(10 months, 2 weeks ago)
I beg to move,
That the Committee has considered the draft Online Safety (List of Overseas Regulators) Regulations 2024.
It is a pleasure to serve under your chairmanship, Mr Betts. I put on the record my gratitude to hon. Members for their campaigning and collaboration throughout the passage of the Online Safety Act 2023 and their contribution to making the UK the safest place in the world to be online. The Government are working at pace to ensure that the Act is fully operational as quickly as possible. I am therefore pleased to debate this statutory instrument, which was laid before the House in draft on 28 November last year.
The draft instrument is one of several that will enable Ofcom’s implementation of the Act. It concerns Ofcom’s co-operation with and disclosure of information to overseas online safety regulators under section 114 of the Act. Given the global nature of the regulated service providers, it is vital that Ofcom can co-operate and share information with its regulatory counterparts in other jurisdictions to support co-ordinated international online safety regulation.
In certain circumstances, it may be appropriate for Ofcom to support overseas regulators in carrying out their regulatory functions. For example, it may be beneficial for Ofcom to share information that it holds to inform supervisory activity or an investigation being carried out by an overseas regulator. That could support successful enforcement action, which in turn could have direct or indirect benefits for UK users such as preventing malign actors from disseminating illegal content on regulated services.
International collaboration will also make online safety regulation more efficient. In carrying out regulatory oversight activity, Ofcom and its international counterparts will be able to gather extensive information about regulated service providers. In some instances, it may be more efficient for regulators to share information directly, where that information has already been collected by a counterpart regulator. International regulatory co-operation and co-ordination are likely to reduce the regulatory burden on both international regulators and regulated service providers.
Section 114 of the Act builds on the existing information gateways available to Ofcom under the Communications Act 2003 by permitting Ofcom to co-operate with an overseas regulator for specified purposes. It includes powers to disclose online safety information to a regulator
“for the purposes of…facilitating the exercise by the overseas regulator of any of that regulator’s online regulatory functions, or…criminal investigations or proceedings relating to a matter to which the overseas regulator’s online regulatory functions relate.”
The information gateway addresses a small legislative gap, because in the absence of section 114, Ofcom could not share information for those specified purposes. Under section 1(3) of the Communications Act, Ofcom can share information only where it is
“incidental or conducive to the carrying out”
of its functions, subject to the general restrictions on the disclosure of information under section 393 of that Act.
The draft regulations designate the overseas regulators with which Ofcom can co-operate and share information under section 114 of the Online Safety Act. It is important to note that Ofcom will retain discretion over whether to co-operate and share information with the overseas regulators specified. The regulations designate the following overseas regulators: Arcom in France, the Netherlands Authority for Consumers and Markets, the Federal Network Agency in Germany, the Media Commission in Ireland, the eSafety Commissioner in Australia, and the European Commission.
In compiling the list of specified overseas regulators, the Department has consulted Ofcom and carefully considered its operational needs and existing relationships with overseas regulators. That will mean that the designated regulators are those with which Ofcom will be able to share information in an efficient and mutually beneficial manner. We have also considered whether the overseas regulator is a designated regulator of a bespoke online safety regulatory framework, ensuring that any information sharing is proportionate.
Another important consideration is the protection of fundamental freedoms online. For that reason, we have considered whether the autonomy of the regulator is protected in law and whether the overseas regulator and the jurisdiction that empowers it uphold international human rights.
Ofcom is an organisation experienced in handling confidential and sensitive information obtained from the services that it regulates, and there are strong legislative safeguards and limitations on the disclosure of such material. Overseas regulators that receive any information from Ofcom may use it only for the purpose for which it is disclosed. They may not use it for another purpose, or further disclose it, without express permission from Ofcom, unless ordered by a court or tribunal. Ofcom must also comply with UK data protection law, and would need to show that the processing of any personal data was necessary for a lawful purpose.
There are six bodies on the list. Is it likely that the bodies listed will change, given that the world is rather a dynamic place? It seems quite a short list at the moment.
I can confirm that we will continually review the list and update it as appropriate, in consultation with Ofcom.
As a public body, Ofcom is required to act compatibly with the right to privacy under article 8 of the European convention on human rights. As I said to my hon. Friend, we will continue to review the list of designated regulators, particularly as new online safety regimes are developed and operationalised around the world. I commend the draft regulations to the Committee and open the matter for debate.
(1 year, 2 months ago)
My right hon. Friend makes an important point. Perhaps I can come back to it in a bit more detail at the end of my comments, but I will make this point now: as I described, the measures will give a minimum level of security assurance to customers. This draft instrument is not the frontline, the arrowhead, of UK international counter-espionage; this is about ensuring that when people buy an iPhone or some such device, they can be confident that basic minimum standards have been met. It is not the basis on which we can all go to bed at night safe and secure, with the whole of UK critical national infrastructure secure. That work is being led by my right hon. Friend the Chancellor of the Duchy of Lancaster and Deputy Prime Minister.
