Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) (Amendment) Regulations 2024

Debate between Lord Clement-Jones and Lord Leong
Monday 10th February 2025

Grand Committee
Lord Sharpe of Epsom (Con)

My Lords, I thank the Minister for his explanation. I would say to the noble Lord, Lord Clement-Jones, that something did happen, and that was the general election, which we, unfortunately, lost. That no doubt explains something of the delay.

The noble Lord, Lord Clement-Jones, has asked some pertinent questions. I will keep mine a little more general, because this SI amends the original regulations and broadens the exceptions under Schedule 3. The most notable change concerns the automotive sector, as has been noted, where vehicles were previously exempt from certain cybersecurity provisions.

The new regulations align the UK’s approach with international standards. They recognise the unique nature of vehicle systems and the need for specialised cybersecurity measures. UN Regulation No. 155 on cyber security and cybersecurity management systems, which governs the security of vehicles, is now set to be the primary framework for automotive security. As far as it goes, that would obviously seem eminently sensible, but the noble Lord, Lord Clement-Jones, has highlighted that there are a number of broader, perhaps more philosophical, questions about the direction of travel—that is not a pun—with regard to EVs, self-driving vehicles and vehicle autonomy, which we will have to grapple with at some point in the future. I imagine that this is a subject to which we will return.

My questions are a little more general. The regulations are undoubtedly important for protecting consumers and securing digital infrastructure, but we must consider the broader implications. The automotive sector is rapidly evolving, as has been noted, and the development of automated vehicles holds significant economic and societal potential. However, with innovation comes the risk of regulatory frameworks that struggle to keep pace; that is self-evident. How do we ensure that these cybersecurity measures do not inadvertently stifle technological advancement in areas and sectors such as the automotive sector? How do we end up striking the right balance between securing the technologies and enabling them to flourish?

There is also a question here around consumer awareness; again, this was highlighted by the noble Lord, Lord Clement-Jones. How long would an individual’s data be attached to a particular vehicle, for example, even after it is sold? These regulations require manufacturers to disclose the duration of product security support, but how well are consumers equipped to understand and act on this information? Are we confident that the public are sufficiently informed about the critical nature of cybersecurity? Will the Government commit to taking the necessary steps to help customers and consumers protect their devices and data? It seems to us that this is an area where the education of the public must go beyond the bare minimum. We need to ensure that consumers are not left in the dark about the sorts of security risks that they may face.

We must also consider enforcement. With the proliferation of smart products entering the market at such an unprecedented rate, how will we ensure consistent and effective compliance across such a diverse range of industries, from household appliances to vehicles? As new technologies emerge and evolve, the enforcement mechanisms that are in place today may not be enough. Are we allocating the necessary resources to monitor and enforce these standards effectively? Are the Government allocating additional resources to help those things along? Does the current enforcement mechanism system adequately address the rising complexity and scale of the challenges ahead?

As I said, these are broader, more philosophical questions—I do not expect the Minister to be in a position to answer them and there is no need to write—but these are the sorts of things that we all need to consider as a society. Obviously, that will have political, economic and societal ramifications that we all need to consider, but the Opposition have no objection to these regulations; they make perfect sense for now. I suspect, however, that this is a subject to which we will return.

Lord Leong (Lab)

My Lords, I thank the noble Lords, Lord Clement-Jones and Lord Sharpe, for their contributions.

I will first address the question asked by the noble Lord, Lord Clement-Jones: why the delay? As the noble Lord, Lord Sharpe, mentioned, it was a result of the general election. At the same time, we were waiting for the Department for Transport to progress UN regulation No. 155, until such time as we knew that we must take this exception out of the current regulations. That is the reason for the delay, basically; it was also about finding parliamentary time to table these regulations. That is that on the delay.

Lord Clement-Jones (LD)

I am sorry to interrupt the Minister but, frankly, this is the same instrument as the one that was debated last May. Nothing has changed apart from the lack of parliamentary time. We could have done this in September, October or whenever. I forget quite when we had the King’s Speech—in July? We could have done this at any time in the past few months.

--- Later in debate ---
Lord Leong (Lab)

This is beyond my pay grade, I am afraid. I will need to ask my leader, the Chief Whip, why we could not allocate any parliamentary time for this legislation.

