(2 years ago)
Grand CommitteeMy Lords, I am very grateful to all noble Lords who have contributed to today’s debate, including my noble friend Lord Lindsay, who spoke in the gap. As the noble Lord, Lord Fox, rightly said, it is quality not quantity that counts. I am glad that noble Lords who took part were unanimous that although the Bill may be small its potential impact is significant.
In my opening remarks I touched on that transformative impact, and I am keen to emphasise the elegant way that the Bill achieves its goal. It is a simple Bill, although I hesitate to use that word because a great deal of consideration and work has gone into making it so. My noble friend Lord Holmes of Richmond is right to pay tribute by name to some of the people who have been involved in that important work. The Bill achieves what it sets out to do in a minimalistic way. As the noble Viscount, Lord Waverley, said, it is also an enabling Bill which leaves people free to sign up to use it if they wish. The opportunity it presents to bring trade law up to date is immense.
English law underpins the laws of global trade, and all eyes will be on us in the UK as we take this legislation forward. As the noble Viscount, Lord Waverley, said, the benefits will be there for others to accrue beyond these shores. The objective of the Bill is for the UK to take the lead in setting an international standard for how electronic trade documents can be defined and recognised under domestic law with the intention that other jurisdictions will adopt similar laws. The more that other countries harmonise their domestic laws to recognise electronic trade documents, the less it will matter whether UK law and this Bill in particular apply, and that is the case with paper trade documents today.
I am grateful to my noble friend Lord Lansley for highlighting some of the areas that he intends to probe in the Special Public Bill Committee. He is right that the Bill requires that scrutiny there.
I will deal with some of the questions that were raised. I hope it will be useful. I will, of course, look to see whether it is worth writing on further points ahead of the Special Public Bill Committee, although I would be grateful to noble Lords for recognising that that is the place to go into some of the deeper detail. I am always happy to speak to noble Lords ahead of that committee if it would be useful.
I agree with my noble friend Lord Holmes that there are many opportunities for technological solutions. One of the underlying principles of the Bill is that it is technology neutral. It would run counter to the objectives of the Bill if it were to prescribe or mandate a particular electronic trade document system. That would be likely to stifle innovation and risk excluding participants on the basis that their system does not satisfy the Bill’s requirements. The Bill does not specify what constitutes a reliable system or mandate a particular type of system. Rather it sets out various factors that a court may take into account when determining reliability. The Bill therefore offers some guidance on how to assess the reliability of electronic systems. We have been working closely with industry, which is developing standards to ensure reliability and verifiable authentication of electronic trade documents.
One issue that is worth investigating further is who is the arbiter of reliability when it comes down to a system. Is it the buyer, the seller, a third party or some accreditation body that says it is reliable?
If I may, I will accept the noble Lord’s invitation to look at this in Committee because it is worthy of the deeper scrutiny that that affords.
A number of noble Lords understandably referred to the United Nations Commission on International Trade Law, or UNCITRAL, and its Model Law on Electronic Transferable Records, or MLETR, which is the international attempt to provide a legal framework for electronic trade documentation that can be adapted and adopted by individual jurisdictions. In developing its recommendations for reform, the Law Commission was particularly cognisant of this model law. The recommendations have been developed with a keen awareness of it, aligning with it where possible and integrating its spirit and objectives into the particularities of the law of the UK. As such, the provisions of the Bill are broadly compatible with the MLETR, but are drafted to cater for the nuances and specificities of UK law.
For example, the Bill expressly and clearly provides that electronic trade documents are capable of possession, while the MLETR provides that control is a functional equivalent to the fact of possession. It is clearer and more direct to extend the application of the concept of possession itself, rather than to use control as a functional equivalent to the fact of possession. That is something that the noble Lord, Lord Fox, touched on in his remarks about restrictions on control.
Within this Bill, control is a question of fact, as reflected by Clause 2(3)(a), which did not feature in the Law Commission’s draft Bill. The Bill does not define possession; it is a common law concept, which is highly flexible. Again, noble Lords will want to discuss this area in Committee, but the Law Commission’s advice, based on extensive research and consultation, is that it would be difficult, if not impossible, to set out in legislation what constitutes possession of an electronic trade document because possession is a fact-specific concept that has always been notoriously difficult to define in abstract terms. Furthermore, it would be impractical to frame legislation to cover the full range of possible solutions that could arise in relation to possessing electronic trade documents, particularly given the potential for technology to develop and give rise to different forms of control and therefore possession. I look forward to discussing this in greater detail in Committee.
The noble Lord, Lord Fox, asked about the territorial extent of the Bill, particularly in relation to Northern Ireland. The Bill is intended to apply UK-wide, as the issues concerning the legal blocker to possessing electronic documents are broadly the same. Apart from the provision in Clause 3(4), which extends only to Scotland and relates to the interaction between the Bill and the Moveable Transactions (Scotland) Bill, the Bill extends UK-wide. It is reserved in relation to Northern Ireland on the basis that the Bill deals with the reserved matter of trade with any place outside the United Kingdom. We have agreed with officials in the Northern Ireland Executive that the legislative consent Motion process is not therefore engaged.
Is this Bill compatible with the Northern Ireland protocol? Is it compatible with the unique position that Northern Ireland has within the United Kingdom in having an open border with the EU?
We do not expect the Bill to have any impact on the operation of the Northern Ireland protocol. It is a measure to digitise business-to-business trade documents. It will allow businesses to use electronic trade documents when buying and selling internationally, and the benefits will be realised irrespective of whether trade is internal to the UK market or is global.
The noble Lord, Lord Fox, also asked some further questions about other jurisdictions. DCMS and the Department for International Trade agreed the digital economy agreement with Singapore, which includes a memorandum of understanding that put in place a pilot project to explore and text the interoperability of electronic trade documents.
The noble Viscount, Lord Waverley, asked about digital ID and e-signatures. I certainly agree that digital signatures and digital ID are areas that would benefit from harmonisation. As noble Lords stated, this Bill is merely the first foundational step towards digitisation and interoperability. The Bill is very specific in removing the legal blocker to possession of electronic trade documents; that really is its core purpose. We want to remove an obstacle for UK businesses that trade internationally. In giving electronic trade documents legal effect, we can unlock their current and future potential.
I will of course consult the Official Report of the debate to see whether there are any further points on which it might be useful to follow up before Committee. I look forward to the further scrutiny that this modest but important Bill will receive then. I am very grateful to noble Lords for their remarks and the questions that they have raised today.
(2 years ago)
Lords ChamberOfficials and Ministers in the department are discussing the recommendations of the fan-led review with all the interested parties, taking into account all those views, and the White Paper will provide the answers which my noble friend and others seek.
My Lords, words such as “discussing” and “reviewing” indicate that the department seems to be kicking this ball into touch. Does the Minister recognise that, with every month and every year that passes, clubs that have been part of communities are being lost, and that more delay will mean that more clubs are lost?
As I said to the noble Lord’s noble friend earlier, football itself can take forward some of the recommendations in the fan-led review which we endorsed in April, such as financial redistribution throughout the leagues. We urge them strongly to do that, and my right honourable friends have done so directly.
(2 years, 5 months ago)
Lords ChamberAs I explained earlier, it is a probing amendment designed not to go into legislation but to get an answer, and the answer was not forthcoming.
First, the code is designed to comply with building safety that has come before it. The Building Safety Act is subsequent to the code so in this respect, that is not a helpful answer. Secondly, there are specific statutory instruments, as a result of the Building Safety Act, which deal with utilities. I asked a very clear question: will the Government be considering this function of digital infrastructure to be a utility? Also, will there be statutory instruments as a result of that Act which cover this issue, or does it need to be covered in another way? It is not covered in the answer the Minister has just given, so this must be specifically opted into the process that the Building Safety Act has ushered in as a result of the Hackitt review.
The Building Safety Act received Royal Assent on 28 April, as the noble Lord knows. It will strengthen oversight and protections for residents in high-rise buildings, it will give a greater say to residents of tall buildings and it will toughen sanctions against those who threaten their safety. Its focus will help owners to manage their buildings in a better way while giving the housebuilding industry the clear and proportionate framework it needs to deliver more and better-quality homes.
Building regulations to be made under the new powers inserted by that Act will provide for more stringent requirements, separate from the Electronic Communications Code, regarding building work on high-rise buildings. People undertaking such work as employees or contractors of companies, including network operators, will have duties to ensure that their work complies with all the relevant building regulations. That will include the provision of information as part of the golden thread which will be handed over to accountable persons on completion of the building work.
I note also that the building regulations already include requirements to install infrastructure to support high-speed electronic communications networks in new buildings. DCMS has consulted on plans further to amend the building regulations to mandate gigabit-ready infrastructure and gigabit-capable connections to new homes. When such work is carried out it is required to meet all relevant requirements of the building regulations, include those for fire safety, so we do think that this is provided for already. I understand that it is a probing amendment; none the less—
Without labouring the point tonight, the Minister can perhaps pander to my curiosity and come back with the specific statutory instruments that are expected to implement this. As I understand it, statutory instruments were laid and then withdrawn, and I do not think that they included digital infrastructure in the initial wording. I have a specific concern that there is a slight falling between the cracks. Perhaps the Minister can reassure me with some specifics in a letter.
