Product Security and Telecommunications Infrastructure Bill Debate
Full Debate: Read Full DebateLord Bassam of Brighton
Main Page: Lord Bassam of Brighton (Labour - Life peer)Department Debates - View all Lord Bassam of Brighton's debates with the Department for Digital, Culture, Media & Sport
(2 years, 6 months ago)
Lords ChamberMy Lords, I am happy to move Amendment 2 in this group and will speak also to Amendment 4. I am grateful to the noble Lord, Lord Fox, for signing up to our Amendment 2. Part 1, as we have said, represents a step in the right direction on product security. The Bill is, as is increasingly the case with this Administration, a general framework Bill which will have much of the detail filled in later by regulations—a point that the noble Lord, Lord Fox, among others, has persistently made, and we have made from our Benches.
Noble Lords might say that Amendment 2 is a rather crude way of discussing the processes and timescales attached to the regulation-making powers in this part of the Bill but, as was mentioned in the previous group, we need much more information about when these regulations are going to be brought forward. Have some already been drafted? If so, can we see them in advance of Report and certainly before Third Reading? If not, why not? Do any of them need to be consulted on, and if so, what implications will this have on the implementation of new rules and systems? This is, as we have heard before, a time-critical Bill so the regulations are time critical as well and, we argue, need an early airing.
Colleagues in the Commons expressed concern that it has taken too long to get to this stage. We, too, regret that the Government have not worked to introduce some of these measures at greater speed and that more of the detail is not in the legislation, a point which the noble Lord, Lord Fox, eloquently made earlier. Surely it would have been possible to do this, given that the Bill was carried over from the previous Session.
Turning to Amendment 4, it
“seeks to place certain product security minimum standards, including the prohibition of so-called ‘default” passwords, on the face of the Bill.”
We think this is an important amendment. I credit Which? as where it draws its inspiration from. It is right that we have some core security principles in the Bill. We know that the Government have form on overpromising and underdelivering. Surely these important security matters should not be left to the whim of the Secretary of State at an undetermined point in the future. This process provides a perfectly good opportunity for us to enshrine the requirements in primary legislation, whether in the form of Amendment 4 or Amendment 5 or something else. We believe that there is a strong case for action
I do not think that they are quite analogous. As I say, it is about the requirement to keep the last available updates available to consumers for eight years rather than evolving them. We do not yet consider that there is sufficient evidence to justify minimum security update periods for connectable products, including display equipment—certainly not before the impact of the initial security requirements is known.
It is important to stress that, as consumers learn more, they will expect more. This will drive industry to respond to market pressure. If the market does not respond to this effectively, the Government have been clear that they will consider the case for further action at that point, but we think that consumer expectation will drive the action we want to see in this area.
Amendment 3, tabled by the noble Lords, Lord Clement-Jones and Lord Fox, refers to children. All noble Lords will agree, I am sure, that protecting children from the risks associated with connectable products is vital. I assure noble Lords that the security requirements we will introduce are designed with consideration for the security of all users, including children, alongside businesses and infrastructure. The Bill already gives the Government the flexibility to introduce further measures to protect children, whether they are the users of the products or subject to other people’s use of a product. We therefore do not think that this amendment is necessary as this issue is already covered in the Bill.
The Bill, and forthcoming secondary legislation, will cover products specifically designed to be used by or around children, such as baby monitors and connectable toys; they include Hello Barbie, which I was not familiar with but on which I will certainly brief myself further. However, we recognise that the cyber risks to children are not limited to the connectable products in the scope of this Bill; indeed, a lot of the issues referred to by the noble Lord, Lord Fox, were about the data captured by some of the technology, rather than the security of the products themselves. That is precisely why the Government have implemented a broader strategy to offer more comprehensive protection to children—including through the Online Safety Bill, to which the noble Lord, Lord Bassam, referred.
I hope noble Lords will agree that Amendment 3 is not needed to make a difference to the Bill’s ability to protect children from the risks associated with insecure connectable products—this is already provided for—and will be willing either to withdraw their amendments or not move them.
My Lords, this has been a useful and interesting exchange.
In my lordly world, “may” and “must” are sort of interchangeable; they were a useful peg on which to hang our discussion about the statutory instrument nature of this piece of legislation. I am somewhat reassured by what the Minister had to say about that, and acknowledge that some of the regulations were brought forward and consulted on at an earlier stage. However, we on this side of the House—I am sure that I speak for the noble Lord, Lord Fox, as well—want to see increased transparency throughout this process. So much of what is in front of us will be in secondary legislation; it is essential that we, the industry and the sector are properly consulted so that we understand exactly what we are dealing with. I make that plea at the outset.
I was pleased to hear what the Minister said about children as the primary users of particular products. I am glad that we have got beyond the “Peppa Pig” world that the Prime Minister occasionally occupies and are giving this issue proper, serious consideration. It certainly needs to be that way.
I am not entirely convinced by what the Minister said on Amendment 4. I look at our amendment; it is pretty basic, actually. It is hard to argue against setting out a particular prohibition in legislation. The ones that we have picked out for prohibition and restriction are quite important and essential. Of course, the Minister is right that those subjects will change and technology will overtake the words we use. We understand that point but we are trying to secure some basic minimum standards and protections here. Clearly, we will retreat with our amendment and give it some further thought before Report, but we may need some further persuasion on this. That said, I am quite happy to withdraw Amendment 2 and not move Amendment 4.