I turn briefly to the basics of the draft instrument. First, on security requirements, the regulations mandate that manufacturers comply with the security arrangements that Parliament has set out in schedule 1. The security requirements are backed by security experts and have been consulted on extensively. In the view of the National Cyber Security Centre, which has been very involved, they will make the most fundamental difference to the vulnerability of consumer connectable products through the guidelines in the UK’s code of practice for consumer IoT security.
The first requirement bans businesses from selling to UK customers consumer smart products with universal defaults or easily guessable default passwords. Such passwords expose users to unacceptable risk of cyber-attack and allow malicious actors to compromise products at scale, equipping them with the computing power to launch significantly disruptive cyber-attacks.
Secondly, manufacturers will be required to publish, in an accessible, clear and transparent manner, the details of a point of contact for the reporting of security vulnerabilities. Despite previous Government interventions and the increasing threat of cyber-crime targeted at these products, less than a third of global manufacturers had any policy for how they can be made aware of vulnerabilities as of 2022.
The final security requirement will ensure that the minimum length of time for which a product will receive security updates is not just published, but published in an accessible, clear and transparent manner. Consumers value security and consider it when purchasing products. Equipped with the vital information mandated by this requirement, UK customers and their intermediaries will be able to drive manufacturers to improve the security protections that they offer through market forces.
I will turn to the conditions for deemed compliance. Where the security outcomes that we are seeking to achieve are entirely or partially delivered through broader international standards, the regime allows manufacturers compliant with those standards to more readily demonstrate their compliance with our security requirements. That is the intent of regulation 4, and schedule 2 sets out conditions based on analogous provisions in two leading international standards. Where those conditions are met, a manufacturer is to be treated as having complied with a particular security requirement. Colleagues will be pleased to know that we have tried to take the opportunity to reduce process-driven bureaucracy and make it easy for proper compliance to be demonstrated in the interest of consumer protection.
The excepted products protocol in the instrument sets out a list of products that we have exempted from the scope of the product security regime. First, select product categories made available for supply in Northern Ireland are exempted. That exemption ensures that the regime upholds the UK’s international commitments under the EU withdrawal agreement while extending the protections and benefits offered by the regime to consumers and businesses across the UK. Additionally, smart charge points, medical devices and smart metering devices are exempted to avoid double regulation and to ensure that those products are secured with the measures most appropriate to the particulars of their functions. To answer the point raised by my right hon. Friend the Member for Chipping Barnet, we would not want to rely on these regulations alone for the safety of medical devices; they are covered, quite rightly, by far more extensive regulations through the Medicines and Healthcare products Regulatory Agency.
I welcome the instrument in general terms, but I have a couple of quick questions. The Minister mentioned that Northern Ireland is outwith the scope of this regime because of its interaction with the European Union as it stands today. In effect, that treats Northern Ireland as not part of the United Kingdom for these purposes. Am I correct in thinking that?
Secondly, I completely agree with the cut-outs for medical devices, smart meters and so on. The Minister may need some inspiration on this, but are vehicles included in the minimum standards, given that lots of them now have autopilot systems and software updates to undertake week in, week out, and passcodes included in the software?
Those are two excellent questions. On Northern Ireland, basically the answer is no. This goes with the grain of the Windsor framework that the Prime Minister has negotiated, and it recognises that for the purposes of consumer standards, Northern Ireland is governed by the EU proposals in this space. I am delighted to say that the UK proposals are a little quicker, more agile and fleet of foot, and to some extent that might give Northern Ireland manufacturers an advantage. Perhaps I could come back to the point about vehicles; it is an important point to which the internet of things is very relevant.
The instrument also exempts laptops, desktop computers and tablets without a cellular connection from the regime scope. Engagement with industry highlighted that the manufacturers of those products would face completely unique challenges in complying with the regime. On many occasions where those products are in use, they are already subject to extensive cyber-protection standards. It is therefore not clear at this stage that including those products in the regime scope would be proportionate. However, as with so many of these things, I am happy and keen to keep a watching eye on that to ensure that we are keeping up with technology.
The administrative provisions in the SI, including those relating to statements of compliance, are uncontroversial. The regime will require that those documents are company products serving as an audit trail to enable compliance across the supply chain and to facilitate effective enforcement. We do not expect every single consumer to read all of that every time they buy a pair of speakers or any digital device, but the active intermediaries on behalf of consumers will be able to access it, and we foresee an active enforcement culture, not least online.
The product security regime, including these regulations, is the first in the world to recognise that the public has a right to expect that the products available for them to purchase are secure, and that the Government have a duty to enforce that. The measures will cement the UK as a world leader in responsibly embracing the enormous potential of emerging technology. They are a first step in the development of a framework that will keep pace with technology. I commend the regulations to the Committee.