I am very happy to consult my colleagues at the Department for Levelling Up, Housing and Communities and to provide the letter the noble Lord requires. I invite him now to withdraw his probing amendment, and other noble Lords not to move theirs.
(2 years, 5 months ago)
Lords ChamberMy Lords, if there is an abiding theme in this group, it is transparent reporting and then using the data within those reports to make sensible decisions.
Notwithstanding the Minister’s special day tomorrow, I am guessing that he is quite a lot younger than me, so he might be able to remember his childhood. I can remember a game that we used to play, of running down hills with our eyes closed. This was tremendous fun, until it stopped—and it usually stopped when you fell over or hit something. The argument advanced by the Government is, “We mustn’t do a review. We can’t have data because it’ll upset the market”—in other words, we cannot open our eyes because it will stop us running down the hill fast enough. That is the nature of what we are doing. In order to make sure that we do not fall over and that we are running in the right direction, we need to have our eyes open. In their different ways, these amendments seek to open our eyes to the effect that the Bill and all of this public and private investment will have on the objective that we all share: putting fibre in every home in this country. Without information, and without transparency in that information, we will not know how fast we are going and in which direction.
I care little about whether the Government accept the words in these amendments, but I do care about a Government who have enough sense to get the information, publish it and then act on it.
My Lords, I am particularly grateful to my noble friend Lady Stowell for her early birthday wishes. Finishing Committee a day ahead of schedule is a delightful early present. There are still to hours to go before tomorrow, and I hope that we will rise before noble Lords have to sing “Happy Birthday”.
Amendments 45, 47 and 49 seek to impose duties on the Government to assess and report on various impacts of the 2017 code reforms and, indeed, of this Bill once brought into force. I certainly appreciate the spirit of these amendments, which are designed to ensure that the Government are held to account; the noble Baroness, Lady Merron, referred to the conversations we had right at the beginning of our discussions on the Bill. Noble Lords will know that there are already ways in which some or all of the effects of these amendments can be achieved. For instance, Ofcom publishes its annual Connected Nations report, which it updates a further two times a year; this provides a clear assessment of the progress in both fixed and mobile connectivity. I hope that noble Lords will agree that the independent regulator is well placed to provide information on the progress of gigabit-capable broadband. Moreover, the Government continue to answer questions and provide clarity on all aspects of their work in this area, both in your Lordships’ House and in another place.
Amendment 45, tabled by the noble Baroness, Lady Merron, and the noble Lords, Lord Bassam of Brighton and Lord Blunkett, seeks an assessment of the legislation passed in 2017 to update the code, and particularly the impact of changes to the valuation regime. When the 2017 reforms were introduced, we recognised that the market would need time to adapt and settle. We have engaged with interested parties since the reforms came into force to identify any emerging issues. In our view, there is not yet enough evidence for a properly robust and comprehensive analysis to be made of the impacts that the 2017 reforms have had, of which the valuation framework was only one aspect. That is particularly the case given the impact of the Covid-19 pandemic, which has caused major shifts both in the demands on telecommunications operators and on their ways of working. However, in light of the feedback we have received through our engagement and our public consultation, the Government believe that the changes we are making in the Bill are needed to ensure that the 2017 reforms have their intended effect. That is not to say that we think the 2017 reforms failed—much progress has been made; we simply think that more can and must be done to maximise their impact. Making these changes now through the Bill will help to meet the Government’s 2025 connectivity target for at least 85% of homes and businesses to have access to gigabit broadband.
The noble Baroness, Lady Merron, asked how often our engagement has taken place. The access to land workshops is one part of it; there are in fact three separate groups which have been going for over a year. They met this month and will meet again in July, so we are undertaking that engagement on a regular basis.
Amendment 47, tabled by the noble Lords, Lord Fox and Lord Clement-Jones, asks the Government to review and report on the impact of Part 2 of the Bill against our gigabit delivery targets. Again, I appreciate that noble Lords will be keen to ensure, as they should, that the Government are on track with their commitments. DCMS currently carries out monitoring, and regular updates are published on a quarterly basis by Building Digital UK. That monitoring and reporting will naturally capture and reflect any accelerations that occur after this Bill comes into force.
The most recent Project Gigabit quarterly update highlighted the progress we are making. This includes reaching a milestone of over 100,000 broadband vouchers issued, worth more than £185 million, with 65,000 claimed to date to support households and businesses with the additional costs of securing gigabit-capable connections; launching two new regional procurements in Norfolk and Suffolk and two local supplier procurements in Cornwall, bringing our total live procurements to 10 and extending gigabit-capable connectivity to up to around 380,000 premises; completing over 20 market engagement exercises across the UK further to inform our future procurement pipeline; and launching as an executive agency of DCMS and publishing our first corporate plan setting out our key strategic objectives for 2022-23 and how Building Digital UK will drive the expansion of gigabit connectivity to all parts of the country.
Briefly, if it is going so well, why are the Government changing everything? The Minister has just told us how well it is going, and now they are changing everything.
From our engagement, to which I have referred, we believe it is going well and progress has been made, but our engagement with stakeholders suggests that the reforms that we are putting forward through this Bill are needed. We are extending that progress following consultation.
With such an accelerating market, thanks to the pro-investment environment that the Government are creating, it is quite challenging to quantify the extent to which progress is attributable to any single piece of legislation in a market that reflects so many factors. That is one reason why we think it would be of limited value.
My noble friend Lord Northbrook asked me to comment on the Centre for Economics and Business Research report on the 2017 reforms. We believe that the CEBR report does not provide a sufficiently rounded picture in its assessment of how the 2017 reforms have affected the pace of telecommunications delivery. The Government, as I have said, acknowledged in 2017 that reductions in payments could make landowners less keen to enter into agreements to host apparatus on their land. We expected an initial slowdown following the implementation of the 2017 reforms while the market adapted to them, but our understanding, informed by our conversations and consultation, is that both new and renewal agreements are now being successfully concluded. For instance, we were informed in January this year that, since 2017, 900 agreements had been renewed and that 83.5% of those agreements were concluded consensually, to give noble Lords some data.
By extension, is the Minister expecting a slowdown again as the market gets used to these changes? Clearly, the Government expected a slowdown when they made the last set of changes; are they anticipating a similar slowdown this time?
These changes build on the changes of 2017, so we do not expect there to be such an impact, because there is not such a change for the market.
We think it is too simplistic to attribute the changes in the market since 2017 solely to the valuation framework. The reforms in 2017 also made it easier for operators to share equipment, which will have reduced the demand for new mast sites to be built. Of course, we all hope that there will not be disruptive effects of a pandemic, as we have seen in the years since 2017.
Amendment 49, tabled by the noble Lords, Lord Clement-Jones and Lord Fox, and the noble Earl, Lord Lytton, asks the Government to conduct an implementation review of the Act after it is brought into force. However, we believe including such a requirement in the legislation is not necessary. The Government will of course monitor the effect of this legislation to understand how it is working in practice. Requiring an assessment at a specific time and which is focused on such specific elements would fetter the Government’s ability to judge when a meaningful review of progress can most sensibly be completed and what information it should include. I am happy to reassure my noble friend Lady Stowell that of course we want to monitor the effect of this legislation and to see and understand how it is working in practice.
Amendment 50, tabled by the noble Lords, Lord Clement-Jones and Lord Fox, the noble Earl, Lord Lytton, and the noble Baroness, Lady Merron, seeks to impose duties on telecommunications operators to provide a variety of annual data to Ofcom. It must be remembered that imposing reporting obligations on the industry necessarily diverts resources away from delivering the very targets that the Government have challenged them to deliver and on which noble Lords are rightly pressing us for progress. Any such obligations must therefore be proportionate.
The Communications Act 2003 already gives Ofcom substantial powers to collect and publish data. Procedures are therefore in place to monitor the progress that is being made and to ensure that details of this progress are published. For example, licence obligations for the shared rural network require mobile network operators to report on coverage and the number of new sites built through the programme. Operators also provide Ofcom with information on the geographic availability of coverage to enable consumers to make informed decisions. This is all data that is, or will be, published in Ofcom’s Connected Nations report.
(2 years, 5 months ago)
Lords ChamberI am grateful to the noble Lord, Lord Fox, and, in his absence, the noble Lord, Lord Clement-Jones, for their Amendment 1 and for the wholly positive intention with which it has been tabled. I was grateful to have had the opportunity to talk to them about it before Second Reading as well. As the noble Lord set out today, he has argued that customers deserve some high-level principles setting out the security protections they should expect when purchasing consumer-connectable technology. In fact, Amendment 1 goes further, as noble Lords have noted, and would require manufacturers to owe their customers a “duty of care” to protect them. We are not as keen as the noble Earl, Lord Erroll, on that.
The first problem we have with a duty of care is that it could give consumers a false sense of security. If consumers buy well-designed technology products which meet the best standards, it considerably lowers risk, but with cybersecurity there is no such thing as zero risk: the most aggressive and well-resourced hacker will find a way. Somebody may have a quality product, but have they secured their wi-fi router? Do they have some legacy technology on their network? Manufacturers of a single device do not control the whole range of apparatus which constitutes the attack surface so cannot always provide an absolute security warranty, and they cannot always predict the next attack vector.