As far as personal data is concerned, the GDPR is still the lead legislation. I respectfully say to the noble Lord that, for the purposes of today’s regulations, the whole issue of such data is outside the scope of this instrument for now. However, I am sure that we will be talking about personal data in the months and, probably, years to come in other forms of legislation, or even about it being regulated itself.

Lord Clement-Jones (LD)

Out of scope? On the basis that we are being asked to exempt automated vehicles, is it not proper that we ask for reassurance about automated vehicles and the implications for safety, data or whatever else? We are exempting them from these connected product regulations, so we need to be reassured that there are other ways of regulating them other than through these regulations. So this is not out of scope; the debate is about whether we should be exempting them.

Lord Leong (Lab)

I take the point, but the instrument is about the two amendments to the regulations. I take the noble Lord’s point about data. Yes, it is important, and we must preserve the data, but this instrument is not within that scope.

Moving on to cybersecurity within autonomous vehicles, cybersecurity is at the heart of the Government’s priorities for the rollout of all self-driving vehicles. The Automated Vehicles Act 2024 enables an obligation to be placed on those responsible for self-driving vehicles to maintain a vehicle’s software and ensure that appropriate cybersecurity measures are in place throughout its service life.

In response to the point made by the noble Lord, Lord Sharpe, about innovation, the Government are committed to supporting the development and deployment of self-driving vehicles in the UK. Our permissive trialling regime means that self-driving cars, buses and freight vehicles are already on UK roads with safety drivers. The Automated Vehicles Act will pave the way to scale deployments beyond trials. The Act delivers one of the most comprehensive legal frameworks of its kind anywhere in the world for self-driving vehicles, with safety at its core. It sets out clear legal responsibilities, establishes a safety framework and creates the necessary powers to regulate this new industry.

On the point about cybersecurity from the noble Lord, Lord Clement-Jones, the Government take national security extremely seriously and are actively monitoring threats to the UK. The Department for Transport works closely with the transport sector, the National Cyber Security Centre and other government departments to understand and respond to cybersecurity issues associated with connected vehicles. UN regulation No. 155 more comprehensively addresses cybersecurity risks with automotive vehicles and has adequate provisions to deal with the prospect of self-driving vehicles. The PSTI regime is designed for consumer contactable devices or products and is not fully equipped to address the specific needs and complexities of vehicle cybersecurity. UN regulation No. 155, which was developed through international collaboration, provides a more suitable and rigorous framework for ensuring the security of vehicles.

More everyday products than ever are now connected to the internet. The Government have taken action to ensure that UK consumers and businesses purchasing consumer connectable products are better protected from the risks of cyberattack, fraud, or even, in the most serious cases, physical danger. The PSTI product security regulatory regime builds on the ETSI international standard and is the first of its kind in the world to come into force.

The cybersecurity regulatory landscape will continue to evolve. The Government need to be agile to ensure that there is synergy between existing and new laws. Through this draft instrument, the Government are delivering on the commitment in 2021 to except certain categories of automotive vehicles from the scope of the PSTI products security regulatory regime. This is because the Government, via the Department for Transport, are in the process of introducing sector-specific regulations that have been developed at an international level to address the cybersecurity of these products. These requirements, which are specifically tailored to these vehicles and their functionality, will create a more precise regime for the sector. This draft instrument therefore ensures that the automotive industry, which contributed £13.3 billion to the economy in 2022, will not be placed under undue burdens from dual regulations.

Lord Clement-Jones (LD)

My Lords, the Minister has not mentioned the point raised in the Explanatory Memorandum, which was designed, I think, to give us comfort about cybersecurity and data: the Government’s Connected and Automated Vehicles: Process for Assuring Safety and Security—CAVPASS—which I mentioned. I did not hear him give us an assurance that that will be developed during 2025 to ensure the safety and cybersecurity of self-driving vehicles. As well as reiterating that the GDPR is an absolutely splendid way of regulating these automated vehicles, I hope that he will reiterate that this will be produced, because I have had a look at what CAVPASS currently says in the area of data, and it is not very much. After all, these connected regulations from which we are exempting automated vehicles are about safety, data and everything else.

Lord Leong (Lab)

My Lords, the noble Lord makes a very important point. Rather than waiting for my officials to give me a briefing note, I will ensure that I write to him on all the points that he has just mentioned.