My Lords, Amendment 7 is also in the name of my noble friend Lady Merron. This amendment, as the notes to the Bill’s amendments set out, brings online marketplaces which allow relevant products to be listed for sale within the scope of the security requirements outlined in the Bill. We wish to express again our gratitude to Which? and others for their work in relation to online marketplaces, including, but not limited to, Amazon and eBay, which facilitate the sale of many of these products.
Research suggests that a significant number of products listed on online marketplaces could have security and privacy risks. This is prior to the introduction of the new rules for producers, importers and distributors, but it does highlight the importance of ensuring that marketplaces are subject to at least some of the new measures. Following Second Reading, the Minister kindly wrote to noble Lords, as he promised he would, and suggested that in many cases these websites will fall under “at least one” of the categories and, even if they do not, earlier parts of the supply chain will be subject to the new duties. On that basis, the Government say they will not explicitly bring marketplaces within scope of these measures but will keep the matter under review. It is disappointing that the Minister decided to rule out this change without even having this Committee debate. I hope the Minister’s response will go into more detail than the letter, and he will outline exactly what this review process will look like. Importantly, if it becomes apparent that obligations need to be imposed on these businesses, can he outline the process for achieving this? Can it be done under existing powers, or would it require an additional, albeit simple, piece of primary legislation?
This may not be a gaping hole in the Bill, but it does feel like a gap that needs to be addressed. We hope the Government will be persuaded of that in the run-up to Report stage. It is important because we do not often get legislation on this subject and we do not often get the opportunity to deal with issues such as this. I say to the Minister that we need considerable reassurance on this point because of that very fact. The Minister may say that it is all going to be down to regulations. That is not really a complete answer but we look forward to hearing his response.
My Lords, I rise to speak to Amendment 8 in my name and that of my noble friend Lord Clement-Jones. These are two ways of doing the same thing so I support the spirit of Amendment 7, about which we have just heard from the noble Lord, Lord Bassam.
This amendment adds the following wording to Clause 7:
“Any person who is a provider of an internet service that allows or facilitates the making by consumers of distance contracts with traders or other consumers for the sale or supply of a relevant connectable product is to be regarded as a distributor for the purposes of this Act, if not a manufacturer or an importer of the product.”
This amends the language that defines a distributor in the scope of the Bill. Online marketplaces are a mainstream form of today’s retail. Which? research in 2019 found that more than 90% of the UK population had shopped through an online marketplace within the month it was polling. That has increased during the pandemic. However, its research also consistently highlighted how online marketplaces are flooded with insecure products. It has previously demonstrated issues with the lack of legal responsibility of online marketplaces for the security and safety of products sold through their platforms.
The Government have recognised the problem, in their response to the call for evidence on product safety, that current safety rules were designed to fit supply chains as they operated before the world of internet shopping. In the realm of product safety, the Government have acknowledged that this can result in the peculiar situation where no actor is responsible for ensuring product safety. This has resulted in organisations such as Electrical Safety First repeatedly finding unsafe and non-compliant products listed on online marketplaces. Therefore, the traditional conception of actors in the supply chain is now outdated.
The Bill defines “distributor” as
“any person who … makes the product available in the United Kingdom, and … is not a manufacturer or an importer of the product.”
At present, it seems unlikely that certain online marketplaces, including eBay, Amazon Marketplace and Wish.com, will be included within the scope of that definition of distributors in the Bill. This will leave, without overstating it, a sizeable gap in the regulatory scope of this market.
Given the amount of insecure tech readily available on online marketplaces, it is paramount that these platforms are given obligations in the Bill to ensure the safety and security of the products sold on their sites, regardless of whether the seller is a third party. However, the Clause 7(5) definition of “distributor” in terms of making products available on the market is in line with existing product safety law, so we know that certain marketplaces are not classed as distributors and hence not obligated to take action. Amazon Marketplace, Wish.com and eBay are marketplaces where other people are selling; this is the issue.
This amendment seeks to expand the definition of distributors in Clause 7 to include appropriate online retailers, such as listings platforms and auction sites, including eBay, Amazon Marketplace and AliExpress. I feel sure that the Minister did not intend for the legislation to miss these marketplaces out; rather than risk this loophole going any further, we will work with the Minister and Her Majesty’s loyal Opposition to come up with some wording that absolutely iron-clads the Bill to ensure that these sorts of marketplaces are also included.
I am happy to include my noble friend in the replies and the letter I send. This touches on work which falls under the Department for Business, Energy and Industrial Strategy, and the points he raised, of course, fall to Her Majesty’s Revenue and Customs. We will make sure that, having consulted officials there, we provide some details of the work those departments are doing as well.
My Lords, I am looking forward to the correspondence on this; I fancy that the noble Lord’s civil servants will have a tricky job on their hands. I do not think I quite got a response to what the nature of “being kept under review” really meant, but I await word in the future.
I have been reading the Explanatory Notes, as the Minister will probably be unhappy to hear, and I can see the difficulties. In trying to ensure that the legislation is focused, rightly, on the producers, manufacturers, importers and distributors, it is hard to work round that and not capture people who are simply installers of a product. On the other hand, there are circumstances where installers are primarily responsible for the effectiveness and working of the product, and if it was not for the way they install it, it would not be effective. The terms of the contract are such that it makes that difficult.
I can see the difficulty here, but for now I am happy to withdraw our amendment. In doing so, we are equally supportive of the amendment in the name of the noble Lord, Lord Fox, because the two are contiguous in their formulation.