The second problem we have is that we have learned that the security of devices is best served by standards rather than principles. If one sets standards, one can send a device to a laboratory and assure oneself that those standards have been met. If one sets principles, that does not apply. That is why the Bill is designed to give force to standards. Those standards, developed here in the UK and now adopted by Governments and jurisdictions across the globe as well as by international standards bodies, are widely recognised significantly to lower risk for consumers.
Of course, we believe that the responsibility for the security of connectable products most effectively lies with the manufacturer. We expect manufacturers to take security seriously, to implement measures to develop and maintain an awareness of the security of their products, and to be up front with customers about the security support they can expect. We have tried voluntary compliance, with our code of practice which was published in 2018. We now need mandatory requirements, and that needs specific security requirements that can be independently assessed. The legislation must enable the Government to keep pace with market dynamics and the changing technological landscape—as the noble Baroness, Lady Merron, said, it is important that we move with the times. The flexibility to be able to set different security requirements for manufacturers, for importers and for distributors is key to this.
Amendment 1 in the form drafted would place an equal weight on the duties of each of these three groups to secure products. Compelling the Secretary of State to have regard to this general duty could constrain the Government’s ability to set specific security requirements in the future. Crucially, these principles could restrict the use of powers in this part of the Bill, working against the Government’s ability to bring this regime into force and impeding our ability to keep that regime future-proof. I should also say to noble Lords that industry and consumer groups have not raised the need for general principles such as this. Our efforts to engage and communicate our intentions have been clear, and the requirements we have set out for the relevant persons have been widely understood and are in line with international standards.
The noble Lord, Lord Fox, asked why the Government have chosen these three specific security requirements rather than others. During the consultation in 2019, we explored a number of options including mandating that all consumer-connectable products meet all 13 guide- lines in the code of practice. They are all important, but the majority of respondents supported the option that the top three security requirements represented the most appropriate baseline, by balancing the important requirements that are testable, being applicable across a range of devices and creating the right incentives to improve security in these products. That is why the Government are initially mandating the implementation of security requirements that will make the most fundamental impact on the risks posed by insecure consumer-connectable products for consumers, businesses and the wider economy.
The noble Lord also asked about where products end and apps begin. The powers in Part 1 allow Ministers to set out requirements that include products and software. The proposals in the consultation he mentioned relate to those who operate app stores. So, while I acknowledge the good intentions behind it, I hope I have been able to set out why the Government feel that this amendment—
I thank the Minister for giving way. That does not answer the question of where an app starts. If I am downloading Nest for my heating system, I am getting it from an app store, so where is the regulation coming? Is it the app that is coming from the app store, or is it the connectable device law that is coming through here? In which case, I think some explicit connectivity between the apps that run the connected devices needs to be written into the Bill.
Perhaps, if the noble Lord is happy, we can explore this. The example he gives, as he knows, includes software and technology. Perhaps we can have a detailed discussion where we can work through some of those examples. I would be very happy to talk to him about them because on the question he poses the line is drawn in a different place depending on the product and its nature.
Some of the standards in this area have been set in the UK and have already been adopted by other jurisdictions, so I hope that we can give the noble Earl some reassurances. While I acknowledge his point about the time it takes for these to be adopted internationally, in some areas the UK is setting the way, and these are being picked up across the globe.
As I said, while I note the good intentions behind Amendment 1, these are the reasons why the Government are unable to support it. However, I am very happy to pick up the questions about apps and products with the noble Lord and others who wish to join that conversation. I hope that, for now, the noble Lord will be content to withdraw his amendment.
My Lords, while that was a relatively disappointing response, I am pleased that we can have the discussion about apps. I thank noble Baroness, Lady Merron, and the noble Earl, Lord Erroll. I think he put his finger on it. If we are to keep pace with the speed of change only through a standards regime without making the companies delivering these products in some way responsible—whether through a code of practice or a duty of care, I am not quibbling—there is no way that a standards regime can keep pace with the innovative speed that international crime is running at on cybercrime.
The idea that we can chase this down the road is wholly wrong. I ask the Minister to sit down with the department and perhaps we can come up with a different way of doing it. I am totally agnostic about how we go about it, but some sense that we are not just chasing this needs to be in this Bill, otherwise it is going to be after the fact. That said, I am happy to beg leave to withdraw Amendment 1.
My Lords, I will speak to Amendments 3 and 5 and in support of the other two amendments in this group. All these amendments refer to Clause 1 and seek to add some specificity to its general nature. The first amendment in my name and that of my noble friend Lord Clement-Jones is Amendment 3. This inserts a new paragraph (c) into Clause 1(1), adding the text
“children where they are not primary users of products but are subjects of product use”.
Why is this necessary? Here I am indebted to a report on cybersecurity, the UK Code of Practice for Consumer IoT Security produced by the PETRAS National Centre of Excellence for IoT Systems Cybersecurity. Noble Lords may be aware of this group; it has a very strong record in this area. It is a consortium of leading UK universities dedicated to understanding the critical issues of the privacy, ethics, trust, reliability, acceptability and security of IoT. I commend this organisation to the small number of noble Lords in this Chamber interested in this area.
This report highlighted, among other things, the importance of children’s connected toys receiving the necessary scrutiny, due to the implications of embedded cameras and microphones, with the aim of ensuring the child’s and the parents’ protection and right to privacy. Such devices include a wide range of everyday artefacts with internet connectivity intended for use by children or in caring for them, such as interactive toys, learning development devices and baby or child monitors.
These connected toys and tools have the potential for misuse and unauthorised contact with vulnerable minors. The British Toy & Hobby Association has responded by offering a range of guidance notes and by interpreting the code of practice, but with SMEs manufacturing most of these devices, there is much more to be done to ensure that those organisations are sufficiently informed and equipped to produce and market toys that are secure.
Security is not straightforward, as the Minister has already pointed out. While these devices offer a range of advantages through their connectivity, they also potentially expose children and their families to risks that have not yet been fully articulated to many of the consumers who are buying these toys.
A real-life example is that the toy giant Mattel launched Hello Barbie. The Minister may be familiar with it—I do not know. This was as far back as 2015. It was a very innovative toy which it launched with a start-up business called ToyTalk. The principle of this toy was that it could converse using internet connectivity with speech recognition, so as well as talking it could listen. Hello Barbie also allowed parents to log in later and eavesdrop on their children’s conversations with their toys. I will leave your Lordships to decide the ethics of that.
But this connectivity raised some concerns, primarily around who could listen in and record these devices and store conversations and behavioural and location data, and for what purpose this data could be used. Toys like these are now prevalent and they raise significant questions about the appropriate support and guidance for the toy manufacturers, which understand an awful lot about conventional safety—they know how to make physically safe toys—but do not have a track record on developing informationally and data-safe toys because they have never been asked to do that before. This is a new venture for them, and it requires a totally new set of skills and standards, as the Minister might say.
As technology evolves hacking is increasing in sophistication, so it is necessary to keep moving forward. The challenge for cybersecurity in remaining ahead of the risks is inevitably a technological one, and the Minister may remember that the Hello Barbie toy, having been launched and lauded for its security, was ultimately found at some point to have serious security issues. Even that toy, from a very large manufacturer, fell foul of the progress of information crime.
Nevertheless, it is clear that today some toy manufacturers are releasing connected toys without adequate safety and security features. This is a competitive and dynamic marketplace—a lot of it is to do with price—and first movers are rewarded. In addition, the skillset and knowledge base, as I have just said, for conventional toy safety is mismatched with these new toys and we need to find a way of addressing that divergence. This is going to require investment and new learning and will not happen unless the toy manufacturers are required to do it.
Secure software development and cybersecurity are novel demands on this sector. However, the fact remains that these toy manufacturers are potentially placing consumer safety and privacy at risk. It does not matter whether this occurs due to the immaturity of the sector, market pressures or the lack of sectoral attention to the problem.
In the view of the Petras report,
“there are no indications that this will be addressed through market forces. Instead, the certainty of legislation to maintain standards would level the playing field and make clear for SMEs where they need to invest to make their toys market ready.”
Thus, more than the technological challenge of staying ahead of hackers, what is salient here are the challenges to the implementation of basic security features in manufacturing such as basic authentication and encryption, without which children’s safety and security is at risk.
This amendment explicitly places child security front and centre in this Bill. In other legislation involving the internet and digital issues, such as the Online Safety Bill, the Government have imposed more onerous duties on those delivering services to children than to adults. This amendment would be entirely consistent with that approach—very much in the spirit of understanding that our children and young people are more vulnerable and therefore need more protection from harms.
I turn next to Amendment 5. The eagle-eyed among your Lordships will spot that it is very similar to Amendment 4, proposed by the noble Baroness, Lady Merron, and set out very elegantly by the noble Lord, Lord Bassam. In fact, I would suggest that, largely, its construction is better than ours because they managed to do the same thing in fewer words. I will speak to Amendment 5 but my comments apply to Amendment 4 as well.
Amendment 5 seeks to ensure that:
“Regulations under this section must include provision that all security requirements specified in accordance with this Act are included as essential requirements in statutory conformity assessments and marking procedures under the Radio Equipment Regulations 2017 … and in any other such assessments and procedures applicable to relevant connectable products.”
