The Product Security and Telecommunications Infrastructure Bill would:
- Allow the Secretary of State to make regulations to introduce mandatory security requirements for consumer connectable products (also described as smart devices or internet of things (IoT) devices) sold in the UK; and
- Make changes to the electronic communications code which governs the rights of telecoms companies to install infrastructure on land.
Information about the Bill’s stages and related publications is provided on the Parliamentary Bill page.
Consideration of Lords amendments is tabled for 31 October 2022.
Security requirements for consumer connectable products
Part 1 of the Bill relates to powers to introduce mandatory security requirements for consumer connectable products such as smart phones, smart TVs and connected speakers.
What are current safety and security requirements for smart devices?
Consumer connectable products are required to meet certain safety standards, but there are currently no mandatory security requirements. There is growing concern about the risks to consumers associated with some of these products, through breaches in safety and privacy and their potential for use in wider cyber-attacks.
The Government published a voluntary Code of Practice for Consumer IoT Security, in 2018. It provided manufacturers and others with guidance (13 principles) on good practice to ensure connectable products were secure.
In response to poor uptake of the Code of Practice and continued risks to consumers, the Government consulted in 2019 on introducing mandatory security requirements for connectable products. Legislative proposals were consulted on in 2020.
What would the Bill change?
The Bill would provide regulation-making powers for the Secretary of State to introduce security requirements for consumer connectable products sold in the UK.
The Government has said that it intends the following products to be affected by the Bill:
- smartphones
- connected cameras, TVs and speakers
- connected children’s toys and baby monitors
- connected safety-relevant products such as smoke detectors and door locks
- Internet of Things base stations and hubs to which multiple devices connect
- Wearable connected fitness trackers
- outdoor leisure products, such as handheld connected GPS devices that are not wearables
- connected home automation and alarm systems
- connected appliances, such as washing machines and fridges
- smart home assistants.
Some products would be excluded, such as smart meters, medical devices, vehicles and smart chargepoints (for electric vehicles).
The Government said it will use the powers under clause 1 of the Bill to introduce the top three guidelines from the Code of Practice:
- A ban on default passwords;
- A requirement for products to have a vulnerability disclosure policy whereby any security weakness in a product is identified and notified; and
- A requirement for transparency about the time period for which a manufacturer will provide security updates for the product.
It would also place duties on manufacturers, importers and distributers of these products to ensure compliance with the statutory requirements and to take action where a compliance failure has occurred.
The Bill sets out a number of enforcement measures that could be taken when there is a breach of compliance. For serious issues of non-compliance, the Bill sets the maximum penalty at £10 million or 4% of the company’s worldwide revenue.
Changes to the electronic communications code (ECC)
Part 2 of the Bill would make changes to the electronic communications code (ECC). The ECC is the main law that governs the rights of telecoms companies to install infrastructure on land, UK-wide.
Previous ECC reform
The ECC was significantly reformed in 2017. This included changes to rights to upgrade and share infrastructure and changes to dispute resolution processes. It also included changes to how land is valued when determining rent for hosting telecoms equipment under a court-imposed agreement.
Reforms to the ECC have always been highly contested, with often strongly opposing views between telecoms operators and site providers (landowners). The Government has to strike a difficult balance between ensuring digital connectivity is widely available while property rights are respected.
The land valuation reforms have been particularly controversial, with reports that rents for hosting telecoms equipment have reduced, in some cases dramatically. The ECC is said to be causing delays to infrastructure roll-out through lengthy negotiations and legal proceedings.
The Government’s consultation that informed the Bill did not revisit the topic of land valuation.
What would the Bill change?
The Bill aims to encourage faster and more collaborative negotiations for the installation and maintenance of telecoms equipment on private land. The Government says this would help ensure the efficient roll-out of digital infrastructure such as gigabit-broadband and 5G.
The main changes the Bill would make include:
- New provisions to actively encourage alternative dispute resolution rather than legal proceedings where possible;
- Introducing a faster procedure to allow telecoms operators to get temporary rights to access and install infrastructure on land when an occupier is unresponsive;
- Giving telecoms operators rights to automatically upgrade and share equipment that was installed before 2017;
- Changes to the drafting of the ECC to clarify who can grant rights to host infrastructure on land in cases where infrastructure is already installed;
- Changes to the terms for renewing certain types of telecoms agreements that were in place before December 2017;
- Allowing a time period to be set for the court to resolve disputes on the renewal of code agreements; and
- Changes to what can be sought as temporary, interim orders while a telecoms infrastructure agreement is being renewed (for example, access rights in addition to rent payments).
Telecoms operators and site providers had opposing views on most of the above changes, with telecoms operators agreeing that changes should be made and most site providers disagreeing.
The Bill would apply to all of the UK.
Progress of the Bill
Commons stages
The Bill had its Second reading debate on 26 January 2022. The Secretary of State for Digital, Culture, Media and Sport, Nadine Dorries, introduced the Bill. She said that the Government had made significant progress to strengthen the UK’s cyber security, but legislation was needed to protect from the harm posed by cyber criminals. There was cross party support for the provisions in part one of the Bill, but some concerns raised that the Bill should have come sooner and could do more.
Nadine Dorries highlighted the importance of Part 2 of the Bill to ensure that gigabit-broadband and 5G infrastructure can be rolled-out at pace. Many members highlighted issues with connectivity in their constituencies, and some raised concerns about rent reductions faced by landowners in their constituencies following the 2017 ECC reforms.
Part one of the Bill was not amended during Committee Stage. There was one proposed New Clause, and two Opposition amendments, one of which was moved to a division.
Five Government amendments were made to Part 2 of the Bill. They were all technical or consequential amendments to tidy the legislation and were passed without a vote. The Opposition tabled 5 amendments and two new clauses which did not pass.
Report stage took place on 25 May 2022. The Government moved a number of amendments, all of which were agreed without a vote. Of the opposition and backbench amendments that were moved at Report stage, one went to a division and was defeated. All of the amendments concerned Part Two of the Bill.
Lords stages
The Government made the following amendments to Part Two the Bill during its passage through the House of Lords.
- Clause 57 (definition of ‘occupier’) was removed from the Bill;
- New Clause 60 was added to the Bill. It would grant an automatic right to share and upgrade telecommunications equipment on telegraph poles;
- New Clause 66 was added to the Bill. It would grant the Secretary of State powers to prevent access rights under the ECC being granted to a telecoms operator if doing so would prejudice national security.
One opposition amendment was agreed on division:
- New Clause 76 was added to the Bill. It would require the Secretary of State to review the impact of the post-2017 reforms to the Electronic Communications Code.
The Government also introduced a series of amendments to Part One implementing some of the recommendations made by the Delegated Powers and Regulatory Reform Committee (DPRRC). They were agreed without a vote.