Product Security and Telecommunications Infrastructure Bill – in a Public Bill Committee at 11:45 am on 17 March 2022.
I beg to move amendment 7, in clause 7, page 5, line 24, at end insert—
“(5A) A person who provides an online facility through which a distributor makes a product available in the United Kingdom is also a distributor.”
This amendment would ensure that online marketplaces are considered to be distributors and are thus subject to the security requirements of the Bill.
With this it will be convenient to discuss clauses 7 to 25 stand part.
The amendment itself is fairly self-explanatory. However, I will take the opportunity to speak briefly on it in the hope of persuading Conservative Members—and indeed the Minister—to support it.
Clause 7 defines the relevant persons subject to the security requirements as being manufacturers, importers and distributors. Crucially, however, online platforms such as eBay and Amazon are not defined as falling under any of those categories. To my mind, that is both deeply concerning and preposterous, given that, under any definition, online platforms such as the two I have just mentioned are without doubt distributors themselves.
I am sure everyone in this Committee has either sold or bought something through eBay or Amazon. The oversight in the Bill has real-world consequences, as products sold on those online platforms will not be policed in the same way. That is problematic, as research by groups such as Which?—which we heard evidence from earlier this week—has consistently shown that online marketplaces are flooded with insecure products, while the Bill would do nothing to increase the legal responsibility online marketplaces have for the safety and security of products sold through them.
In tabling the amendment, we are merely expanding the number of organisations that the security requirements would apply to, in order to better protect all our constituents, which is the expressed aim of the Bill according to the Minister’s opening remarks and indeed those of the Secretary of State at Second Reading. I therefore urge the Minister and all Committee members to support the amendment.
I support my hon. Friend in pressing the amendment to a vote. As we heard from the Minister, the Bill covers quite a lot of different devices. The examples given by the Government in their impact assessment include the following:
“Smartphones; connectable cameras, TVs and speakers; connectable children’s toys and baby monitors; connectable safety-relevant products such as smoke detectors and door locks; Internet of Things base stations and hubs to which multiple devices connect; wearable connectable fitness trackers; outdoor leisure products, such as handheld connectable GPS devices that are not wearables; connectable home automation and alarm systems; connectable appliances, such as washing machines and fridges” and, as we have heard, “smart home assistants”, including things such as Alexa-type smart speaker products.
I would like to understand from the Minister why online marketplaces are not included, and how many of the devices that the Government list in their impact assessment are acquired from online marketplaces and would therefore be outside the Bill’s scope, if my hon. Friend’s amendment and the concerns Which? has expressed are right. Of the products I listed—the Government’s own list—how many are purchased through online markets and how many are purchased in a more traditional fashion? It seems likely that the numbers of products purchased online will only increase over time; I have personally purchased several of the products on that list online, and I am sure other members of the Committee have as well. Can the Minister explain in a bit more detail the Government’s thinking as to why they are excluding online distributors from the Bill, such as those outlined by my hon. Friend and those of concern to consumer organisations such as Which?
I thank the hon. Members for Ogmore and for Cardiff West, and I am happy to address their concerns. The Bill covers obligations on manufacturers, importers and distributors, but I will provide a bit more detail.
Clause 7 specifies which relevant persons will be responsible for ensuring that the security requirements are properly complied with. In that regard, a “relevant person” is defined as a manufacturer, importer or distributor of a relevant connectable product. As a result, amendment 7 is wrong to suggest that online marketplaces are exempt from this new legislation. Online marketplaces do not just offer products on behalf of third parties, but are often acting as the retailer, so in those cases the full security requirements apply. I accept that there may be instances in which the online marketplace is not the distributor. None the less, it is necessary for the third party operating in the marketplace to comply with the security requirements, and it is not just that one party who carries liability under the Bill: the manufacturer and importer also have responsibility. We think we have taken a belt-and-braces approach in that regard.
We have also worked closely with industry to make sure the regulation is proportionate and fits the wider regulatory environment for product safety. Manufacturers care a great deal about these regulatory requirements. On Tuesday, we heard from a representative of Google, who described how it works to comply with requirements in many different jurisdictions. Over the past three years, hundreds of manufacturers have engaged with my Department through the many public consultations and industry discussions we have had. The hon. Member for Ogmore gives the impression that amendment 7 would provide consumers with a vital line of defence, but that is not the case: there are already multiple lines of defence in this Bill.