I am speaking to the spirit of both these amendments. Amendment 5—similar to that of the noble Lord, Lord Bassam—follows on from the advice and help of Which? I thank that organisation, which has really been at the forefront of the consumer issues involved. In essence, the amendment picks up on three of the issues that the Minister tells us will be dealt with in SIs as soon as the Bill becomes an Act, but it takes the rather stronger approach of placing them in the Bill.
Paragraph (a) of proposed new subsection (2A) goes further than the general principle in specifying that passwords are not to be weak. As Which? explains, many smart products push the user to create a password themselves, rather than use a default password. However, they then allow weak and easily guessable passwords to be created, meaning that the risk of compromise stays high.
One of the outcomes of this amendment would be the introduction of a requirement for responsible password policy guidance to be adopted by the industry to ensure that security liability is not simply passed from the device manufacturer to the consumer. The Bill and associated guidance should be amended to clarify that every individual device must have a unique or user-set password that meets effective complexity requirements.
Paragraph (b) of proposed new subsection (2A) seeks to avoid the risk of disclosures going into a black hole or taking many years to fix. The Bill and associated guidance should be amended to make clear what is required of manufacturers, importers and distributors on provision of disclosure policy information, particularly around vulnerabilities. The appointed regulator should also clearly define and distribute a risk assessment framework for vulnerabilities that removes any sense of subjectivity and ensures that the response is effectively mandated.
Paragraphs (c) and (d) of our proposed new subsection concern the length of time a product is supported. The Government should introduce mandatory minimum support periods for smart products and consider whether these periods should reflect how long consumers, on average, continue to use such products. There is a precedent here. New ecodesign and energy labelling requirements came into force in England, Scotland and Wales in 2021. They include a requirement for electronic display items, including televisions, to be provided with firmware and security update support for a minimum of eight years after the last unit of a model has been placed on the market. A consistent approach to support periods for a range of products therefore needs to be considered, and it has already been considered in this other legislation.
Customers need absolute clarity on the support period manufacturers will offer, so that they are able to make more informed purchasing decisions. There must be a clear definition of what the “point of sale” means and how this relates to the definitions of “supply” in Clause 55. Without clearer specifications on what form the transparency requirements will take, there is a risk that this information could be hidden, obfuscated or even mislead. This amendment is designed to probe the Government’s thinking on these very important issues.
Finally, and very briefly, as a signatory to Amendment 2, I give it my full support.
I am very grateful to noble Lords for setting out the cases for Amendments 2, 4 and 5. Since January 2020 the Government have been clear on introducing security requirements based on the three guidelines to which I referred in the previous group.
The commitment to set requirements has been made in response to consultations, published strategies and indeed to the Explanatory Notes to this Bill. Our notification to the World Trade Organization also contained reference to some of these documents. We have put manufacturers, trade bodies and industry representatives on notice. Supply chains are long and surprises unwelcome, so the Government have been very clear on whither we are heading.
Amendment 2 would remove any discretion the Secretary of State has to make regulations. I appreciate that the intention behind tabling it is to explore this issue, and I hope I can assure noble Lords that it is not needed. The regulations will be made, and swiftly. Indeed, we have already consulted on them, in 2020, which I hope gives noble Lords some reassurance that we intend to move swiftly in this area.
Amendments 4 and 5 would insert specific security requirements into the Bill. As several noble Lords mentioned at Second Reading, it is important that technology regulation enables the Government to respond to changes in threat and technology, and to the regulatory landscape. That is precisely why the Bill does not contain details of the requirements that the Government have assured industry they will set out.
Perhaps the Minister should consult whoever drew up the legislation that managed to mandate that televisions should be updated for firmware and software for up to eight years after they have stopped being manufactured. Clearly, those people managed to find consensus among the industry—or decided to ignore consensus—and deliver something. If it can be done for electrical display devices, such as televisions, I do not see why it cannot be done here if there is a will to do it. However, I think the Minister is telling us that there is no will to do it.
The noble Lord referred to mandatory minimum support periods for electronic display items and the Ecodesign for Energy-Related Products and Energy Information Regulations 2021. It is not quite correct to say that those requirements are applicable. They ensure that the last available security update continues to be available for at least eight years after the last unit of a product has been placed on the market but the requirement does not ensure that manufacturers continue to provide new security updates over that period to ensure that the product remains secure in response to changing threats.
I did not say that those requirements are applicable; I implied that they are analogous. Frankly, the fact that there is some mandating of security support after the product has stopped being manufactured is a heck of a lot better than the situation for all the connectable devices we are currently talking about, where there is no requirement at the moment.
I do not think that they are quite analogous. As I say, it is about the requirement to keep the last available updates available to consumers for eight years rather than evolving them. We do not yet consider that there is sufficient evidence to justify minimum security update periods for connectable products, including display equipment—certainly not before the impact of the initial security requirements is known.
It is important to stress that, as consumers learn more, they will expect more. This will drive industry to respond to market pressure. If the market does not respond to this effectively, the Government have been clear that they will consider the case for further action at that point, but we think that consumer expectation will drive the action we want to see in this area.
Amendment 3, tabled by the noble Lords, Lord Clement-Jones and Lord Fox, refers to children. All noble Lords will agree, I am sure, that protecting children from the risks associated with connectable products is vital. I assure noble Lords that the security requirements we will introduce are designed with consideration for the security of all users, including children, alongside businesses and infrastructure. The Bill already gives the Government the flexibility to introduce further measures to protect children, whether they are the users of the products or subject to other people’s use of a product. We therefore do not think that this amendment is necessary as this issue is already covered in the Bill.
The Bill, and forthcoming secondary legislation, will cover products specifically designed to be used by or around children, such as baby monitors and connectable toys; they include Hello Barbie, which I was not familiar with but on which I will certainly brief myself further. However, we recognise that the cyber risks to children are not limited to the connectable products in the scope of this Bill; indeed, a lot of the issues referred to by the noble Lord, Lord Fox, were about the data captured by some of the technology, rather than the security of the products themselves. That is precisely why the Government have implemented a broader strategy to offer more comprehensive protection to children—including through the Online Safety Bill, to which the noble Lord, Lord Bassam, referred.
I hope noble Lords will agree that Amendment 3 is not needed to make a difference to the Bill’s ability to protect children from the risks associated with insecure connectable products—this is already provided for—and will be willing either to withdraw their amendments or not move them.
The feast of amendments in this group aim to implement the recommendations of your Lordships’ Delegated Powers and Regulatory Reform Committee. We welcome the committee’s report and are considering its recommendations, as we always do. It will infuriate the noble Lords who have asked detailed questions when I say that, ahead of setting out our response to the committee, I will not be able to cover all the issues they have pressed the Government on today. I am happy to say that we will set out our response in writing ahead of Report. Perhaps once we have done that, and noble Lords have seen the Government’s full thinking in their response to the committee, it might be helpful for us to speak in detail.
The legislation has been designed to protect people, networks and infrastructure from the harms of insecure consumer connectable products, while minimising the unnecessary regulatory burden on businesses. It does so in the context of rapid technological and regulatory change, evolving cybercriminal activities and a growing impact on people in businesses, all of which require us to ensure that the legislation can evolve quickly and effectively. The UK, as I have noted, is leading the world with its approach to regulating connectable products. As other jurisdictions increasingly turn their attention to this important issue, we will use this flexibility to achieve alignment with equivalent regulatory regimes, avoiding unnecessary duplication. These powers, and the others conferred by the Bill to make delegated legislation, are crucial for it to remain effective. We have carefully considered the number, scope and necessity of these powers, and believe we have struck the right balance between the need for that flexibility and the importance of Parliamentary scrutiny, which noble Lords rightly stressed again today.
We welcome the report of your Lordships’ committee and are considering its recommendations. I am afraid I cannot, at this stage, pre-empt our response, which has to be made while considering the recommendations’ impact on the broader framework. We will return to these matters on Report, and I am very happy to have a detailed conversation with the noble Lords about our response after we have responded to the DPRRC.
The noble Lord, Lord Fox, focused on Clauses 9 and 11. I am happy to confirm that nothing about how the powers are drawn in Clause 9 is inadvertent; this was our intent. Clause 9 contains four delegated powers; they will be used predominantly to provide administrative detail deemed too technical for primary legislation. For example, they will explain what must be included as a minimum in a statement of compliance, what steps must be taken to determine compliance, where appropriate, and for how long a manufacturer should keep a statement of compliance. They will also provide flexibility to respond swiftly to changes in the market. In addition, the delegated powers in this clause may be used in the future to provide that the statement of compliance is equivalent to certain product markings, or external conformity assessments, such that a manufacturer may be deemed to have provided a statement of compliance where such markings or assessments have been made or completed. This is dependent on regulatory changes to product markings and on the development of the assurance sector for product security.
At this stage, and awaiting our response to your Lordships’ committee, I hope noble Lords will agree that it goes without saying that the Government feel these clauses should stand part of the Bill.
I sort of thank the Minister for his response, which is really no response at all. He did say that it would infuriate me and he is fairly accurate about that.
