I am sure the Minister will do. I look forward to the three maiden speeches and to the Minister’s winding up.
Artificial Intelligence: Regulation
Lord Clement-Jones Excerpts(1 year ago)
Lords ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Viscount Camrose (Con)
This is indeed a serious and complex issue, and yesterday I met the Creative Industries Council to discuss it. Officials continue to meet regularly both with creative rights holders and with innovating labs, looking for common ground with the goal of developing a statement of principles and a code of conduct to which all sides can adhere. I am afraid to say that progress is slow on that; there are disagreements that come down to legal interpretations across multiple jurisdictions. Still, we remain convinced that there is a landing zone for all parties, and we are working towards that.
Lord Clement-Jones (LD)
My Lords, I welcome what the Minister has just said, and he clearly understands this technology, its risks and indeed its opportunities, but is he not rather embarrassed by the fact that the Government seem to be placing a rather higher priority on the regulation of pedicabs in London than on AI regulation?
Viscount Camrose (Con)
I am pleased to reassure the noble Lord that I am not embarrassed in the slightest. Perhaps I can come back with a quotation from Yann LeCun, one of the three godfathers of AI, who said in an interview the other week that regulating AI now would be like regulating commercial air travel in 1925. We can more or less theoretically grasp what it might do, but we simply do not have the grounding to regulate properly because we lack the evidence. Our path to the safety of AI is to search for the evidence and, based on the evidence, to regulate accordingly.
Counter-Disinformation Unit: Israel and Palestine
Lord Clement-Jones Excerpts(1 year, 1 month ago)
Lords ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Viscount Camrose (Con)
I remember the July debate very well. I made a commitment then to meet with concerned Members, which I am happy to repeat. Again, I ask that concerned Members write to me to indicate that they would like to meet. Those who have written to me, have met with me.
Lord Clement-Jones (LD)
My Lords, the Minister mentioned that the Online Safety Bill will come into law very shortly. Will he commit to setting up the advisory committee on disinformation and misinformation as soon as possible after this? The current situation clearly demonstrates both the need for it and for it to come to swift conclusions.
Viscount Camrose (Con)
I very much share the noble Lord’s analysis of the need for this group to come rapidly into existence. It is, of course, the role of Ofcom to create it. I will undertake to liaise with it to make sure that that is speeded up.
Artificial Intelligence: Regulation
Lord Clement-Jones Excerpts(1 year, 1 month ago)
Lords ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Viscount Camrose (Con)
My noble friend is absolutely right to highlight the essential need for interoperability of AI given the way that AI is produced across so many jurisdictions. In addition to the global safety summit next week, we continue our very deep engagement with a huge range of multilateral groups. These include the OECD, the Council of Europe, the GPAI, the UN, various standards development groups, the G20 and the G7, along with a range of bilateral groups, including —just signed this year—the Atlantic declaration with the US and the Hiroshima accord with Japan.
Lord Clement-Jones (LD)
My Lords, Professor Stuart Russell memorably said:
“There are more regulations on sandwich shops than there are on AI companies”.
After a disappointing White Paper, in the light of the forthcoming summit will the Government put more risk and regulatory meat in their AI sandwich? Is it not high time that we started addressing the AI risks so clearly identified at the G7 meetings this year with clear, effective and proportionate regulation?
Viscount Camrose (Con)
I am pleased to say that the Government spend more on AI safety than any other Government of any country. We have assembled the greatest concentration of AI safety expertise anywhere and, based on that input, we feel that nobody has sufficient understanding of the risks or potential of AI at this point to regulate in a way that is not premature. The result of premature regulation is regulation that creates unnecessary friction for businesses, or runs the risk of protecting or failing to protect from emerging dangers of which we are as yet unaware.
Semiconductors Manufacturing
Lord Clement-Jones Excerpts(1 year, 2 months ago)
Lords ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Baroness Williams of Trafford (Con)
My Lords, shall we allow the noble Lord, Lord Wigley, to contribute and then the noble Lord, Lord Clement-Jones?