It is also worth noting that consumers can never be 100% protected by regulation—a point that we have already discussed this morning. We need to have a broader approach to raising national cyber-resilience, which is why in December we published our national cyber strategy. The Cyber Aware campaign is ongoing—hon. Members may have seen the advertisements last weekend, or the ones on the radio and online this week. We also have a range of school programmes designed to reach parents and teachers in order to raise cyber-security awareness, and the Home Office, the police and the NCSC run regular campaigns at a local level in every region of the country. In relation to the comments made about Ukraine, the point is even more important because of the context in which we are operating.
Just to be clear, if, for example, I purchased a connectable baby monitor online through Amazon, but it came from a third-party supplier—which is quite common when customers are given that list of products to buy—how would the Bill impact on that device and its availability in the UK?
As I say, we are putting requirements on not just manufacturers, but the importer. The importer would be under an obligation to check whether the product fulfilled some of the requirements we would have for it, as would the distributor. I would hope that, along the chain, that product would have been checked several times to make sure it complies.
We have done a lot of work on general cyber-resilience. I will take this opportunity to add that it is also important that we as Members of Parliament try to make our constituents aware of the increasing challenges we face with cyber-resilience, and that we all need to have our own cyber-hygiene in that regard.
The amendment is well intentioned—we understand where the hon. Member for Ogmore is coming from—but it is drafted in a way that would have a much broader reach than just online marketplaces. It would impose security requirements on businesses that cannot comply with them, such as advertising platforms and website hosting services. Distributors use many online facilities offering a vast array of cloud services to support e-commerce to make their products available. As drafted, the amendment would extend duties beyond what is intended.
The Government have carefully considered the amendment. It is clear that our intention is to secure consumer connectable products in the most effective and proportionate manner, without hindering business growth and the online retail facilities enjoyed by consumers. For the reasons I have set out, I am not able to accept the amendment. I hope the hon. Gentleman will consider withdrawing it.
I turn now to chapter 2 of the Bill and clauses 8 to 25. These clauses place duties on businesses in the supply chain of a consumer connectable product to comply with security requirements. Compliance is fundamental to the operation of the regulatory regime. Under these clauses, manufacturers, distributors and importers must prepare, or ensure the presence of, a document to accompany the product that states that, in the opinion of the manufacturer, it has complied with the security requirements, before that product is made available in the UK. I note the point that was made about baby monitors. I hope that, in that process, there would be clear information and a record provided with the product that stated compliance.
The clauses in chapter 2 also require that businesses take all reasonable steps to investigate a compliance failure or potential compliance failure. That is vital to hold businesses accountable for complying with their security requirements and to mandate investigation of potential compliance failures. If compliance failure has occurred, businesses in the supply chain must take all reasonable steps to prevent the product from reaching UK customers and remedy the compliance failure. The measure is needed to ensure that insecure products do not remain on the market and that those that have not yet reached UK customers are prevented from doing so.
Finally, the clauses in chapter 2 require manufacturers and importers to retain records of compliance failures and investigations for at least 10 years. The Secretary of State is able to request this information to investigate and to enforce the legislation. These duties encourage ongoing compliance and accountability. The records will allow a clear audit of the importer’s and manufacturer’s activities, so that we can have effective enforcement.
I have listened to the Minister. The Opposition are not in any way suggesting that the Government do not do an awful lot on cyber awareness-raising. All Governments could do more—that is the nature of teaching and learning and of being able to get our constituents to understand the cyber-security space and the impact that it can have on their homes.
In response to my hon. Friend the Member for Cardiff West, the Minister mentioned the belt-and-braces approach. However, organisations such as Which? say that there is an exemption for online marketplaces such as Amazon and eBay. The Online Safety Bill has of course been published today, and there are economic crime impacts linked to this. If this is a belt-and-braces approach, as the Minister says, surely another level of protection would be to include the online marketplaces. She says there are three stages that could be protected—importer, product design and distribution—but there is this gap through which some products could come. Therefore, I am not minded to withdraw the amendment and would ask the Committee for a decision.