As correctly noted, I am merely a cipher for the DPRRC, a very serious committee that does not produce these reports lightly. The point it is making, particularly on Clause 27, is front and centre to this Bill. Who is going to enforce it? Who decides who will enforce the Bill, and how will Parliament know if the Secretary of State decides not to tell it, under the current regulations? These are very serious matters and not ones that your Lordships’ House should step back from. I am sure that the Minister will, on reflection, understand that the DPRRC has a very important point to make. The others are important points, particularly around Clause 3, but the Clause 27 piece is absolutely central to the future of this Bill. That said, I beg leave to withdraw Amendment 6.
My Lords, I rise to speak to Amendment 8 in my name and that of my noble friend Lord Clement-Jones. These are two ways of doing the same thing so I support the spirit of Amendment 7, about which we have just heard from the noble Lord, Lord Bassam.
This amendment adds the following wording to Clause 7:
“Any person who is a provider of an internet service that allows or facilitates the making by consumers of distance contracts with traders or other consumers for the sale or supply of a relevant connectable product is to be regarded as a distributor for the purposes of this Act, if not a manufacturer or an importer of the product.”
This amends the language that defines a distributor in the scope of the Bill. Online marketplaces are a mainstream form of today’s retail. Which? research in 2019 found that more than 90% of the UK population had shopped through an online marketplace within the month it was polling. That has increased during the pandemic. However, its research also consistently highlighted how online marketplaces are flooded with insecure products. It has previously demonstrated issues with the lack of legal responsibility of online marketplaces for the security and safety of products sold through their platforms.
The Government have recognised the problem, in their response to the call for evidence on product safety, that current safety rules were designed to fit supply chains as they operated before the world of internet shopping. In the realm of product safety, the Government have acknowledged that this can result in the peculiar situation where no actor is responsible for ensuring product safety. This has resulted in organisations such as Electrical Safety First repeatedly finding unsafe and non-compliant products listed on online marketplaces. Therefore, the traditional conception of actors in the supply chain is now outdated.
The Bill defines “distributor” as
“any person who … makes the product available in the United Kingdom, and … is not a manufacturer or an importer of the product.”
At present, it seems unlikely that certain online marketplaces, including eBay, Amazon Marketplace and Wish.com, will be included within the scope of that definition of distributors in the Bill. This will leave, without overstating it, a sizeable gap in the regulatory scope of this market.
Given the amount of insecure tech readily available on online marketplaces, it is paramount that these platforms are given obligations in the Bill to ensure the safety and security of the products sold on their sites, regardless of whether the seller is a third party. However, the Clause 7(5) definition of “distributor” in terms of making products available on the market is in line with existing product safety law, so we know that certain marketplaces are not classed as distributors and hence not obligated to take action. Amazon Marketplace, Wish.com and eBay are marketplaces where other people are selling; this is the issue.
This amendment seeks to expand the definition of distributors in Clause 7 to include appropriate online retailers, such as listings platforms and auction sites, including eBay, Amazon Marketplace and AliExpress. I feel sure that the Minister did not intend for the legislation to miss these marketplaces out; rather than risk this loophole going any further, we will work with the Minister and Her Majesty’s loyal Opposition to come up with some wording that absolutely iron-clads the Bill to ensure that these sorts of marketplaces are also included.
I am grateful to noble Lords for speaking to their amendments in this group, both of which seek to make online marketplaces a “distributor”. It is vital that all products offered to consumers are secure, including those listed through online marketplaces, and we want to ensure that this is achieved in the most efficient way.
The explanatory statement for Amendment 7 suggests that products listed on online marketplaces might not be protected by the security requirements set out in the Bill. I reassure noble Lords, particularly those who tabled Amendment 7, that the security requirements will need to be met for all new connectable products offered to consumers in the UK, including those offered through online marketplaces. These marketplaces often act as a manufacturer, importer or distributor and, in those cases, they are subject to the same duties and security requirements as those three types of economic actor. If, however, the online marketplace does not fall into one of these three categories, the manufacturers, importers and distributors of those products are all still fully responsible for complying with security requirements.
This has piqued my interest; how does this exercise relate to the Bill? This process of dealing with the online acquisition of unsafe products would seem to be what the Bill is doing front and centre, so what is that process? How do the two connect?
They are complementary; the new product security framework sits alongside existing legislation on product safety, which is why we want to conduct a review of the safety framework and publish the consultation. I am certainly happy to write and endeavour to explain.
The noble Lord asked whether products sold through online marketplaces fall into a gap in the Bill. The Bill requires in-scope products offered for sale through online marketplaces to customers in the UK to be as secure as in-scope products sold, for example, in physical stores. We are mindful of the variety of services offered by different online marketplaces. Some act only as advertising platforms, while others facilitate transactions and store and ship products on behalf of the seller. As noble Lords have noted, this changes all the time. This must be carefully considered to ensure that businesses can comply with their legal obligations and that any regulation is necessary, appropriate and proportionate to provide the best protection to consumers.
I am sorry to keep popping up; being a practical person, I will try to give the Minister a scenario and, if he cannot answer straightaway, he can write. I have bought a product through an online auction that turns out to be unsafe; I go back to the auction site, which tells me, “Not my problem. You have to return to the international manufacturer which made this product”, which turns out to be a brick wall and nothing comes back. First, is that online auction site correct in handing me over to the international manufacturer, which turns out to be a dead end? Secondly, if that site is correct, to whom do I go? Do I go to my local council trading officer or to the person who, under Clause 27, has been mysteriously made the enforcer for the Bill? I may or may not know who they are. How do I seek redress, and from whom?
I will try answer the noble Lord’s question, and I am happy to write with further detail. Products sold on online marketplaces are covered by the Bill. All products sold to customers in the UK will have to comply with the security requirements set out under this framework. Where a product is sold on a third-party online marketplace, the seller will be responsible for ensuring that it is compliant. Third-party sellers who sell new products directly to customers on those platforms will also be covered under the “distributor” definition. I will happily write to the noble Lord with further detail ahead of Report but I hope that, for now, that goes some way towards addressing his question.
(2 years, 5 months ago)
Lords ChamberAt the risk of a philosophical debate on the nature of security versus safety, I accept some of the points that the noble Earl makes. There are distinct differences between our approach to product security and existing product safety as set out in consumer legislation, but I will address myself to that philosophical point in the letter, if I may. For now, I ask the noble Lord to withdraw Amendment 14.
I hope that the Minister will take some time to read my speech in Hansard and address the issues that I have raised, because there are some specific points that have not been touched.
A lot of this has come from Which? whom I thank for its help. Which? is an extraordinarily experienced organisation, with some of the country’s most experienced consumer lawyers dealing with the sharp end of customer consumer problems. The fact that it has gone to the trouble of raising these issues should raise a red flag. It is not doing it out of mischief or political intrigue, but because it cares about the future of consumers. For that reason, the department needs to take this seriously.
If the Minister requires a meeting with Which? I am sure that I, the noble Lord, Lord Bassam, or the noble Baroness, Lady Merron, will be very happy to broker one. We could then go through some of these consumer issues. This is an organisation dedicated to protecting the needs of consumers. It has gone to the trouble of flagging up this and several other issues. For that reason, for the future of this Bill, it would be very sensible to take Which? seriously.
That said, I beg leave to withdraw Amendment 14.
As the noble Baroness says, this begins to anticipate some issues to which I know we will return on the second day of Committee, but it is useful to begin them tonight.
Amendment 17 seeks to insert a new clause after Clause 57 of the Bill. Its purpose is to add an extra element to the test at paragraph 21 of the code, where an operator enters into a new agreement because of the provisions in Clause 57. This is likely to be in circumstances where an operator in occupation of the land on which its apparatus is installed has an existing agreement but wishes to seek an additional code right. The code currently provides that operators in exclusive occupation of land are unable to obtain additional code rights until their existing agreement is about to end or has ended. This is because the code currently provides that only an occupier can grant code rights, and the operator clearly cannot enter into an agreement with itself.
Clause 57 remedies this position and allows an operator to obtain code rights where it is in exclusive occupation of the land. The test at paragraph 21 of the code is often referred to as the public interest test and sets out what a court must consider when deciding whether to impose a code right on a landowner. Paragraph 23 then sets out how the court should determine the remaining terms of the code agreement. Clause 57 simply gives an operator the ability to obtain a new code right or rights that they do not already have. The clause does not allow an operator to force changes to its existing code agreement or to compel the other party to modify any of its terms—for instance, to attempt to reduce the amount of rental payments. Furthermore, the clause does not enable an operator to bring an existing agreement to a premature end in order to take advantage of more favourable terms. Any existing code agreement that the operator has will be expected to continue and operate alongside the agreement relating to the new code right.
Amendment 17 seeks to expand the test at paragraph 21 so that the court also has to consider the terms of any existing agreement and any other method of statutory renewal available. We are, however, of the view that the court can already take such matters into consideration when deciding whether to make an order under paragraph 20 of the code, and again when applying the test at paragraph 23 to determine what terms the code agreement should contain.
This is a topical issue. Clause 57 rectifies an issue in the code that currently prevents operators who are in exclusive occupation of the land being able to obtain new code rights. As I said, three cases have touched on this issue, all of which were heard in the Supreme Court earlier this year, and the Supreme Court is due to hand down its judgment tomorrow.
At present we believe that Clause 57, as drafted, achieves its intended objective, but we recognise that this is a complex and technical area, on which the noble Lord, Lord Fox, valiantly conveyed the expert view of the noble Earl, Lord Lytton, and it is imperative that any unintended consequences are avoided. We will of course look closely at the Supreme Court’s judgment and carefully consider whether further amendments are needed, engaging with interested parties as required to ensure that the aim of the clause is fully realised.
