My Lords, this group contains two amendments that have been tabled by my noble friend Lord Clement-Jones, and I rise to move Amendment 14 and to speak to Amendment 14A on his behalf and my own. These are probing amendments to understand consumer law with this and other legislation.
It seems that the Government’s intention is that consumers will be entitled to redress under the Consumer Rights Act 2015 for breaches of the product security requirements in Part 1 of this Bill and the requirements of related future secondary legislation where breaches amount to a product not being of satisfactory quality as described or fit for purpose. However, for clarity, this will require the specific inclusion in this Bill of amendments to the CRA and other related consumer legislation. So I ask the Minister to clarify how redress will work in practice. As Which? has strongly urged in relation to the current consultation on reform of consumer law generally, collective redress should also be available for groups of consumers that have suffered breaches of the CRA relating to product security.
To help your Lordships, let us look at a typical scenario where the consumer reads a report about a security issue with a product that they own and considers it insecure and hence faulty. They try to take the product back to the retailer as redress, as per CRA 2015 rights, but under the CRA, after the first six months of ownership, the burden falls on them to prove that the fault was not of their making. It is unclear what burden of proof would be required at this stage for the consumer to get redress for security faults as described in this Bill.
The CRA places the primary obligation on retailers—as “traders” concluding contracts with consumers—not manufacturers, to remedy products found to be in breach. Due to the unique nature of security faults, it is currently unclear whether a retailer would have the ability to verify reports of faults to facilitate effective redress. Experience has shown that it has been hard when reporting security issues to retailers, and that can often result in pushback. There is a risk that the consumer will find it very hard to enact their CRA rights in practice to get redress on insecure products. In that regard, proper legal guidance for what classifies a security fault is absolutely vital for redress to work effectively.
At present, it is unclear how security updates—and hence a commitment to fix security faults that occur with smart products—interact with the CRA 2015. For example, a manufacturer could claim that it will provide four years of updates on a product at the point of sale but then renege on that; perhaps because it has gone out of business or some such reason. The product then develops a security fault that the manufacturer will not fix. It is unclear what the consumer rights would be in this scenario.
Moreover, it is unclear if the Bill effectively waters down consumer rights under the CRA. If the manufacturer claims that it will give four years of support in which it will fix security faults, how does this impact on a claim that a consumer may have under the CRA to have faults addressed—which they may be able to bring for up to six years from when they purchased the goods? If the Government are not willing to mandate minimum support periods for at least six years, this could become a commonplace problem to consumers seeking redress. The Bill must make it clear how it interacts with the CRA 2015 and associated consumer legislation in a way that gives maximum protection to consumers and does not water it down.
Finally, under the CRA 2015, after the first six months of ownership, the burden falls on the consumer to prove that a fault was not of their making. Consideration should be given to extending this period and making it easier for consumers to obtain redress for insecure products. The 2019 EU sale of goods directive has extended the burden of proof in EU member states to one year—extendable to two years by member states—from delivery of the goods. For goods with digital elements supplied on a continuous basis, the burden of proof for conformity is on the seller in relation to any non-conformity that becomes apparent during a minimum of two years, or the period of supply where longer than two years, effectively providing a minimum of two years of security support. The directive also has specific provisions requiring sellers to keep consumers informed about and supplied with updates, including security updates. Similar protections should be introduced for UK consumers.
So there is a whole heap of issues here, and these two amendments try to get some clarity. Amendment 14 seeks to clarify the relationship between the provisions proposed in the Bill and those already in law under the Consumer Rights Act 2015 and other consumer legislation. This would include defining a security issue as a fault for the purposes of consumer law and ensuring that the liability for a defective connectable product is properly defined. Amendment 14A would ensure that the provisions of the Bill will not conflict with any existing legal rights regarding the enforcement of consumer law, ensuring that redress for defective connectable products can be sought by individual consumers, as opposed to solely leaving the redress procedure to the designated enforcement body to ensure compliance.
We await detailed exposition on all this, either now or in a letter from the Minister. I beg to move.