Public Authority Algorithmic and Automated Decision-Making Systems Bill [HL]

Debate between Lord Clement-Jones and Lord Leong
The Earl of Effingham (Con)

My Lords, I thank all noble Lords for their contributions on the Bill, particularly the noble Lord, Lord Clement-Jones, who brought it forward. In an era increasingly shaped by the decisions of automated systems, it is the responsibility of all those using algorithmic and automated decision-making systems to safeguard individuals from the potential harm caused by them. We understand the goals of the Bill: namely, to ensure trustworthy artificial intelligence that garners public confidence, fosters innovation and contributes to economic growth. But His Majesty’s Official Opposition also see certain aspects of the Bill that we believe risk its effectiveness.

As the noble Viscount, Lord Camrose, pointed out at Second Reading, we suggest the Bill may be prescriptive. The definition of “algorithmic systems” in Clause 2(1) is broad, encompassing any process, even those unrelated to digital or computational systems. While the exemptions in Clause 2(2) and (4) are noted, we believe that adopting our White Paper definitions to focus on autonomous and adaptive systems would provide clarity and align the scope with the Bill’s purpose.

The Bill may also benefit from an alternative approach to addressing the blistering pace of artificial intelligence development. Requiring ongoing assessments for every update under Clause 3(3) could be challenging, given that systems often change daily. We may also find that unintended administrative burdens are created from the Bill. For example, Clause 2(1) requires a detailed assessment even before a system is purchased, which may be unworkable, particularly for pilot projects that may not yet operate in test environments, as described in Clause 2(2)(b). These requirements could risk dampening exploration and innovation within the public sector.

Finally, we might suggest that in order to avoid potentially large amounts of bureaucracy, a more effective approach would be to require public bodies to have due regard for the five principles of artificial intelligence as evidenced in our White Paper, those five principles being: safety, security and robustness; appropriate transparency and explainability; fairness; accountability and governance; and contestability and redress. His Majesty’s Official Opposition do of course value the importance of automated algorithmic tools in the public sector.

Lord in Waiting/Government Whip (Lord Leong) (Lab)

My Lords, I thank the noble Lord, Lord Clement-Jones, for bringing the important issue of public sector algorithmic transparency for debate, both today and through the Data (Use and Access) Bill, and I thank the noble Earl, Lord Effingham, for his contribution.

The algorithmic transparency recording standard, or ATRS, is now mandatory for government departments. It is focused, first, on the 16 largest departments, including HMRC; some 85 ALBs; and local authorities. It has also now been endorsed by the Welsh Government. While visible progress on enforcing this mandate was slow for some time, new records are now being added to the online repository at pace. The first batch of 14 was added in December and a second batch of 10 was added just last week. I am assured that many more will follow shortly.

The blueprint for modern digital government, as mentioned by the noble Lord, Lord Clement-Jones, was published on 21 January, promising explicitly to commit to transparency and accountability by building on the ATRS. The blueprint also makes it clear that part of the new Government Digital Service role will be to offer specialist assurance support, including a service to rigorously test models and products before release.

The Government share the desire of the noble Lord, Lord Clement-Jones, to see algorithmic tools used in the public sector safely and transparently, and they are taking active steps to ensure that that happens. I hope that reassures the noble Lord, and I look forward to continuing to engage with him on this important issue.

Lord Clement-Jones (LD)

My Lords, I thank the noble Earl for taking the trouble to read my Bill quite carefully. I shall obviously dispute various aspects of it with him in due course; however, I welcome the fact that he has taken the trouble to look at its provisions. I thank the Minister for his careful reply. I do not think that the Government are going far enough, but time will tell.

Data (Use and Access) Bill [HL]

Debate between Lord Clement-Jones and Lord Leong
Lord Leong (Lab)

My understanding is that “customer” reflects an individual, but I am sure that the Minister will give a better explanation at the meeting with officials next week.

Lord Clement-Jones (LD)

Again before the Minister sits down—I am sure he will not be able to sit down for long—would he open that invitation to a slightly wider group?

Lord Leong (Lab)

I thank the noble Lord for that request, and I am sure my officials would be willing to do that.

Data (Use and Access) Bill [HL]

Debate between Lord Clement-Jones and Lord Leong
Lord Clement-Jones (LD)

My Lords, the problem is that I have a 10-minute speech and there are five minutes left before Hansard leaves us, so is it sensible to draw stumps at this point? I have not counted how many amendments I have, but I also wish to speak to the amendment by the noble and learned Lord, Lord Thomas. I would have thought it sensible to break at this point.

Lord Leong (Lab)

That is a sensible suggestion.