I too am very conscious that the noble Earl, Lord Lytton, with whom we have already had some discussions on this and broader aspects of the Bill, will want to join those discussions, so I am sure he will be following the official record. But I am very happy to meet the noble Lords who have spoken, as well as the noble Earl, to discuss this issue in further detail, particularly once we have seen the judgment. For now, I urge the noble Lord to withdraw the amendment.
I thank the Minister for his response, during which he said that the department is of a view. When I was speaking for my part, rather than for the noble Earl, I made it clear that there were quite strong opinions that that view might not be correct. Three cases are to be judged tomorrow, before this Bill is enacted, so although it may have some relevance, it will potentially —and in the views of the people we have spoken to, almost certainly will—end up back in the courts.
We share the objective of the noble Baroness, Lady Merron, that the rollout be accelerated, not inhibited. We also share the view, as expressed in the not very veiled threat in the part of my speech on behalf of the noble Earl, Lord Lytton, about what the 1963 rent Act did, which was clog up the system. We do not want to do that—we cannot afford to clog up the rollout. There are strong suspicions that, without giving the legal certainty we need to avoid getting tangled up in the courts, we will be back there again, notwithstanding the judgments of tomorrow. That said, I beg leave to withdraw Amendment 17.
(2 years, 5 months ago)
Lords ChamberThe noble Lord is eager to hear answers to questions to which I may yet turn; on some of them I will write. Work has been done to identify the regulator, but it would not be right to refer to that person at this stage and ahead of Royal Assent. I will write to the noble Lord on the other points he mentioned. I talked just now about our approach, through secondary legislation, to future-proofing and the reasons for not setting out the first three principles in the Bill. We have set out what those standards will be up front.
My noble friend Lord Holmes of Richmond spoke about the important issue of digital inclusion and skills. We run programmes to give young people the opportunity to learn digital skills and to improve their cybersecurity. More than 100,000 young people have participated in these programmes. We have expanded that with a new online training platform, Cyber Explorers, which aims to engage 30,000 young people, and DCMS funded the creation of the UK Cyber Security Council to create professional standards and pathways for cybersecurity.
The noble Lord, Lord Fox, asked about Huawei equipment in our infrastructure. The Government have undertaken a consultation with the industry on the designation of Huawei as a high-risk vendor and proposed directions relating to Huawei goods and services. The responses we receive will inform any final post-consultation decision on whether to issue the designation notice and direction. The Government have also undertaken a public consultation on a set of draft electronic communications security measures regulations and a draft code of practice, the outcome of which will be published in due course.
It was the “in due course” bit that I was interested in. In other words, what is “in due course” in this case—months, weeks, days, years?
I am afraid I am not able to elaborate further than “in due course” at this point, but if I am able to before Committee I will come back with more particulars. The final regulations and code of practice will be laid in Parliament later this year using the negative procedure, as required by the Telecommunications (Security) Act.
The noble Baroness, Lady Merron, asked about the knock-on effect of telecoms operators’ reduced rental payments on the funding of community organisations. It is important to note that the funding for such organisations should not be reliant on telecommunications. There are many funding streams, not least from the Government, to support them and their important work. The National Lottery Community Fund is the largest non-government funder of community activity in the UK and one of the largest arm’s-length bodies that DCMS sponsors. Officials at the department work closely with the National Lottery Community Fund to ensure that it continues to support the evolving needs of civil society organisations. Over the last five years, the fund has distributed £3.4 billion.
The noble Baroness talked particularly about sports clubs. The Government very much agree that sports and physical activity are critical for our mental and physical health, which is why we provided an unprecedented £1 billion of financial support to sport and leisure organisations during the pandemic. We will ensure that community groups continue to get the support they need.
I shall write to the noble Lord, Lord Clement-Jones, on the points that he highlighted that I have not addressed today. I would, of course, be very happy to speak to any noble Lords who would like to talk about any of the issues in the Bill in further detail. I am very grateful to my noble friend Lord Hunt of Wirral and to the noble Baroness, Lady Merron, and the noble Lord, Lord Bassam of Brighton, as well as the noble Lords, Lord Fox and Lord Clement-Jones, for the engagement that we have had in detail already. I would be more than happy to hold further discussions and talk in greater detail between now and Committee.
My noble friend Lady McIntosh of Pickering offered to furnish me with the details of some of the unused masts in North Yorkshire, and I would be very glad to receive them and take them forward to discuss with officials.
(3 years, 1 month ago)
Lords ChamberMy Lords, I thank the noble Lords, Lord Clement-Jones and Lord Fox, for the amendment standing in their names, and I thank the noble Baroness for welcoming me to the Dispatch Box in my new role.
The question underlying this group is whether the new telecoms security framework will have proper scrutiny. Noble Lords have proposed ways to strengthen that scrutiny throughout the passage of the Bill and your Lordships’ Constitution Committee and Delegated Powers and Regulatory Reform Committee have made their own recommendations, and I thank those committees for their work.
In Committee, the noble Lord, Lord Clement-Jones, invited the Government to make a trade-off, a choice, in his words, between
“a loose definition of ‘security compromise’”
and
“a very tight way of agreeing the codes of practice.”—[Official Report, 13/7/21; col. GC 487.]
With that in mind, I turn first to Amendments 3, 4 and 5 in my name—although I should stress, as the noble Baroness, Lady Merron, kindly did, that they also represent the work of my predecessor, my noble friend Lady Barran. We both listened to the arguments put forward in Committee and these amendments represent her views as well as mine.
We have carefully considered the concerns raised and, as the noble Lord, Lord Clement-Jones, invited us to do, we have proposed how to make that trade-off. The government amendments we have brought forward today affect Clause 3. It provides the Secretary of State with the power to issue and revise codes of practice. The code of practice is a fundamental building block of the new telecoms security framework as it will contain specific information on how telecoms providers can meet their legal duties under any regulations made by the Secretary of State.
In its report on the Bill, the DPRRC noted the centrality of codes of practice to the new telecoms security framework. The committee drew attention to the statutory effects of codes of practice and their role in Ofcom’s regulatory oversight, and because of those factors, the committee recommended that the negative procedure should be applied to the issuing of codes of practice. The noble Baroness, Lady Merron, tabled amendments in Committee to implement that recommendation. We are happy to do that. Our amendments today require the Government to lay a draft of any code of practice before Parliament for 40 days. Your Lordships’ House and the other place will then have that period of time to scrutinise a code of practice before it is issued.
We think that these changes strike the balance that noble Lords have called for today and in previous stages. I hope these government amendments demonstrate that we have listened and are committed to appropriate parliamentary scrutiny across all aspects of the framework.
Amendment 1, tabled by the noble Lords, Lord Fox and Lord Clement-Jones, would apply the affirmative procedure to regulations made under new Section 105B in Clause 1. It would require the regulations to be laid in Parliament in draft and subject to a debate and vote in both Houses.
I share the noble Lords’ desire, echoed by the noble Lord, Lord Alton of Liverpool, to ensure that Parliament has a full and effective scrutiny role in this Bill, but I fear we disagree on the best way to achieve it. The only powers in the Bill that are subject to the affirmative procedure are delegated, or Henry VIII, powers that enable the amendment of penalty amounts set out in primary legislation. The Bill currently provides for the negative procedure to be used when laying the statutory instrument containing the regulations.
In the context of these new powers, the use of the negative procedure is appropriate for three reasons. First, Parliament will have had to approve the clauses in the Bill that determine the scope of regulations—Clauses 1 and 2—and the regulations will not amend primary legislation. Secondly, evolving technology and threat landscapes mean that the technical detail in regulations will need to be updated in a timely fashion to protect our networks. Thirdly and finally, as I noted in Committee, the negative procedure is the standard procedure for instruments under Section 402 of the Communications Act. The negative procedure delivers the right balance between a nimble parliamentary procedure and putting appropriate and proportionate measures in place effectively and efficiently to secure our networks.
The two noble Lords will also be aware that the changes they propose in their amendment are not ones that the Delegated Powers and Regulatory Reform Committee made. I accept that they are keen to explore avenues for scrutiny of this framework, but that committee made its recommendation for increasing the scrutiny of this regime, and the Government have brought forward our amendments to accept it. For these reasons, we are not able to accept the noble Lords’ Amendment 1. I hope that they will be content with what we have proposed in our amendment, and may be minded to withdraw theirs.
In conclusion, the Government were asked to make a trade-off. Through the passage of this Bill, we have been invited to provide greater opportunities for Parliament to scrutinise this regime. We have listened to those concerns and we have brought forward an answer. We feel that our amendments maintain our flexibility to adapt to an ever-changing technology environment and give your Lordships’ House and the other place a greater say in its operation, so I invite the noble Lord to withdraw the amendment.
My Lords, it was remiss of me not to welcome the Minister formally; I have welcomed him personally, but not formally. Also, it was helpful that he was the Whip during the process thus far, and I should also welcome the new Whip to his seat. I thank the noble Lord, Lord Alton, and the noble Baroness, Lady Merron, for their contributions. The fact that this has been a short debate does not mean to say that it is not an important one. The reason it is short is because we have had the same debate so many times on so many different Bills, with not just this department but others. That is why it is an important issue and why, when the Minister says that we should strike a balance, we agree, but we think the balance is in the wrong place. That is why I am unable to withdraw this amendment and I should like to test the will of the House.