Viscount Camrose (Con)
I apologise to the noble Lord for not having reached that bit. The concern about Newport Wafer Fab was that the ultimate owners of the buyer were Chinese investors; hence, under the NSI Act, that was blocked. I cannot comment any further on that specific case because it is under judicial review.
Lord Clement-Jones (LD)
My Lords, the Government may have finally published a strategy on semiconductors, but is investment in our great south Wales compound semiconductor hub going to be encouraged by his ministerial colleague Paul Scully’s remarks about not wanting to recreate Taiwan in south Wales? Also, as has been referred to, there is the very much delayed decision over the future of Newport Wafer Fab.
Viscount Camrose (Con)
What Minister Scully clearly meant was that there is no point attempting to construct an advanced silicon manufactory at the cost of tens of billions of pounds at considerable risk to both investors and the taxpayer when all those who have tried to mimic TSMC have failed at great expense. It is far better to focus on our strengths and on the compound semiconductor strategy that Minister Scully will have spoken about on that occasion. Again, Newport Wafer Fab is under judicial review and I cannot comment further.
Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023
Lord Clement-Jones Excerpts(1 year, 2 months ago)
Grand CommitteeRead Full debate Read Hansard Text Read Debate Ministerial Extracts
The Parliamentary Under-Secretary of State, Department for Science, Innovation and Technology (Viscount Camrose) (Con)
My Lords, these regulations were laid before the House on 10 July 2023, and they will be made under the powers provided by the Product Security and Telecommunications Infrastructure Act 2022 and the European Union (Withdrawal Agreement) Act 2020. They will mandate that the manufacturers of consumer connectable products made available to customers in the UK are, unless excepted, required to meet minimum security requirements.
In doing so, this instrument will complete the introduction of the UK’s pioneering product security regime, established by Part 1 of the Product Security and Telecommunications Infrastructure Act 2022. Subject to noble Lords’ approval, this regime will afford UK citizens and businesses with world-leading protections from the threats of cybercrime, as well as equipping the Government with the tools to ensure the long-term security of a vital component of the broader technology ecosystem.
Acting to secure consumer connectable products has never been more critical than it is now, as we cross the threshold of the fourth industrial revolution. Before our eyes, artificial intelligence is rewriting how we live our lives, how we deliver our priorities and the rules of entire industries. AI models are already an inextricable part of the connectable products we use every day, from the convolutional neural networks that recognise the photos of loved ones on our smartphones, to the recurrent neural networks that allow our smart speakers to respond to our requests. The data collected through consumer devices is often also a vital part of a model’s training set.
These regulations are therefore not just crucial if we are to protect our citizens and economy from the array of threats posed by consumer connectable products today but a vital step if we are to mitigate the risks, and therefore fully realise the benefits, of the AI-enabled economy of tomorrow. With the support of this House and Members of another place, this is precisely what the Government aim to achieve with these regulations.
The key provisions of this instrument are as follows. First, the regulations mandate that manufacturers comply with the security requirements set out in Schedule 1. These requirements were selected, following extensive consultation, because they are applicable across a broad range of devices and are commended by security experts as the most fundamental measures for addressing cyber risks to products and their users. This means that businesses will no longer be able to sell consumer smart products with universal default or easily guessable default passwords to UK customers. These passwords not only expose users to unacceptable risks of cyberattack but can also allow malicious actors to compromise products at scale, equipping them with the computing power to launch significantly disruptive cyberattacks.
Manufacturers will also be required to publish, in a manner that is accessible, clear and transparent, the details of a point of contact for the reporting of security vulnerabilities. It pains me to share that, despite our entrusting the security of our data, finances and even homes to the manufacturers of these products, as of 2022, less than one-third of global manufacturers had a policy for how they can be made aware of vulnerabilities. With your support, the UK aims to change that.
The final security requirement in this instrument will ensure that the minimum length of time for which a product will receive security updates is not just published but published in an accessible, clear and transparent manner. We know that consumers value security and consider it when purchasing products. Equipped with the vital information mandated by this requirement, UK consumers will be able to drive manufacturers to improve the security protections they offer through market forces.
