My Lords, in his response to the Minister, the noble Lord, Lord Bassam, talked about transparency. The Minister said that he hoped we were reassured by the presence, and indeed the draft, of particular regulations. More specifically on the point made by the noble Lord, Lord Bassam, we would be reassured if the Minister were prepared to share those drafts with Her Majesty’s loyal Opposition and those of us on this Bench, but the Minister has set his face against pre-publishing draft regulations so that we can have a chance. That trust will come if we are trusted in this process, but it does not come for nothing.
I rise to speak to these—whatever the collective noun for amendments is; perhaps a raft or a shedload—amendments, all of which are around delegated powers and secondary legislation, and to move Amendment 6. As we have discussed, in Part 1,
“The core provision is clause 1, which allows the Secretary of State to make regulations specifying the requirements that are to apply for the purpose of protecting or enhancing the security of internet-connectable products made available to consumers in the UK. The security requirements can be applied to … relevant persons.
Clause 3 allows the Secretary of State to make regulations providing that a relevant person is to be treated as complying with the security standard if specified conditions are met. No limits are imposed on the circumstances in which this power would be capable of being used. Subsection (2) provides that the specified conditions may include, ‘among other things’, compliance with specified standards. But this does not limit the circumstances in which this power may be exercised.
The explanation for the power is given in paragraphs 20 to 22 of the memorandum. The point is made that improving the security of connectable products is a critical global issue”—
which we have discussed,
“and therefore it is likely that many other countries and international standards bodies will introduce standards similar to or aligned with the security requirements imposed under this Bill. The purpose of the power is to allow products which meet these alternative standards to be excepted from the regime under this Bill, provided that those standards achieve equivalent security outcomes and do not weaken the regime established by the Bill.”
Are noble Lords still with me? The Bill’s
“powers will also facilitate mutual recognition agreements and therefore help the UK to avoid placing an undue burden on industry by restricting the free flow of international trade.”
I think we all can see this. I agree with the Delegated Powers and Regulatory Reform Committee,
“that this provides a reasonable explanation for the power contained in Clause 3, it does not explain why it is considered necessary or appropriate for the power to be at large and not limited so that it can only be used where a product is subject to an alternative security regime imposed outside the UK”
and that the Minister needs
“to explain whether the failure to limit the powers in this way is inadvertent; and, if not, why (whether by reference to technological change or otherwise) it is considered necessary to draw the powers more widely than indicated in the memorandum.
Regulations under Clause 3 are subject to the negative resolution procedure. That is based in part on the fact that the regulations will not reduce the effect of the legal framework. But that assumes that other international standards will apply instead.”
This amendment puts forward the DPRRC’s recommendation that
“the affirmative resolution procedure is more appropriate if the width of the regulation-making power is to be retained.”
The alternative is for the Government to narrow that regulation power.
Amendment 9 focuses on regulations under Clause 9(7), which are subject to the negative resolution procedure. This amendment implements the DPRRC recommendation that
“the affirmative resolution procedure is more appropriate if there are to be no limits on the circumstances in which the duty under clause 9 to provide a statement of compliance may be waived.”
Then we have tabled an amendment that removes Clause 9 altogether. Clause 9 is designed to take power to except manufacturers from the duty to provide a statement of compliance. The clause
“requires manufacturers to provide a statement of compliance when a product that is subject to security requirements is made available to the UK. Subsection (7) of clause 9 confers a power by regulations to provide that a manufacturer is to be treated as complying with this requirement if specified conditions are met.
The explanation in the memorandum links this power to the power in Clause 3 to treat a relevant person as complying with a security requirement.
‘Where the government has recognised another standard as being equivalent to compliance with a security requirement using the provisions of clause 3(1), it may be appropriate under certain conditions, for instance where the government has entered into a mutual recognition arrangement with another regime, for the duty to ensure that a product is accompanied by a statement of compliance to be waived for relevant persons in relation to products that meet that standard.’