My Lords, veterans of the National Security and Investment Bill—I am not sure there are any—will recognise this amendment: it is exactly the same argument that was put forward then. The response from BEIS was to set up a unit, within BEIS, that the relevant Minister said would have the necessary clearance to review potential national security information. It was quite clear to those in your Lordships’ Chamber at that time that that group of people would not get to see the sort of information that the ISC is cleared to see. We are in the same situation now. The Minister will say that there are people in his department who, if necessary, will be able to see the relevant information. That will not be the case and to some extent, those in the Minister’s department making decisions that refer to national security issues will be flying a little bit blind. If this is not recognised, that is regrettable. This is a really important area of security, and decisions should be made on the best available information, with the best available people reviewing that information. The clue is in the name: this is the Telecommunications (Security) Bill, and it is the Intelligence and Security Committee that is best able to review that information. That is why I support the noble Lord’s Amendment 9.
My Lords, I thank the noble Lord, Lord Coaker, for his kind words of welcome and for tabling this amendment. The important matter of parliamentary oversight has been raised a number of times in both your Lordships’ House and another place. I welcome the opportunity to clarify further how appropriate oversight of the Bill’s national security powers will be provided for both in this Bill and through existing mechanisms. The noble Lord’s amendment would require the Secretary of State to provide the Intelligence and Security Committee with copies of a directional notice when such documents, or parts of them, are withheld under Section 105Z11(2) or (3) in the interests of national security.
As regards enforcement, this amendment would also require the Secretary of State to provide the committee with copies of notifications of contraventions and confirmation decisions. Further, it would require the provision of reasons for giving urgent enforcement directions when withheld under Section 105Z22(5), as well as the reasons for confirming or modifying such directions when withheld under Section 105Z23(6).
We thoroughly agree with the need for effective scrutiny of the use of the Bill’s national security powers—that is why we have included measures to facilitate parliamentary oversight of the use of those powers. The Bill requires the Secretary of State to lay before Parliament copies of designation notices, designated vendor directions, and variations or revocations of either, unless doing so would be contrary to the interests of national security. We would expect in the vast majority of cases to lay copies of the directions and notices before Parliament. However, on very rare occasions there may be instances where the Secretary of State chooses not to do so because laying the documents would be contrary to the interests of national security. This would only be done in extremis.
We have already demonstrated our commitment to transparency with the publication of the illustrative draft designated vendor direction and designation notice last November. Indeed, it is in the Government’s interest to publish such documents as it sends a clear message to industry of our intent to use the powers in the Bill where necessary. However, while the presumption is to publish the directions and notices, it is right that we have the option to protect the UK if our national security could be put at risk through their publication.
It is worth noting that, under Section 390 of the Communications Act 2003, the Secretary of State is required to prepare and lay before Parliament annual reports on their functions under that Act. Those reports will show when the Bill’s national security powers have been exercised, whether or not copies of directions or notices are laid before Parliament. This will ensure that Parliament will always be made aware of the Secretary of State’s use of the national security powers to issue designated vendor directions and designation notices.
Having thus been made aware, the Intelligence and Security Committee will be able to request relevant information from the vital organisations it already oversees, such as the National Cyber Security Centre. Moreover, the ISC will be able to request such information at any time from the NCSC in relation to its assessment of high-risk vendors. The noble Lord is right to point to the importance of the committee. Given the cross-party support he enjoys, he knows better than most, as a former Security Minister, the important work it undertakes. The ISC will be able to do the work I have just outlined in line with its remit, as set out in the provisions of the Justice and Security Act 2013 and accompanying memorandum of understanding.
At Second Reading, the Noble Lord, Lord West, noted that the ISC had made a request for its memorandum to be formally reviewed. I understand that the chairman of the ISC has written to the Cabinet Office on these matters and that they are under consideration. Discussions and decisions regarding any changes to the ISC’s remit are of course for the Cabinet Office and the ISC to agree. That is the appropriate route for the ISC’s remit to be considered, not this Bill.
As I am sure noble Lords will appreciate, however, the advice of the security services will not be the only factor that the Secretary of State will take into account when deciding what is proportionate to include in a designated vendor direction. As well as the NCSC’s advice, the Secretary of State will consider, among other things, the economic impact, the cost to industry and the impact on connectivity of the requirements in any designated vendor direction. Those go beyond security matters and indeed fall under the work of DCMS; therefore, the Digital, Culture, Media and Sport Committee is best placed to consider those wider impacts. Hence, that is the appropriate body to oversee the Government’s use of the powers to issue designation notices and designated vendor directions, including where those directions and notices are not laid before Parliament. The Government will work with the committee to ensure that it has access to all the information it needs to carry out that oversight.
Those are the reasons why the Government cannot accept the amendment. I hope that the noble Lord will be content to withdraw it on that basis.
(3 years, 4 months ago)
Grand CommitteeOnce again, this is a short but important debate, and one of a continuing series. In response to the noble and gallant Lord, Lord Stirrup, we had a short discussion that, to some extent, was crying over spilt milk about why industrial capacity in telecommunications in the United Kingdom is where it is. I think the noble Earl, Lord Erroll, largely agrees with me that it is to do with the purchasing decisions made by near-monopolistic private sector companies based on price. If that is not a lesson for the Government to take forward, we are all doomed anyway.
To turn to the detail of these two amendments, as both the noble Baroness, Lady Merron, and the noble and gallant Lord, Lord Stirrup, have set out, they are about people. Without overrepeating it, I come to the point I was talking about earlier, which is that BEIS is going through a similar process. It is setting up a unit that is supposed to scan the entire industrial landscape for supposed security problems and alert the Minister to decisions that should be made about the future of those companies. These people will have many of the same skills and face many of the same issues, going forward.
First, does the Minister think there is a sufficient pool of people available to cover both these units? Is it sensible to have two units operating in parallel to, and probably in isolation from, each other, with the BEIS unit setting up a telecoms capability, which DCMS will also have? Perhaps the Minister can tell us what conversations are going on between DCMS, Ofcom and BEIS to avoid that duplication. We have already heard that there are too few people so, frankly, it does not make much sense to have two departments competing for the same people.
More broadly, the noble Baroness, Lady Merron, is completely correct that there is a huge issue with the availability of people. Unless the Government pick up major programmes to train and retrain people and look at skills that are completely necessary to move forward, we will be left high and dry without the skills we need to create the sorts of industries that the noble and gallant Lord, Lord Stirrup, suggested we need. That will take time, so perhaps the Minister can say what the plan is. What is the process and what discussions are going on with trainers, universities and employers to deliver the skill set we need?
Of course, we would want to review all this annually, which is why these amendments are here, so the Government necessarily come to Parliament to explain how they are getting on and what they are doing. I am sure the Government do not want us to be suspicious of what they are doing, and the best way to avoid that suspicion is to be open and transparent, rather than try to operate in a black box.
My Lords, these amendments, both tabled by the noble Baroness, Lady Merron, highlight the two important issues that our short debate covered—the role of Ofcom in relation to the Bill; and skills and training, and their effect on telecoms security. I am pleased to have the opportunity to outline some of the work that has already been done in these areas, which I hope explains why we consider these amendments not to be needed.
Amendment 26 would require the Government to complete a review of, and publish a report on, the impact of levels of skills and training on the security of the telecoms network and supply chain. It would require the Government to publish the report within six months of Royal Assent.
The Government certainly agree that it is crucial that public telecoms providers and organisations such as Ofcom have access to people with the skills that they need to keep our networks safe. DCMS published research this year as part of its annual survey, Cyber Security Skills in the UK Labour Market, which found that 50% of UK businesses have a basic technical skills gap. It also found that they do not have confidence in their ability to carry out basic cybersecurity functions and do not outsource these skills.
That is why the Government have a range of programmes already in place to support the growth of cybersecurity skills. Over the past five years, work funded by DCMS has supported over 160,000 young people to forge a career in the cyber sphere. The department has also funded a range of schemes to help adults or career changers to acquire new skills, most recently through the Cyber Launchpad initiative and projects sponsored through the fast track digital workforce fund.
Clearly, there is still much more work to be done to close the cyber skills gap. However, we are making progress. When compared with the 2018 survey, Cyber Security Skills in the UK Labour Market 2021 found that organisations were less likely to report a basic cyber skills gap in areas such as firewall configuration, restricting administrator rights and patching.
Specifically on skills in the telecoms sector, we know that telecoms providers need to have access to people with the right skills to ensure that their networks and services are secure, as the noble and gallant Lord, Lord Stirrup, rightly said. That is why we are creating a pipeline of these skills for the future, with telecoms apprenticeships currently available across the sector, and over 4,500 people starting this year alone.
The creation of the UK telecoms lab, as announced by my right honourable friend the Secretary of State in the other place last November, will facilitate knowledge sharing and promote skills development in telecoms security. The lab will collaborate with DCMS, the National Cyber Security Centre, the newly established UK Cyber Security Council and industry. It will develop and deliver training packages and support the establishment of professional bodies and communities. I hope that these initiatives demonstrate how seriously the Government take the task of supporting telecoms skills, and cyber skills in particular, and why we feel that the review proposed in the amendment is not needed.