We are confident, based on extensive policy development, consultation and advice from the National Cyber Security Centre, that these security requirements will make a fundamental difference to the security of products, their users and the wider connected technology ecosystem.
We also recognise the importance of cutting red tape or, better still, not introducing it in the first place. For this reason, Regulation 4 allows manufacturers that are already compliant with provisions in international standards equivalent to our security requirements to more readily demonstrate their compliance with our security requirements.
The instrument also sets out a list of products excepted from the scope of the product security regime. First, it excepts select product categories where made available for supply in Northern Ireland. This exception ensures that the regime upholds the UK’s international commitments under the EU withdrawal agreement, while extending the protections and benefits offered by the regime to consumers and businesses across the UK.
In addition, smart charge points, medical devices and smart metering devices are excepted to avoid double regulation and to ensure that these products are secured with the measures most appropriate to the particulars of their functions. This instrument also excepts laptops, desktop computers and tablets without a cellular connection from the regime’s scope. Engagement with industry highlighted that the manufacturers of these products would face unique challenges in complying with this regime, and in many cases where these products are in use they are already subject to suitable cyber protections. It is therefore not clear at this stage that including these products in the regime’s scope would be proportionate.
Finally, the regulations also contain uncontroversial administrative provisions, including provisions relating to statements of compliance. The regime will require that these documents accompany products, serving as an audit trail to enable compliance across the supply chain and to facilitate effective enforcement.
These regulations and the regime of which they are a part represent a victory for UK consumers. They are the first in the world to recognise that the public has a right to expect that the products available for them to purchase are secure. These measures solidify the United Kingdom’s position at the forefront of the global cyber agenda, paving the way for other nations to follow in our footsteps. I commend the regulations to the Committee.
Lord Clement-Jones (LD)
My Lords, I thank the Minister for his introduction, which gave us the context for these regulations and the risks they are designed to mitigate and prevent. I agree with him about the importance of regulating in this area but, sadly—clearly—this is not box office today. We must live with that.
I welcome the regulations as far as they go. The one bright spot is that all regulations under the original Act, with one exception, are subject to the affirmative procedure, thanks to amendments put forward by us and accepted by the Government, which were designed to implement the recommendations of the Delegated Powers and Regulatory Reform Committee. That we are discussing the regulations in this way is testimony to that.
However, the regulations do not go far enough, despite being described by the Minister as a “pioneering product security regime”. As I said at Third Reading of the original Bill, last October, we did not specify enough security requirements for IoT devices in primary legislation. There was a commitment to regulate for only the top three guidelines covered by the 2018 Code of Practice for Consumer IoT Security, namely: first, to prohibit the setting of universal default passwords and the ability to set weak or easily guessable passwords; secondly, to implement a vulnerability disclosure policy, requiring the production and maintenance by manufacturers of regularly publicly available reports of security vulnerabilities; and, thirdly, to keep software updated and ensure the provision of information to the consumer before the contract for sale or supply of a relevant connectable product detailing the minimum length of time for which they will receive software or other relevant updates for that product.
Those are now all in the regulations and I welcome that, but, sadly, many of the other guidelines were never going to be, and are not now, specifically covered in the regulations. Quite apart from the first three, there are a whole range of others: securely store credentials and security-sensitive data; communicate securely; minimise exposed attack surfaces; ensure software integrity; ensure that personal data is protected; make systems resilient to outages; monitor system telemetry data; make it easier for consumers to delete personal data; make the installation and maintenance of devices easy; and validate input data. All those are standards that should be adhered to in relation to these devices. Two of the guidelines that have not been made mandatory—ensure that personal data is protected, and make it easier for consumers to delete personal data—have been highlighted by Which? this very morning, which has produced research demonstrating that:
“Smart home device owners are being asked to provide swathes of data to manufacturers, which could compromise their privacy and potentially result in them handing their personal information to social media and marketing firms, Which? research has found”.