However, this limitation on the circumstances in which the power will be used is not reflected in clause 9(7) itself, which simply confers a power to treat the manufacturer as complying with the duty to provide the statement of compliance ‘if specified conditions are met’, without any indication of or limit on what those conditions might be.”
As such, the purpose of giving notice of our intention to oppose the question that Clause 9 stand part of the Bill amendment is designed to get to the bottom of the issue and to get the Minister to explain whether the failure to limit the power, as described in the memorandum, is inadvertent; and, if not, why it is necessary to draw the power more widely than indicated in the memorandum.
6.45 pm
Amendment 10 would place a duty on the Secretary of State to make regulations about the conditions under which manufacturers must notify customers when they are placed at risk, as recommended by the DPRRC. As on Clause 9, we also propose to remove Clause 11 from the Bill.
“Clause 11 requires a manufacturer to take action where it becomes aware of a compliance failure.”
This is good. This is a probing amendment, not something that we expect to happen.
“This includes notifying persons listed in clause 11(4). These persons are the enforcement authority, other manufacturers of the product, importers, distributors, and:
‘in a case where specified conditions are met, any customer in the United Kingdom to whom the manufacturer supplied the product.’
The reference in the provision quoted above to ‘specified conditions’ is to conditions specified in regulations subject to the negative resolution procedure.
The explanation for this regulation-making power is contained in paragraph 55 of the memorandum:
‘Where the nature of a compliance failure in relation to consumer connectable products supplied to customers exposes those customers to risk, it is important that they are informed and can respond accordingly. The Government will use this power to set out practical conditions, the effect of which will be that customers will need to be notified of compliance failures where that failure has exposed the customer to significant risk. These conditions will be defined in regulations, and will be based on an assessment of the additional risk of cyber-attack presented by different kinds of compliance failure, for instance, in relation to specific security requirements.’
However, despite the stated intention to use the power to ensure that customers are informed where they are put at risk as a result of the compliance failure, there is no duty on the Secretary of State on the face of the legislation to act in that way. Instead, the provision simply gives the Secretary of State an unfettered discretion to determine the circumstances in which customers should be notified.”
Once again, we on these Benches agree that, as the committee states,
“it is important that customers are notified where they are put at risk as a result of a compliance failure.”
The problem here is that
“the power is drafted in a way that gives the Secretary of State a discretion to decide whether or not to make regulations requiring notification in those circumstances.”
The DPRRC recommends that
“legislation should be framed so that the Secretary of State is under a duty to make regulations requiring manufacturers to notify customers … at a significant risk, and we recommend accordingly.”
So, once again, this is a probing amendment to get the Minister to explain to your Lordships’ House why there should be discretion, and perhaps to explain how that discretion might be used in future so that we better understand the Government’s thinking on this, or whether it was merely inadvertence.
Amendments 11, 12 and 13 all raise similar issues with powers in Clauses 18, 19, 24 and 25. The DPRRC says:
“Each of those clauses is also concerned with notification of compliance failures with the notification of customers only being required where conditions specified in regulations are met. We therefore make the same recommendation with respect to those powers as we do in paragraph 15 … in relation to the powers conferred by clause 11”.
The amendments would implement that recommendation.
I turn to Amendment 15. The DPRRC says:
“Chapter 3 of Part 1 (clauses 26 to 52) makes provision for the enforcement of the duties imposed on manufacturers, importers and distributors in relation to the security requirements which apply to internet-connectable products. The enforcement functions conferred by Chapter 3 include: … the power to give a compliance notice requiring a person who is failing to comply with a relevant duty to comply with that duty within a specified period; … the power to give a stop notice to prevent a continuing breach of a relevant duty; … the power to give a recall notice to manufacturers for the purpose of securing the return of products; … the power to impose monetary penalties for a failure to comply with a relevant duty; … the power to apply to the court for the forfeiture of products where there is a compliance failure; … the power to require a person to provide information and the power to enter premises. The functions are conferred on the Secretary of State.”