I will speak more broadly about our skills agenda. The Department for Education has targeted specific investment in key areas of learning, such as science, technology, engineering and mathematics—STEM—and technical and digital subjects, which could support careers in telecoms. That includes: £2.5 billion of investment in the national skills fund to support adults to retrain and gain the skills they need for the future; nearly £2.5 billion made available for high-quality industry-designed apprenticeships; £500 million a year towards T-levels; up to £290 million to establish institutes of technology across the country, which will be the pinnacle of technical training; and a new £18 million growth fund to support further and higher education providers to expand high-quality higher technical education.
The noble Baroness, Lady Merron, asked about the impact of skills on the removal of Huawei equipment. We have no plans or intention to delay the 2027 target for the removal of Huawei equipment from 5G networks. Indeed, BT, for example, has already shared in the media that it is making good progress on removing Huawei from 5G networks, starting in Hull. We believe that we are on track.
Amendment 23 would require Ofcom to publish an additional statement as part of its annual report, under paragraph 12 of the Schedule to the Office of Communications Act 2002. This statement would contain information about the adequacy of Ofcom’s resourcing, and telecoms providers’ compliance with their security duties. It would also contain Ofcom’s assessment of any future or emerging risks to telecommunications networks, identified by interrogating telecoms providers’ asset registries.
I reassure the Committee that this amendment is also not needed. The Bill already contains a range of reporting mechanisms that will ensure that Ofcom’s role can be properly scrutinised. I will address three of these mechanisms in particular.
First, Ofcom will need regularly to report to the Secretary of State under new Section 105Z, providing information to assist him with the formulation of policy on telecommunications security. New subsection (4)(a) makes it clear that this report must include information on providers’ compliance with the duties imposed on them by the Bill.
Secondly, Ofcom will need to report on telecoms security in its annual infrastructure report. Clause 11 specifies that this should include information on the extent to which providers are complying with their security duties under new Sections 105A to 105D. Thirdly, by virtue of Clause 14, the Secretary of State will need regularly to report to Parliament on the effectiveness and impact of the new telecoms security framework.
The amendment would address three issues. I will take each in turn. The first concerns Ofcom’s resources, on which the noble Baroness, Lady Merron, began. As my noble friend the Minister mentioned at Second Reading, Ofcom’s security budget for this financial year has been increased by £4.6 million. This funding will allow Ofcom more than to double its headcount of people working on telecoms security, ensuring it has the necessary capacity to deliver its new responsibilities under the Bill. The noble Baroness asked specifically about staffing. Ofcom will work with a recruitment partner to secure the specific cyber skills needed to implement this work. This will include seconding in technical expertise to develop its capability further.
As we discussed earlier in the Committee, Ofcom will also work closely with the NCSC, which will share its expertise to support Ofcom’s implementation of the new regime. The noble Baroness mentioned the relationship between Ofcom and the National Cyber Security Centre. As she noted, the two organisations are in the process of developing a memorandum of understanding and have published a statement summarising how they intend to work together. The three key principles set out in that statement are, first, that the NCSC will provide expert technical cybersecurity advice to Ofcom to support implementation of the new telecoms security framework; secondly, that Ofcom and the NCSC will exchange information where necessary and permitted by law; and, thirdly, that the NCSC will continue to provide incident management support during serious cybersecurity incidents to telecoms operators and to Ofcom as necessary. That statement can be found on Ofcom’s website.
The second area of the amendment is a requirement for Ofcom’s annual report to include information on providers’ compliance with their duties under new Sections 105A to 105D. This reporting would duplicate provisions elsewhere in the Bill. Ofcom is already required to report publicly on providers’ compliance with those duties in Clause 11.
The final point in the amendment is about publishing information on emerging and future security risks. This has also been accounted for in the Bill. New Section 105Z(4)(f) already requires that Ofcom report to the Secretary of State any emerging risks it becomes aware of in its annual report on security. The noble Baroness asked about informing the public. It would be at the discretion of the Secretary of State whether to publish this information.
I can assure the Committee that Ofcom takes a forward-looking approach to regulation to ensure that it is robust in the face of market and technological developments. For example, its recent Technology Futures report looked at innovative technologies that will shape the communications industry, with input from the world’s leading technologists.
I hope that I have provided assurance that adequate and detailed reporting requirements for Ofcom are already outlined in the Bill. As I have set out, it already includes provision for reporting on Ofcom’s work, so additional requirements about skills and training are not necessary. I hope that the noble Baroness will therefore be content not to press her amendments.
(3 years, 4 months ago)
Grand CommitteeI thank the Deputy Chairman and apologise for speaking across him. I am a bit intrigued by the comment of the noble Lord, Lord Parkinson, on the subject of legal enforceability. He is correct to say that, as new Section 105H states, the
“provision of a code of practice does not of itself make the provider liable to legal proceedings”
—but it would not be liable only when the provision was not in force in time or when it was not legal. However, you would not bring a legal case anyway when it was not relevant or in force, so, to all intents and purposes, where the code is in force and relevant, it is legally enforceable. Therefore, it is legally enforceable.
First, if I may, I will take back the point made by the noble Lord, Lord Fox, about new Section 105H under Clause 3; I will write to him to, I hope, alleviate any concerns and confusion. There are certain legal effects set out; I will write to him to clarify the point about legal enforceability.
I am grateful to the noble Lord, Lord Clement-Jones, for his appreciation. Part of the confusion here may be that two technical advisory boards are mentioned in these groups of amendments. As I think he noted, the one set up under RIPA has a different function, but we are certainly not being dismissive of the points that have been raised. Indeed, as I said, we have spoken to the industry and received helpful feedback from telecoms providers on the illustrative draft measures that were published in January. We will also be glad to look at the information that he mentioned—the views that have come his way—to make sure that these are reconciled; if he is happy to share them, we will look at them and come back him.
(4 years, 6 months ago)
Lords ChamberI thank noble Lords for their brevity in outlining the purpose of this probing amendment. I shall try to be similarly brief in response.
I certainly welcome the intention behind this amendment—namely, to clarify which premises other than multiple-dwelling buildings such as blocks of flats might be in scope of the Bill and why. The decision initially to include only multiple-dwelling buildings is deliberate. It was informed by careful consideration of the evidence that was made available to us, not least through the consultation that was held before the Bill was drawn up and introduced. That evidence indicated that specifically this type of premises—multiple-dwelling buildings—most needed the sort of targeted intervention that is proposed in the Bill. We were not, by contrast, presented with compelling evidence for other types of property at this stage and certainly not enough to justify legislating at this point. However, we recognise that such evidence might emerge in time and we are mindful that office blocks or business parks, which the noble Lord, Lord Clement Jones, mentioned, could face similar issues. We continue to engage with providers and others about this.
The noble Lord, Lord Clement-Jones, asked how far our ambition stretches: as far as the evidence suggests. This is why we have included a clear power in the Bill for the Secretary of State to make regulations, should they be needed, to widen the scope of the Bill and make it apply to other premises of a specified description. That will allow the Secretary of State to legislate in a flexible and proportionate way, led by the evidence. This approach will allow the Government to continue to engage with interested parties, as well as to consider and balance the evidence that becomes available to us. Crucially, it will also help to guard against any unintended consequences that could arise from widening the scope of the Bill too quickly, before there is sufficient evidence to support doing so.
The noble Lord raised a point about new-build developments. The Government have set out plans to ensure that new-build homes in England are built with gigabit broadband by amending the 2010 building regulations to require developers of new-builds to install the infrastructure necessary to make them gigabit-capable. As we set out in our consultation response published on 17 March this year, the Building Act 1984 contains the necessary primary powers that would mandate the installation of gigabit broadband in new build developments. To include the new-build developments in the Bill in the way proposed by this amendment is therefore unnecessary, and could hamper the simple and proportionate approach we have set out in the consultation response.
I should add that, as housing is a devolved matter, the Government are also working closely with the devolved Administrations on this. I hope that I have been able to demonstrate that we have firm proposals in place to address the issues raised, and that the noble Lord will feel able to withdraw his amendment.
I thank the Minister for his response. I shall be brief. The Minister talked about the absence of overwhelming evidence and said that, if this evidence were to come to light, we would be treated to a statutory instrument in order to implement or extend this Bill. What in the Government’s view is overwhelming evidence? What actually constitutes evidence that people require this? It is quite clear that people living in the wider group of residences as set out by my noble friend Lord Clement-Jones want access, so what do they have to do to overwhelm the Government in order to bring forth one of their statutory instruments?
My Lords, we have tried to strike a balance in the Bill so far between the requirements and the desires of providers and of course the rights of those owning property. At the moment, the evidence suggests that there is a distinction between multiple residential dwellings––where the owner of the building is perhaps not as easily contactable or is not responding––and business parks, for instance, whose owners seem to be more alert to requests from providers and are therefore responding in a more timely fashion to requests. However, if the evidence suggests that they are not, then the secondary power proposed in the Bill will allow the Secretary of State to make provisions and bring forward some statutory instrument to extend the Bill in this way, as the noble Lord, Lord Fox, says.