This is part of its press release.
“The consumer champion found companies appear to hoover up far more data than is needed for the product to function. This includes smart speakers and security cameras that share customer data with Meta and TikTok, smart TVs that insist on knowing users’ viewing habits and a smart washing machine that requires people’s date of birth. The research suggests that, despite consumers having already paid up to thousands of pounds for smart products, they are also having to ‘pay’ with their personal data”.
We need to make sure that the Government and the regulator, whether the ICO or others, are on the case in that respect.
Nor did we see any intention to introduce appropriate minimum periods for the provision of security updates and support, taking into account factors including the reasonable expectations of consumers, the type and purpose of the connectable products concerned and any other relevant considerations. During the passage of the Bill, the Government resisted that—unlike the EU, which has imposed a five-year mandatory minimum period in which products must receive security updates. So consumers in Northern Ireland, for instance, are going to be far better off as a result of the TCA and the Windsor agreement.
That has inevitably followed through into these disappointing regulations, but they are even more disappointing than previously anticipated. Online marketplaces are not covered. Why not? My noble friend Lord Fox tabled an amendment on Report that sought to probe whether online marketplaces would be covered, a question that I think we all agree is of great importance. My noble friend quoted a letter from the noble Lord, Lord Parkinson, dated 21 September 2022 stating that
“businesses need to comply with the security requirements of the product security regime in relation to all new consumer connectable products offered to customers in the UK, including those sold through online marketplaces”.
In response, the then Minister, the noble Lord, Lord Kamall, said:
“The Bill will ensure that where online marketplaces manufacture, import or sell products, they bear responsibility for the security of those products. Where this does not happen, I assure noble Lords that they should make no mistake: the regulator will act promptly to address serious risk from insecure products, and work closely with online marketplaces to ensure effective remedy”.
I accepted that assurance. I said:
“As regards the online marketplaces, I am grateful for those assurances, which are accepted and are very much in line with the letter”.—[Official Report, 12/10/22; cols. 794-95.]
That was the assurance that was given and accepted.
Lord Clement-Jones (LD)
The Minister has moved on from talking about periods of assurance for consumers. I mentioned the EU introducing its five-year rule and the Northern Ireland aspect. That is rather useful for the Government to be able to see the impact of putting down a marker on a five-year period, because there is no alternative under the TCA and the Windsor agreement. Will the Government undertake to review how it is working in Northern Ireland? If it is working well and they think it is practical, will they introduce it across the UK?
Viscount Camrose (Con)
That is an interesting experimental chamber to have, because we can compare the two regimes, so I am happy to make that commitment, yes.
The assurances about online marketplaces from my noble friends Lord Kamall and Lord Parkinson remain true. Products sold through online marketplaces are subject to the same requirements as all other products. No regulation is perfect and, if relevant parties do not comply, the parent Act empowers the Secretary of State, or those whom the Secretary of State has authorised to carry out enforcement functions, with robust powers to address non-compliance, including monitoring the market, warning consumers of risks and, where appropriate, seizing products and recalling products from customers.
The Government have made it clear that they expect online marketplaces to do more to keep unsafe products off their platforms, and are conducting a review of the product safety framework. The product safety review consultation is open until 24 October. Following this, we will review and analyse stakeholder feedback and publish a government response. Any legislation will be brought forward in line with parliamentary procedures and timetables, which will include proposals to tackle the sale of unsafe products online. Officials will continue—
Lord Clement-Jones (LD)
I apologise to the Minister, but what is the reason for having two separate processes for manufacturers and online distributors? The assurance that I quoted could not have been clearer, and we all thought that these regulations would include not only manufacturers but online distributors. It still baffles me and I am sure it baffles the noble Lord, Lord Bassam, as well. The logic of doing it in two separate tranches entirely escapes me.
Viscount Camrose (Con)
The processes we have put here resulted from extensive consultation with the stakeholders, both the manufacturers and the retailers.
