Clause 7 - Relevant persons

Part of Product Security and Telecommunications Infrastructure Bill – in a Public Bill Committee am 12:00 pm ar 17 Mawrth 2022.

Danfonwch hysbysiad imi am ddadleuon fel hyn

Photo of Julia Lopez Julia Lopez Parliamentary Secretary (Cabinet Office), Minister of State 12:00, 17 Mawrth 2022

As I say, we are putting requirements on not just manufacturers, but the importer. The importer would be under an obligation to check whether the product fulfilled some of the requirements we would have for it, as would the distributor. I would hope that, along the chain, that product would have been checked several times to make sure it complies.

We have done a lot of work on general cyber-resilience. I will take this opportunity to add that it is also important that we as Members of Parliament try to make our constituents aware of the increasing challenges we face with cyber-resilience, and that we all need to have our own cyber-hygiene in that regard.

The amendment is well intentioned—we understand where the hon. Member for Ogmore is coming from—but it is drafted in a way that would have a much broader reach than just online marketplaces. It would impose security requirements on businesses that cannot comply with them, such as advertising platforms and website hosting services. Distributors use many online facilities offering a vast array of cloud services to support e-commerce to make their products available. As drafted, the amendment would extend duties beyond what is intended.

The Government have carefully considered the amendment. It is clear that our intention is to secure consumer connectable products in the most effective and proportionate manner, without hindering business growth and the online retail facilities enjoyed by consumers. For the reasons I have set out, I am not able to accept the amendment. I hope the hon. Gentleman will consider withdrawing it.

I turn now to chapter 2 of the Bill and clauses 8 to 25. These clauses place duties on businesses in the supply chain of a consumer connectable product to comply with security requirements. Compliance is fundamental to the operation of the regulatory regime. Under these clauses, manufacturers, distributors and importers must prepare, or ensure the presence of, a document to accompany the product that states that, in the opinion of the manufacturer, it has complied with the security requirements, before that product is made available in the UK. I note the point that was made about baby monitors. I hope that, in that process, there would be clear information and a record provided with the product that stated compliance.

The clauses in chapter 2 also require that businesses take all reasonable steps to investigate a compliance failure or potential compliance failure. That is vital to hold businesses accountable for complying with their security requirements and to mandate investigation of potential compliance failures. If compliance failure has occurred, businesses in the supply chain must take all reasonable steps to prevent the product from reaching UK customers and remedy the compliance failure. The measure is needed to ensure that insecure products do not remain on the market and that those that have not yet reached UK customers are prevented from doing so.

Finally, the clauses in chapter 2 require manufacturers and importers to retain records of compliance failures and investigations for at least 10 years. The Secretary of State is able to request this information to investigate and to enforce the legislation. These duties encourage ongoing compliance and accountability. The records will allow a clear audit of the importer’s and manufacturer’s activities, so that we can have effective enforcement.