The Government has introduced a Bill in Parliament to impose new security obligations on manufacturers and distributors of internet-connected devices. The Bill is potentially far reaching, with complex provisions that extend the obligations to housebuilders and property developers, in addition to conventional retailers. In this update, we summarise the key provisions of the Bill.

What is the Product Security and Telecommunications Infrastructure Bill?

The Product Security and Telecommunications Infrastructure Bill follows a consultation exercise by the Government and makes provision about the security of internet-connectable products and about the infrastructure of electronic communications. Part 1 of the Bill creates a new regulatory scheme, with the aim of increasing security against cyber-attacks on consumer-facing connectable products and protecting consumers from loss of privacy and personal data.

The Bill will allow ministers to impose security requirements relating to consumer connectable products (smart products) on manufacturers, importers and distributors by:

  • allowing ministers to set out and amend minimum security requirements in relation to smart products;
  • imposing responsibilities on manufacturers, distributors and importers in relation to smart products; and
  • creating civil and criminal sanctions aimed at preventing breaches of these responsibilities.

Full details of the product security requirements have not yet been released – these will be set out in regulations issued by the Secretary of State. They will align with standards found in the 2018 Code of Practice for security in consumer "internet of things" products and security standard EN 303 645. We can expect, for example:

  • a ban on the use of universal default passwords;
  • implementation of a mechanism for reporting of vulnerabilities; and
  • a requirement to notify consumers of the minimum period that products will receive security updates.

While the new laws will introduce transparency obligations to tell consumers about the minimum period for security updates, the Bill does not itself impose any requirements in relation to the length of that minimum period.

What products are covered?

The Bill covers all consumer smart products which are internet-connectable or network-connectable products. This is wide ranging, from smartphones and connected home appliances to children's toys and baby monitors.

Products that are solely aimed at business customers may fall within scope where the smart product is identical to products made available to consumers through another distributor.

Who will the security requirements apply to?

Manufacturers, distributors (including retailers) and importers of smart products are caught under the Bill. Broadly similar obligations are imposed on all three:

  • to comply with the product security requirements as introduced by the Secretary of State;
  • to ensure that the product is accompanied by a statement of compliance – note, the statement of compliance is prepared by the manufacturer, but all three have a duty to ensure that the statement accompanies the product;
  • to investigate and take action in relation to compliance failures, including remedying compliance failures and notifying the enforcement authority, manufacturers, distributors, importers (as applicable) and, in cases determined by the Secretary of State, affected consumers. Where necessary, there will be a duty to prevent the product being made available to consumers until the compliance failure has been remedied; and
  • manufacturers and importers must maintain records of compliance failures for ten years, including details of investigations into suspected compliance failures and the results of the investigation.

Will the new obligations apply to house builders, developers and installers of connected devices?

The definition of a "distributor" is potentially very broad and goes beyond conventional distributors and retailers of consumer goods. For example, property developers and tradespeople should be aware that they will be a distributor (and therefore subject to obligations under the Bill) when constructing new-build homes or redeveloping properties that incorporate smart products, such as smart heating systems, security systems, kitchen appliances and AV systems.

However, the Bill will not impose obligations on tradespeople and businesses that repair smart products or are contracted to install products that the consumer has purchased.

What are the proposed enforcement powers?

A wide range of enforcement powers have been proposed including compliance notices, stop notices and recall notices.

The most significant proposal in terms of enforcement is monetary penalties of up to the greater of £10 million or 4% of an organisation's worldwide revenue, putting financial penalties on a par with those available for a breach of the UK GDPR.

Other powers which will be important to note from a reputational perspective are the power to inform the public of compliance failures and to publish details about enforcement action.

Next steps

While the full impact of the Bill cannot be assessed until the proposed regulations are published, businesses involved in the manufacture and supply of smart products should be aware of the proposed changes. In particular, they will want to ensure that they are familiar with EN 303 645 and incorporate it into their product design.

Importers and distributors should also think about how the Bill will impact on their business and what support and assistance they need from manufacturers.

You can access the Bill and the explanatory notes on the UK Parliament website.

If you would like to discuss the Bill or its potential application, please contact Martin Sloan.