Lord Clement-Jones (LD)
So the Minister is saying that the retailers did not like it, did not have the systems required and could not do things quickly enough—despite the fact that some time has elapsed, as the noble Lord, Lord Bassam, mentioned—so they said, “Not now, Josephine”, basically.
Viscount Camrose (Con)
No, the consultation took place with a wide range of civil society and other stakeholders. Mechanisms are in place to update, should it not prove to be as proportionate as we believe it is. The Government are also engaging directly with online marketplaces to explore how they can complement the product security regime and further protect consumers.
On the question of how the regime accounts for the possibility of changing international standards, the instrument references specific versions of ETSI EN 303 645 and ISO/IEC 29147. Were the standards to be updated, the version cited would still be the applicable conditions in Regulation 2. Noble Lords should rest assured that any action by the Government to update the standards referenced in the regime would require further parliamentary scrutiny.
Turning to computers, we do not have evidence that including such products in the scope of the regime would significantly reduce security risk. There is a mature anti-virus software market that empowers customers to secure their own devices. Alongside this, mainstream operating system vendors already include security features in their services. The result is that they are not subject to the same level of risk as other consumer devices.
On smart meters and data, the smart metering product market is already regulated through the Gas Act 1986, the Electricity Act 1989 and the Smart Energy Code. Smart metering products are subject to tailored cyber requirements that reflect their specific risk profile. This exception ensures that smart meter products are not subject to double regulation without compromising their security.
Viscount Camrose (Con)
I have to confess that my familiarity with some of that legislation is a bit limited, but I was attempting to convey that the full extent of the regulation covering those devices is collectively included in those three instruments. I recognise that that is not a wholly satisfactory answer, so I am very happy to write to the noble Lord. That legislation mandates compliance with the code collectively, which is kept up to date and includes robust modern cyber requirements. The UK already has a robust framework for data protection. While I absolutely agree that it is important, it is not the subject of these regulations.
I would like to return to a matter that I addressed earlier and point out that the cyber resilience Act that the noble Lord mentioned will in fact not, as per the current agreed version of the Windsor Framework, come into effect in Northern Ireland. The point remains that we will monitor its impact on the continent. I beg his pardon for not being clear about that.
Turning to the matters raised by the noble Lord, Lord Bassam, we agree that the challenges posed by inadequate consumer connectable product security require urgent action. However, regulating a sector as heterogeneous as connectable technology in its diversity of devices, user cases, threat profiles and extant regulation also requires careful consideration. We feel that we have acted as quickly as was appropriate, and in doing so we acted before any other nation.
On the role of distributors in communicating the defined support period to customers, products made available to consumers in the UK, or those made available to businesses but identical to those made available to consumers, are required to be accompanied by a statement of compliance, which will contain information about the minimum security update period for the product. Retailers are in fact required to ensure that the statement of compliance accompanies their product.
In addition, the SI requires manufacturers to publish information about the minimum security update periods, alongside invitations to purchase the product where certain conditions are met. The Government have no immediate plans to make it mandatory for the distributors of these products to publicise the defined support period. However, we encourage distributors to take this action voluntarily. If the manufacturer fails to publish the defined support period, the enforcement authority can issue notices demanding that the manufacturer make the necessary corrections, or demand that importers or distributors stop selling the product. It can also seize products and recall them from end users.
We will of course be monitoring the effectiveness of the product security regime when it comes into effect. If evidence emerges suggesting that further action to ensure the availability of the defined support period at points of purchase would be appropriate to enhance and protect the security of products and their users, the PSTI product security regime empowers Ministers to take such action.
In conclusion, I hope noble Lords will recognise the benefits that this regime will bring to the UK public and its ground-breaking influence on the world stage.
Lord Clement-Jones (LD)
Before the Minister sits down, I wonder whether he could return to his notes on the cyber resilience Act. I heard what he said but it may have been a slip of the tongue because he said that it has not yet come into effect but we will monitor its impact on the continent. I think—at least, I assume—that he meant we will monitor its impact when it comes into effect in Northern Ireland. It will inevitably come into effect into Northern Ireland, will it not?