Clause 27 essentially potentially confers the power of the Secretary of State to an enforcer. As the committee states, it
“provides that the Secretary of State may enter into an agreement with any person authorising the person to exercise any enforcement function of the Secretary of State. Clause 27(6) provides that, where a person is authorised under clause 27 to exercise an enforcement function, any reference in Chapter 3 to the Secretary of State in connection with that function is to be read as a reference to that person.”
In a sense, the enforcer is a proxy for the Secretary of State. The report continues:
“The memorandum makes no reference to the power to delegate the exercise of enforcement functions conferred by clause 27.”
The DPRRC assumed that
“this is because the Department do not view it as a legislative power on the basis that in some sense the Secretary of State remains the owner of the function where a delegation occurs.”
Perhaps the Minister might comment on that. The DPRRC continues:
“In this regard, clause 27(3) provides that an agreement under clause 27 may be cancelled by the Secretary of State at any time, and that the existence of such an agreement does not prevent the Secretary of State from performing a function to which the agreement relates.”
So, in other words, there could be two enforcers involved in this. First is the delegated enforcer, and then the Secretary of State could step in too. Again, the Minister might explain how that will work in future.
The committee goes on to say:
“In the Explanatory Notes for the Bill, the delegation power contained in clause 27 is described as ‘a routine power that replicates other legislation such as section 125 of the Environmental Protection Act 1990’ … The maximum penalty is the greater of £10 million and 4% of the person’s qualifying worldwide revenue for the person’s most recent complete accounting period.”
It finds that:
“There is a notable difference between section 125 and clause 27”
of this Bill,
“in that the delegation of enforcement powers in the former case is limited to delegation by the Secretary of State to any public authority”,
and not any person, as in the case of this Bill. Again, the Minister might speak to the issue of public authority versus person.
Despite the department’s approach and what it says in the Explanatory Notes, the DPRRC considers that
“giving the Secretary of State the power to delegate enforcement functions as proposed in this case is in substance the delegation of a legislative power.”
In other words, it disagrees with the idea that the Secretary of State is retaining some of that power. It continues:
“Thus, it allows the Secretary of State to determine who is to have the legal authority to exercise functions under the Bill, where the exercise of those functions can include having the sole responsibility to decide how, against whom and in what circumstances enforcement powers under the Bill are exercised. There is nothing on the face of the Bill which requires the Secretary of State to have any involvement in or oversight of the exercise of the functions once a person has been authorised by an agreement under clause 27 … The enforcement functions which may be delegated by an agreement under clause 27 are very significant”—
I think we all agree that that is true—
“and how they are exercised will no doubt have an important impact on the effectiveness of the regulatory regime”
that comes from this Bill. It goes on to say:
“Also, there are no limitations on the persons to whom the functions may be delegated. As things stand, there is no requirement for parliamentary scrutiny of the delegation by the Secretary of State of the power to exercise enforcement functions under clause 27, and there are no limitations on the persons to whom the functions may be delegated. There is not even any requirement on the Secretary of State to publish information about delegations made under clause 27.”
The Minister will not be surprised that members of the DPRRC
“strongly take the view that the determination of who is to exercise enforcement functions under Chapter 3 of Part 1 should be subject to parliamentary scrutiny”—
we should all agree that the sovereign nature of Parliament means that this important job should be scrutinised by your Lordships and the other place—
“and therefore that the power to delegate functions under clause 27 should be done by way of regulations rather than by agreement. Given the significance of the functions and the width of the power (which extends to conferring the functions on private as well as public bodies), we consider the regulations should be subject to the affirmative resolution procedure.”
In conclusion—noble Lords will be pleased to hear—I note the Minister’s letter of 14 June and respond that it is not good enough not to tell us which enforcement body it will be, because the various processes have to be gone through. This is particularly wrong as we believe that the Minister already knows who the enforcement body is going to be and has decided not to disclose it to your Lordships’ House. Either way, it should be specified in the Bill or subject to parliamentary oversight. The Government cannot have it both ways. I beg to move Amendment 6.