Lord Clement-Jones (LD)
Perhaps the Minister could write to me or to us. The fact, as I understand it, is that the Act is a piece of EU legislation that is going to come into effect across the EU under the Windsor agreement and the TCA. Northern Ireland is subject to EU legislation of that kind; it will therefore come into effect in Northern Ireland and we will be able to monitor its impact there. So, it is not just a question of monitoring its impact on the continent. We have a homegrown example of how it will be implemented—a test bed.
Advanced Artificial Intelligence
Lord Clement-Jones Excerpts(1 year, 4 months ago)
Lords ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Lord Clement-Jones (LD)
My Lords, I remind the House of my relevant interests in the register. We are all indebted to the noble Lord, Lord Ravensdale, for initiating this very timely debate and for inspiring such a thought-provoking and informed set of speeches today. The narrative around AI swirls back and forwards in this age of generative AI, to an even greater degree than when our AI Select Committee conducted its inquiry in 2017-18—it is very good to see a number of members of that committee here today. For instance, in March more than 1,000 technologists called for a moratorium on AI development. This month, another 1,000 technologists said that AI is a force for good. As the noble Lord, Lord Giddens, said, we need to separate the hype from the reality to an even greater extent.
Our Prime Minister seems to oscillate between various narratives. One month we have an AI governance White Paper suggesting an almost entirely voluntary approach to regulation, and then shortly thereafter he talks about AI as an existential risk. He wants the UK to be a global hub for AI and a world leader in AI safety, with a summit later this year, which a number of noble Lords discussed.
I will not dwell too much on the definition of AI. The fact is that the EU and OECD definitions are now widely accepted, as is the latter’s classification framework, but I very much liked what the noble and right reverend Lord, Lord Chartres, said about our need to decide whether it is tool, partner or competitor. We heard today of the many opportunities AI presents to transform many aspects of people’s lives for the better, from healthcare—mentioned by the noble Lords, Lord Kakkar and Lord Freyberg, in particular—to scientific research, education, trade, agriculture and meeting many of the sustainable development goals. There may be gains in productivity, as the noble Lord, Lord Londesborough, postulated, or in the detection of crime, as the noble Viscount, Lord Waverley, said.
However, AI also clearly presents major risks, especially reflecting and exacerbating social prejudices and bias, the misuse of personal data and undermining the right to privacy, such as in the use of live facial recognition technology. We have the spreading of misinformation, the so-called hallucinations of large language models and the creation of deepfakes and hyper-realistic sexual abuse imagery, as the NSPCC has highlighted, all potentially exacerbated by new open-source large language models that are coming. We have a Select Committee, as we heard today from the noble Lord, Lord Browne, and the noble and gallant Lord, Lord Houghton, looking at the dilemmas posed by lethal autonomous weapons. As the noble Lord, Lord Anderson, said, we have major threats to national security. The noble Lord, Lord Rees, interestingly mentioned the question of overdependence on artificial intelligence—a rather new but very clearly present risk for the future.
We heard from the noble Baroness, Lady Primarolo, that we must have an approach to AI that augments jobs as far as possible and equips people with the skills they need, whether to use new technology or to create it. We should go further on a massive skills and upskilling agenda and much greater diversity and inclusion in the AI workforce. We must enable innovators and entrepreneurs to experiment, while taking on concentrations of power, as the noble Baroness, Lady Stowell, and the noble Lords, Lord Rees and Lord Londesborough, emphasised. We must make sure that they do not stifle and limit choice for consumers and hamper progress. We need to tackle the issues of access to semiconductors, computing power and the datasets necessary to develop large language generative AI models, as the noble Lords, Lord Ravensdale, Lord Bilimoria and Lord Watson, mentioned.
However, the key and most pressing challenge is to build public trust, as we heard from so many noble Lords, and ensure that new technology is developed and deployed ethically, so that it respects people’s fundamental rights, including the rights to privacy and non-discrimination, and so that it enhances rather than substitutes for human creativity and endeavour. Explainability is key, as the noble Lord, Lord Holmes, said. I entirely agree with the right reverend Prelate that we need to make sure that we adopt these high-level ethical principles, but I do not believe that is enough. A long gestation period of national AI policy-making has ended up producing a minimal proposal for:
“A pro-innovation approach to AI regulation”,
which, in substance, will amount to toothless exhortation by sectoral regulators to follow ethical principles and a complete failure to regulate AI development where there is no regulator.
Much of the White Paper’s diagnosis of the risks and opportunities of AI is correct. It emphasises the need for public trust and sets out the attendant risks, but the actual governance prescription falls far short and goes nowhere in ensuring where the benefit of AI should be distributed. There is no recognition that different forms of AI are technologies that need a comprehensive cross-sectoral approach to ensure that they are transparent, explainable, accurate and free of bias, whether they are in a regulated or an unregulated sector. Business needs clear central co-ordination and oversight, not a patchwork of regulation. Existing coverage by legal duties is very patchy: bias may be covered by the Equality Act and data issues by our data protection laws but, for example, there is no existing obligation for ethics by design for transparency, explainability and accountability, and liability for the performance of AI systems is very unclear.
We need to be clear, above all, as organisations such as techUK are, that regulation is not necessarily the enemy of innovation. In fact, it can be the stimulus and the key to gaining and retaining public trust around AI and its adoption, so that we can realise the benefits and minimise the risks. What I believe is needed is a combination of risk-based, cross-sectoral regulation, combined with specific regulation in sectors such as financial services, underpinned by common, trustworthy standards of testing, risk and impact assessment, audit and monitoring. We need, as far as possible, to ensure international convergence, as we heard from the noble Lord, Lord Rees, and interoperability of these standards of AI systems, and to move towards common IP treatment of AI products.
We have world-beating AI researchers and developers. We need to support their international contribution, not fool them that they can operate in isolation. If they have any international ambitions, they will have to decide to conform to EU requirements under the forthcoming AI legislation and ensure that they avoid liability in the US by adopting the AI risk management standards being set by the National Institute of Standards and Technology. Can the Minister tell us what the next steps will be, following the White Paper? When will the global summit be held? What is the AI task force designed to do and how? Does he agree that international convergence on standards is necessary and achievable? Does he agree that we need to regulate before the advent of artificial general intelligence, as a number of noble Lords, such as the noble Lords, Lord Fairfax and Lord Watson, and the noble Viscount, Lord Colville, suggested?
As for the creative industries, there are clearly great opportunities in relation to the use of AI. Many sectors already use the technology in a variety of ways to enhance their creativity and make it easier for the public to discover new content, in the manner described by the noble Lord, Lord Watson.
But there are also big questions over authorship and intellectual property, and many artists feel threatened. Responsible AI developers seek to license content which will bring in valuable income. However, as the noble Earl, Lord Devon, said, many of the large language model developers seem to believe that they do not need to seek permission to ingest content. What discussion has the Minister, or other Ministers, had with these large language model firms in relation to their responsibilities for copyright law? Can he also make a clear statement that the UK Government believe that the ingestion of content requires permission from rights holders, and that, should permission be granted, licences should be sought and paid for? Will he also be able to update us on the code of practice process in relation to text and data-mining licensing, following the Government’s decision to shelve changes to the exemption and the consultation that the Intellectual Property Office has been undertaking?
There are many other issues relating to performing rights, copying of actors, musicians, artists and other creators’ images, voices, likeness, styles and attributes. These are at the root of the Hollywood actors and screenwriters’ strike as well as campaigns here from the Writers’ Guild of Great Britain and from Equity. We need to ensure that creators and artists derive the full benefit of technology, such as AI-made performance synthetisation and streaming. I very much hope that the Minister can comment on that as well.
We have only scratched the surface in tackling the AI governance issues in this excellent debate, but I hope that the Minister’s reply can assure us that the Government are moving forward at pace on this and will ensure that a debate of the kind that the noble Lord, Lord Giddens, has called for goes forward.